Open aszx87410 opened 3 years ago
Quick query. When you mention /admin and /admin/user were blocked, did it ask you to log in to http://172.105.84.156:5000/? Since there is an admin_required decorator, I believe it checked whether the current user is an admin or not?
As the method @app.route('/') checks for an admin user:

```python
@app.route('/')
def index():
    if current_user and current_user.is_authenticated and current_user.role.name == 'Administrator':
        return os.environ.get('Volga_flag') or 'Error, not found flag'
    return 'Hello, to get the flag, log in as admin'
```

I solved it a while ago so I am not sure, but I think it showed a 403 Forbidden or other error page, telling me that I had no permission to view this page. It won't ask me to log in because I was already logged in.
OK, thanks. Since the method @app.route('/') checks the user role, I thought the first thing on the site would be to log in.
flask-admin
Description
Incorrect usage of this library leads to serious consequences...
routes.py
Writeup
I had no idea how to solve this at first because I am not familiar with Python. But I wanted to solve this one, so I went to check the documentation: https://flask-admin.readthedocs.io/en/latest/api/mod_base/#default-view
This part is strange because I haven't seen this usage in the documentation:
I guessed there were some endpoints which were not blocked, so I tried /admin, /admin/user and /admin/user/, but all were blocked. I believed there must be something, but I was too lazy to reproduce the environment locally, so I checked a YouTube video: https://www.youtube.com/watch?v=0cySORIhkCg&ab_channel=PrettyPrinted
And I found a useful URL, /admin/user/new:
http://172.105.84.156:5000/admin/user/new/
We can insert any user with the admin role now! But what about the password hash? How do I know what the format is?
The answer is: check the YouTube video again: https://www.youtube.com/watch?v=ysdShEL1HMM&ab_channel=PrettyPrinted
I found another useful URL: /admin/user/edit?id=1
I searched for the keyword pbkdf2:sha256:150000 and found this: https://www.cnblogs.com/jackadam/p/12196826.html
It seems pbkdf2:sha256:150000$ODedbYPS$4d1bd12adb1eb63f78e49873cbfc731e35af178cb9eb6b8b62c09dcf8db76670 is hello, so I created an admin account with this password. I logged in with the account just created and successfully got the flag.
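
The hash string quoted in the post has the method$salt$hexdigest layout, assumed here to be the one written by Werkzeug's generate_password_hash. As an added example (not code from the original post or from the challenge), the following standard-library code parses that layout and checks a candidate password against a stored value; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hash string quoted in the writeup above (method$salt$hexdigest).
PAGE_HASH = ("pbkdf2:sha256:150000$ODedbYPS$"
             "4d1bd12adb1eb63f78e49873cbfc731e35af178cb9eb6b8b62c09dcf8db76670")


def parse_hash(stored):
    """Split 'pbkdf2:<digest>:<iterations>$<salt>$<hex>' into its fields."""
    try:
        method, salt, hexdigest = stored.split("$", 2)
        scheme, digest, iterations = method.split(":")
        iterations = int(iterations)
        bytes.fromhex(hexdigest)  # rejects non-hex digests
    except ValueError:
        raise ValueError("not a pbkdf2 method$salt$hash string") from None
    if scheme != "pbkdf2" or iterations < 1:
        raise ValueError("unsupported hash method: " + method)
    if digest not in hashlib.algorithms_available:
        raise ValueError("unknown digest: " + digest)
    return digest, iterations, salt, hexdigest.lower()


def derive(password, digest, iterations, salt):
    """PBKDF2-HMAC of the UTF-8 password; the salt string is used as UTF-8 bytes."""
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                               salt.encode("utf-8"), iterations).hex()


def make_hash(password, iterations=150000, digest="sha256"):
    """Produce a string in the same layout with a fresh random salt."""
    salt = secrets.token_urlsafe(6)  # 8 URL-safe characters, never contains '$'
    return f"pbkdf2:{digest}:{iterations}${salt}${derive(password, digest, iterations, salt)}"


def check_hash(stored, candidate):
    """Recompute the digest for the candidate and compare in constant time."""
    digest, iterations, salt, expected = parse_hash(stored)
    return hmac.compare_digest(derive(candidate, digest, iterations, salt), expected)


if __name__ == "__main__":
    print(parse_hash(PAGE_HASH)[:3])
    print("matches 'hello':", check_hash(PAGE_HASH, "hello"))
```

Because the layout carries its own method, iteration count and salt, any form that stores a submitted hash string verbatim lets whoever can reach that form choose the account's password.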