A_Massive_Problem

Challenge

Imported from local notes.md.

Solution

Original Notes

Challenge Summary

  • Given: a Flask web application source archive and a live instance at http://23.179.17.92:5556.
  • Goal: obtain the administrator-only flag.
  • Constraints: flag format is CIT{...}.

Initial Recon / Triage

  • Observations: the app is a small Flask service backed by SQLite with routes for registration, login, profile editing, dashboard access, and an admin page.
  • File identification: the main logic is in starting_files/extracted/a-massive-problem/app/app.py.
  • Entry points: POST /api/register, POST /api/login, POST /api/profile, and GET /admin.

Hypotheses & Approach

  • The admin page is protected only by session['role'] == 'admin'.
  • Both account creation and profile update use record.update(incoming), which lets user-controlled JSON overwrite server-managed fields such as role.
  • Registering a new account with role=admin should create an administrator directly, allowing access to /admin after login.

Execution Steps (Reproducible)

Stage 1

Commands:

cd /root/cit2026CTF/A_Massive_Problem/starting_files
sha1sum a-massive-problem.zip
unzip -o a-massive-problem.zip -d extracted

Results:

  • The archive hash matched the challenge prompt: d1799d474a5ee0e222fbc7df3cce00772dc4de9b.
  • Extracting the archive revealed a Flask app with the vulnerable registration logic in app.py.

Stage 2

Commands:

cd /root/cit2026CTF/A_Massive_Problem
python3 artifacts/exploit.py

Results:

  • The exploit created a fresh account while supplying "role": "admin" in the registration JSON.
  • Login succeeded with that forged account.
  • Requesting /admin returned the flag.

Relevant vulnerable logic:

record = {
    'username': username,
    'password': password,
    'role': 'standard',
    'full_name': full_name,
    'title': title,
    'team': team
}
record.update(incoming)
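To make the mass-assignment hypothesis above and the record-building step concrete, here is an added example (not the challenge's app.py) that puts the vulnerable `record.update(incoming)` pattern beside an allowlisted version that only copies client-settable profile fields and reports every rejected key so it can be logged. The payload, the helper names, and reading full_name/title/team out of the incoming JSON are assumptions for this example.

```python
# Added example; mirrors the write-up's record-building step, not the challenge's own code.

# Fields a client may legitimately set on its own record (assumption for this example).
ALLOWED_PROFILE_FIELDS = frozenset({"full_name", "title", "team"})


def build_record_vulnerable(username, password, incoming):
    """The pattern from the write-up: seed server-managed defaults, then let
    the client JSON overwrite any key at all, including 'role'."""
    record = {
        "username": username,
        "password": password,
        "role": "standard",
        "full_name": incoming.get("full_name", ""),
        "title": incoming.get("title", ""),
        "team": incoming.get("team", ""),
    }
    record.update(incoming)  # mass assignment: every client-supplied key wins
    return record


def build_record_hardened(username, password, incoming):
    """Copy only allowlisted keys; server-managed fields never come from the client.
    Returns (record, rejected_keys) so unexpected keys such as 'role' can be logged."""
    record = {
        "username": username,
        "password": password,
        "role": "standard",
        "full_name": "",
        "title": "",
        "team": "",
    }
    rejected = sorted(key for key in incoming if key not in ALLOWED_PROFILE_FIELDS)
    for key in ALLOWED_PROFILE_FIELDS:
        if key in incoming:
            record[key] = str(incoming[key])  # coerce to the expected type
    return record, rejected


# Constructed registration payload of the kind the write-up describes.
SAMPLE_INCOMING = {"full_name": "Eve", "title": "analyst", "team": "blue", "role": "admin"}

if __name__ == "__main__":
    print("vulnerable role:", build_record_vulnerable("eve", "pw", SAMPLE_INCOMING)["role"])
    hardened, rejected = build_record_hardened("eve", "pw", SAMPLE_INCOMING)
    print("hardened role:", hardened["role"], "rejected keys:", rejected)
```

A non-empty rejected list on a registration or profile request is itself a useful detection signal for this class of bug.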

Artifacts Produced

  • artifacts/exploit.py: reproducible exploit script for the live service.
  • artifacts/live_exploit.json: captured username, response statuses, and recovered flag.

Flag

CIT{M@ss_@ssignm3nt_Pr1v3sc}