PicoCTF Web Challenge Writeup: NO FA

Overview

We're given a Flask web application with a login system and 2FA (Two-Factor Authentication). The goal is to log in as admin and retrieve the flag.

Category: Web Exploitation | Difficulty: Medium | Tools: hashcat, flask-unsign, sqlite3

Files provided:

• app.py — Flask application source code
• users.db — SQLite database with user credentials

---

Step 1 — Recon: Examining the Database

sqlite3 users.db

.mode column
.headers on
SELECT * FROM users;

Key observations:

• admin is the only account with two_fa = 1
• Admin uses a different domain (nfs.com vs nfa.com for regular users)
• The admin password is stored as a SHA-256 hash: c20fa16907343eef642d10f0bdb81bf629e6aaf6c906f26eabda079ca9e5ab67

---

Step 2 — Cracking the Password Hash

The 64-character hash is SHA-256 (-m 1400 in hashcat):

hashcat -m 1400 c20fa16907343eef642d10f0bdb81bf629e6aaf6c906f26eabda079ca9e5ab67 /usr/share/wordlists/rockyou.txt

Result — cracked in under 5 seconds:

c20fa169...ab67:apple@123

Password: apple@123

---

Step 3 — Analyzing the 2FA Code

Looking at app.py, the OTP generation stood out immediately:

# OTP Generation
otp = str(random.randint(1000, 9999))  # Only 9000 possible values!
session['otp_secret'] = otp            # Stored in SESSION COOKIE
session['otp_timestamp'] = time.time()

# OTP Verification
if stored_otp and otp == stored_otp and (time.time() - timestamp) < 120:

Two critical vulnerabilities here:

1. Tiny keyspace — only 9,000 possible OTP values (1000–9999), trivially brute-forceable
2. OTP stored in the client-side session cookie — Flask session cookies are base64-encoded and fully readable without the secret key

---

Step 4 — Reading the OTP from the Session Cookie

After logging in with admin / apple@123, the server redirects to /two_fa and sets a session cookie. Grab it from Browser DevTools → Application → Cookies, then decode it:

pipx install flask-unsign
flask-unsign --decode --cookie "<cookie_value>"

Output:

{
  "logged": "false",
  "otp_secret": "1149",
  "otp_timestamp": 1779522221.27,
  "username": "admin"
}

The OTP (1149) is sitting right there in plaintext.

Flask signs cookies to prevent tampering — but it does not encrypt them. Anyone can read the contents without knowing the secret key.

---

Step 5 — Submitting the OTP

Navigated to /two_fa, entered 1149, and got:

Login successful!

Flag captured!

---

Vulnerability Summary

1. Weak password (apple@123) — Present in rockyou.txt, leads to full credential compromise.

2. OTP stored in unencrypted session cookie — The most critical flaw. The OTP is readable by any client without needing the server's secret key.

3. Small OTP keyspace (9,000 values) — Even without cookie access, this is brute-forceable in seconds.

4. No rate limiting on /two_fa — No protection against automated OTP guessing.

---

Lessons Learned

• Never store secrets in Flask session cookies. They are signed, not encrypted. Use server-side sessions (Flask-Session with Redis or a database backend) to keep sensitive data off the client.
• Use cryptographically secure OTP generation. Replace random.randint() with the secrets module — secrets.randbelow() or secrets.token_hex().
• Enforce strong passwords. apple@123 should never pass any reasonable password policy. Use bcrypt or argon2 for hashing instead of raw SHA-256.
• Adopt TOTP standards. Rolling your own OTP system is risky. Use TOTP (RFC 6238) with libraries like pyotp, compatible with Google Authenticator and Authy.

---

Thanks for reading! If you found this helpful, consider following for more CTF writeups.