We have an application which signs a value that you send to it and stores it in the username cookie.
From the homepage we can guess that we need to have a cookie containing the "admin" value, but sadly the server rejects our request when we ask it to sign username="admin".
We also received some files with the challenge, from them we can tell that the server is running a django behind a nginx proxy (which also serves static files).
Here are our first vulnerability in the nginx.conf file:
# static files
location /static {
alias /srv/app/static/;
}
the location value does not end with a / but the alias value does. Which means that if we query: https://unchained.ctf.insecurity-insa.fr/static../thing
then the location will match and will concatenate ../thing to the alias, which gives us this local file access: /srv/app/static/../thing
As we know the server is running a django application and we know where it is located (Dockerfile, uwsgi file etc..) We can download the settings.py file \o/
https://unchained.ctf.insecurity-insa.fr/static../unchained/settings.py
Which gives us the SECRET_KEY which is used during the signing process in django.
Next, we just have to generate a valid cookie for admin and our job is done.
Please see exploit/exploit for the full exploit and signing process