web crypto

Easy MFA

Punkty: 194
Rozwiązań: 21

Generating passwords is hard, so leave this us! We're also working on MFA.

https://easymfa.ecsc25.hack.cert.pl/


app.py

import base64
import random
from flask import Flask, request, abort, jsonify
from flask_jwt_extended import jwt_required, get_jwt_identity, create_access_token, verify_jwt_in_request, JWTManager


def get_random_string(length):
    return random.getrandbits(length * 8).to_bytes(length, 'big')


def get_mfa():
    return base64.b64encode(get_random_string(8)).decode()


app = Flask(__name__)
app.config["JWT_SECRET_KEY"] = get_random_string(32)
jwt = JWTManager(app)

FLAG = open("flag.txt", 'r').read()
random_passwords = [base64.b64encode(get_random_string(8)).decode() for _ in range(384)]


@app.route('/generate', methods=['GET'])
def generate_password():
    token = verify_jwt_in_request(optional=True)
    if token is None:
        index = 0
    else:
        _, jwt_data = token
        index = (jwt_data['current'] + 1) % len(random_passwords)
    access_token = create_access_token(identity="user", additional_claims={'current': index})
    return jsonify({'token': access_token, 'password': random_passwords[index]})


@app.route('/flag', methods=['POST'])
@jwt_required()
def flag():
    current_user = get_jwt_identity()
    otp = get_mfa()
    if current_user == "admin" and request.json['OTP'] == otp:
        return jsonify({"flag": FLAG})
    else:
        abort(403, f"Nope, it was {otp}")


@app.get("/")
def index():
    return "You can't connect to this API with your browser. Check the source code."


if __name__ == "__main__":
    app.run()

Format flagi: ecsc25{litery_cyfry_i_znaki_specjalne}.
W razie wątpliwości lub pytań dotyczących konkursu zapraszamy na naszego Discorda: https://discord.gg/gAtRKa2rcn.

Aby wysłać flagę, musisz się zalogować.