Six-Seven — alfactf

Description

Сикс-севен

Сервис: sixseven

English summary: the challenge provided a live coffee shop service at https://sixseven-i15fbvlm.alfactf.ru/ and a source archive at https://alfactf.ru/files/sixseven_git_4547ca8.tar.gz. The goal was to recover the coupon for a special drink and then extract the real flag from the returned QR code.

Analysis

Recon

The source archive was unusually useful because it contained a bundled .git directory. That immediately made git history part of the attack surface.

The first promising artifact was commit a28c686 with message Fix: blur flag. Older revisions of app/app.py contained a hardcoded string:

alfa{i_love_coffee_so_much!!!}

That looked like a flag at first, but it was only an outdated placeholder from history. Submitting it failed, so it was a false lead, not the solution.

The real breakthrough came from reconstructing the application layout:

• the current Python Flask app handled registration, login, dashboard pages, espresso purchases, and the final QR rendering,
• nginx/default.conf showed that /api/ was proxied to a separate backend service,
• the first commit still contained the old Rust backend source in api/src/main.rs.

That Rust file documented the real backend endpoints:

• POST /api/create_profile
• POST /api/check_coupon
• GET /api/get_module
• POST /api/set_module
• GET /api/calc_shares
• POST /api/combine_shares

Even though the Rust source was no longer present in the latest tree, probing the live target confirmed those routes still existed.

Session format

After registering normally through the Flask app, the sixseven_session cookie could be base64-decoded into JSON like:

{"user_id":2051}

This did not give an auth bypass by itself, but it revealed the authenticated user_id required by the hidden /api/* routes.

Intended logic vs. actual bug

The frontend implements a Shamir-style loyalty card:

...