My user at this CTF: https://play.fe-ctf.dk/users/21

Task

[curling], [remote]
Let's change tactics. I've had a friend help me out with this one. 
She's a Full Stack DeveloperTM. Fancy that.
Log in, get flag[link]

Solution

I didn’t solve this, but I think I came close, so I wanted to post some notes for future reference.

For this login challenge we are presented with the familiar login form consisting of username and password input fields. This time around there’s no interesting JavaScript being loaded, so I fired up Burp.

What I tried was taking a closer look at the headers being sent to and received from the webserver. Here’s how the regular request looks when we try to log in:

POST /login HTTP/1.1
Host: login-lvl4.hack.fe-ctf.dk
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://login-lvl4.hack.fe-ctf.dk
Connection: close
Referer: http://login-lvl4.hack.fe-ctf.dk/login?next=%2Fflag
Upgrade-Insecure-Requests: 1

username=daw&password=daws

If I change the request to GET /flag HTTP/1.1 instead of a POST, I get an interesting reply:

HTTP/1.1 302 FOUND
Server: gunicorn
Date: Sun, 29 Oct 2023 07:51:51 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 225
Location: /login?next=%2Fflag
Vary: Cookie
Set-Cookie: session=.eJyrVopPy0kszkgtVrKKrlZSKAFSSrmpxcWJ6alKOkoBOamJxakKOfnpCpl5CiX5ConJyUBJhZKMzGKFAqAaPaXYWp1RfVj1xeoAA7cotThDySotMac4tRYAtk154A.ZT4PFw.Dmpnm6WMbghegQ4-s1eHPMVxsdQ; HttpOnly; Path=/

<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login?next=%2Fflag">/login?next=%2Fflag</a>. If not, click the link.

So, I’m given a cookie and the server tries to redirect me to a flag page, but I’m returned to the index page again. This time I have a cookie though! (No pun intended)

After an obscene amount of black metal music and coffee, I figured out that the server likely ran Python Django, and found a tool that could decode cookies generated with Django:

$ flask-unsign --decode --cookie '<cookie omitted for brevity>'
{'_flashes': [('message', 'Please log in to access this page.'), ('message', 'Please log in to access this page.'), ('message', 'Please log in to access this page.'), ('message', 'Please log in to access this page.'), ('message', 'Please log in to access this page.')], '_fresh': False}
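To make the decoding step concrete, here is an added example (not from the writeup and not flask-unsign's code) that parses the itsdangerous-signed session format Flask emits, which is the `.eJy…` value in the Set-Cookie header above: it reads the payload and signing timestamp without any secret and checks the HMAC when a key is available. The cookie is the one from the 302 response above; `DEMO_SECRET` and the round-trip session data are constructed for the demo.

```python
# Flask session cookie: [.]<b64url payload>.<b64url timestamp>.<b64url HMAC-SHA1>
# A leading "." means the JSON payload was zlib-compressed. The payload is signed,
# not encrypted: anyone holding the cookie can read it; forging one needs SECRET_KEY.
import base64, hashlib, hmac, json, zlib

PAGE_COOKIE = (  # the Set-Cookie value from the 302 response in the writeup
    ".eJyrVopPy0kszkgtVrKKrlZSKAFSSrmpxcWJ6alKOkoBOamJxakKOfnpCpl5CiX5"
    "ConJyUBJhZKMzGKFAqAaPaXYWp1RfVj1xeoAA7cotThDySotMac4tRYAtk154A"
    ".ZT4PFw.Dmpnm6WMbghegQ4-s1eHPMVxsdQ")
DEMO_SECRET = "constructed-demo-secret"  # constructed; not the challenge's key

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def derive_key(secret: str, salt: bytes = b"cookie-session") -> bytes:
    # itsdangerous "hmac" key derivation with Flask's session salt
    return hmac.new(secret.encode(), salt, hashlib.sha1).digest()

def split_cookie(cookie: str):
    compressed = cookie.startswith(".")
    payload, ts, sig = (cookie[1:] if compressed else cookie).split(".")
    return compressed, payload, ts, sig

def timestamp_of(cookie: str) -> int:
    """Signing time in Unix seconds; readable without the secret."""
    return int.from_bytes(b64d(split_cookie(cookie)[2]), "big")

def decode_unverified(cookie: str) -> dict:
    """Read the payload without the secret, like `flask-unsign --decode`."""
    compressed, payload, _, _ = split_cookie(cookie)
    raw = b64d(payload)
    return json.loads(zlib.decompress(raw) if compressed else raw)

def sign_session(data: dict, secret: str, ts: int) -> str:
    """Build a cookie the way Flask does; used here for a round-trip check."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    payload = "." + b64e(packed) if len(packed) < len(raw) - 1 else b64e(raw)
    value = f"{payload}.{b64e(ts.to_bytes((ts.bit_length() + 7) // 8, 'big'))}"
    sig = hmac.new(derive_key(secret), value.encode(), hashlib.sha1).digest()
    return f"{value}.{b64e(sig)}"

def verify(cookie: str, secret: str):
    """Return the payload if the signature is valid under `secret`, else None."""
    value, _, sig = cookie.rpartition(".")
    expected = hmac.new(derive_key(secret), value.encode(), hashlib.sha1).digest()
    return decode_unverified(cookie) if hmac.compare_digest(expected, b64d(sig)) else None
```

`timestamp_of(PAGE_COOKIE)` gives 1698565911, the same instant as the `Date: Sun, 29 Oct 2023 07:51:51 GMT` header, and `decode_unverified` shows tuples in Flask's tagged `{" t": [...]}` JSON form where flask-unsign printed `('message', ...)`. The takeaway for the defending side is that the session payload is readable by anyone who holds the cookie, so it must never carry secrets, and the only thing stopping a forged session is the entropy of SECRET_KEY.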

The tool can also try to brute-force the secret used to sign the session cookies, but I didn’t have any luck.
So… no flag this time around. We’ll get ’em next time!