ruby_cookie
from: buuctf [BSidesCF 2019]Mixer
Seeing a rack cookie, I looked up an article about it.
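```ruby
require "uri"
require "base64"
require "pp"

# Value of the rack session cookie, still URL-encoded.
encoded_string = "BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRTBiNDJlNTgzNjJjOWFjNjU5NzJm%0ANzAwYmMxODczZTlkYzBiY2ZkMGI3NGZlYzE4NjBhNWRmNGY3NTg2NDg4NjkG%0AOwBGSSIMYWVzX2tleQY7AEYiJa5eOeNVt5U3U6b2OYRb%2Bz2Do4Uxpnpqkw5L%0AM%2BRPHR46%0A"
# Undo the URL encoding, then the base64 layer.
decoded_uri = URI.decode_www_form_component(encoded_string)
decoded_base64 = Base64.decode64(decoded_uri)
puts decoded_base64

# The result is a Ruby Marshal dump. Marshal.load can instantiate arbitrary
# objects, so only load untrusted cookies in a throwaway environment.
begin
  object = Marshal.load(decoded_base64)
  pp object
rescue ArgumentError, TypeError => e
  puts "ERROR: " + e.to_s
end
```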
Adjust it as needed and run:

```
ruby test.rb
```

Output:
{I"session_id:ETI"E0b42e58362c9ac65972f700bc1873e9dc0bcfd0b74fec1860a5df4f758648869;FI"
aes_key;F"%�^9�U��7S��9�[�=���1�zj�K3�O:
{"session_id"=>"0b42e58362c9ac65972f700bc1873e9dc0bcfd0b74fec1860a5df4f758648869",
"aes_key"=>"\xAE^9\xE3U\xB7\x957S\xA6\xF69\x84[\xFB=\x83\xA3\x851\xA6zj\x93\x0EK3\xE4O\x1D\x1E:"}
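The aes_key suggests trying decryption, with the key converted to base64 or hex. I tried it on the session_id above, but it would not decrypt.
Then I remembered that the response also carries a user cookie, which gives: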
{"first_name":"123","last_name":"123","is_admin":0}
It decrypted. Just change is_admin to 1, encrypt it back to hex, and send the request.
Get the flag.