“Voting” was a web service at the Enowars3 attack/defense CTF.

Flagbot username was public. Cookies were sha512() of flagbot username

The service was written in Python with an sqlite db and flask. You could register an account and then vote yes/no to some default votes and also create your own votes. When creating your own votes you could place a secret message there, which was only printet when the creator of a vote was visiting the vote page.

{% if session[2] == pollCreator and pollCreatorsNotes|length > 0 %}
	<h3>Your private notes</h3>
	<p>{{ pollCreatorsNotes }}</p>

The login function was really simple

def login(userName, password):
	if auth(userName, password):
		return createSessionAuthenticated(userName)
	return None

here it was already obvious that the cookie only depends on the username.

def createSessionAuthenticated(userName):
	h = hashlib.sha512()
	sid = h.hexdigest()

	db = sqlite3.connect("data.sqlite3")
	c = db.cursor()
	c.execute("INSERT OR REPLACE INTO sessions VALUES (:sid, (SELECT datetime('now','+1 hour')), :userName);", {"sid": sid, "userName": userName})

	return (sid, 3600)

Looking at createSessionAuthenticated() confirmed this. My “fix” :D was really simple then.


No exploit script here. The code is kind of messy and really boring. Just read the vote id’s from /index.html -> read the vote creators usernames -> sha512(username) -> read the flag