Ben Tennyson’s Omnitrix holds a mysterious and powerful form called Materia Grigia — a creature that only those with the sharpest minds can access. It’s hidden deep within the system, waiting for someone clever enough to unlock it. Only the smartest can access what’s truly hidden. Can you outsmart the system and reveal the flag?
Website: http://ben10.challs.srdnlen.it:8080
Creating an account and logging into the site, it appears as follows:
Home Page
Trying to access the last image of the site, I receive the following error message:
Ben 10
Consequently, I believe privileged access to the page is required. By examining the attached files, I noticed that every time a user was registered, another account was created in the database with admin privileges. The username of this account was formatted as “admin^username^token”. This can be observed in the following function in the app.py file:
@app.route('/register',methods=['GET','POST'])defregister():"""Handle user registration."""ifrequest.method=='POST':username=request.form['username']password=request.form['password']ifusername.startswith('admin')or'^'inusername:flash("I don't like admins","error")returnrender_template('register.html')ifnotusernameornotpassword:flash("Both fields are required.","error")returnrender_template('register.html')admin_username=f"admin^{username}^{secrets.token_hex(5)}"admin_password=secrets.token_hex(8)try:conn=sqlite3.connect(DATABASE)cursor=conn.cursor()cursor.execute("INSERT INTO users (username, password, admin_username) VALUES (?, ?, ?)",(username,password,admin_username))cursor.execute("INSERT INTO users (username, password, admin_username) VALUES (?, ?, ?)",(admin_username,admin_password,None))conn.commit()exceptsqlite3.IntegrityError:flash("Username already exists!","error")returnrender_template('register.html')finally:conn.close()flash("Registration successful!","success")returnredirect(url_for('login'))returnrender_template('register.html')
Now, all we need is to find the user and exploit the password reset function for the admin user to gain access and extract the flag. I noticed that the admin username is exposed on the homepage after logging in, inside an HTML tag with CSS display:none, making it visible through the page source using ChromeDevTools:
In fact, by viewing the page source, we can retrieve the admin username:
Admin Username
now we can proceed to the exploit.
🎯 Solution Path
Exploitation Steps
Initial setup
The initial phase involves registering a user account. Afterward, we need to log in and retrieve the username of the admin account that was created alongside the user account. This admin username is displayed on the homepage, as mentioned earlier. Once we have obtained the username, we can move on to the actual exploit.
Exploitation
The exploit involves resetting the password of the admin account to gain access. However, on the reset screen, we can only reset the password of the user account because a check is implemented in the reset function to block any user whose username starts with admin. Therefore, we begin the reset process with the normal user account created earlier to generate a valid reset token:
Reset Token
Once the token is generated, we gain access to the reset page. Here, no checks are applied on the type of account we want to reset; we only need to know the account name we obtained in the initial phase. Therefore, we proceed to reset the password of the admin account associated with our user account:
Admin Password Reset
Once the reset is completed, we simply need to log in with the admin account whose password we just reset, and visit the route /ben/10, which is the last photo in the list, to obtain the flag.
Flag capture
Manual Flag
🛠️ Exploitation Process
Approach
The exploit uses requests and BeautifulSoup for extracting the user, the token, and the flag. It literally performs the step-by-step actions described previously: first, it creates an account using the Faker library to generate fake credentials. Then, it logs in and extracts the admin username associated with the user created earlier. After that, it resets the password for the admin user. Finally, after logging in again and visiting the /ben/10 route, it extracts the flag using BeautifulSoup (bs4) and prints it.
