WebsiteDiscord

Mr. Chatbot

Writeup for Mr. Chatbot (Web) - CTF@CIT CTF (2025) 💜

Description

"What's your prompt?"

The flag is in secrets.txt

Solution

We've got a chatbot.

At first I thought it was an LLM challenge but I checked the code and realised it was on a loop.

Nothing interesting but in the HTTP history I notice a value in the response.

So let's change the admin value.

Signature problems. I tried to brute force with rockyou with custom python script. I also wanted to see the difference between a token where "name":"0" and "name":"1".

Unfortunately the signature is different each time, e.g. if you send a sequence of requests from burp with the same username, the header and payload remain the same, but the signature changes each time.

I'm an idiot! Realised it's a Flask session cookie, not JWT 🤦‍♂️

I tried to crack the secret and got an error due the numbers in the JSON object. We can fix this with the --no-literal-eval flag.

Tried a few wordlists but it doesn't crack it. The CTF ended and annoyingly I realised that something I tried earlier was actually in the right direction! I had tried to submit username=1&admin=1 as parameters (when I still thought it was a JWT), and received an extremely long session cookie that decoded into some weird value. Turns out that weird value was a base64 string (clear now using the flask-unsign library) I should have decoded.

Notice it added a uid? It doesn't change the web app functionality though. My friend noticed the web server shows Werkzeug/3.1.3 Python/3.13.3 and had suggested SSTI, but it failed due to encoding. Perhaps now with an admin session, things will be different? I try a basic payload {{ 7 * 7}} from PayloadsAllTheThings as the username. When decoding the uid from the cookie, we see 49 at the beginning of the output.

Trying various other payloads to dump classes etc causes 500 server error! However, sending {{config.items()}} returns us more.

We decode it.

We have a session key e8c67e8a49e5238aebbb2cba257f3f77373af7eb864c36ae683e5629ad54b440 so we can now forge our own tokens!

Trying more commands, we see we have command execution.

Now let's just swap the id command with cat secrets.txt.

Flag: CIT{18a7fbedb4f3548f}

PreviousHow I Parsed your JSONNextKeeping Up with the Credentials

Last updated