Challenge Overview

"Welcome to LoverLetterLocker, where you can safely write and store your Valentine's letters. For your eyes only?"

Target URL: http://10.82.165.52:5000
Tech Stack: Python / Flask (Werkzeug)
Vulnerability: IDOR (Insecure Direct Object Reference)
Flag: THM{1_c4n_r3ad_<REDACTED>}

The challenge hints at a private letter storage application. The phrase "For your eyes only?" in the description - with a question mark - is a deliberate clue that the privacy of the letters may be compromised.

Reconnaissance

Port Scanning

The first step was to confirm what service is running on the target.

nmap -sV -p 5000 10.82.165.52

Output:

PORT     STATE SERVICE VERSION
5000/tcp open  http    Werkzeug httpd 3.1.5 (Python 3.12.3)

Finding: Port 5000 serves a Python web application through Werkzeug's HTTP server, the default for Flask. Flask applications are common in CTF challenges and are worth probing for Flask-specific weaknesses: an exposed Werkzeug debugger, a weak or guessable SECRET_KEY, and session forgery if that key can be recovered.

Application Enumeration

Initial Page Inspection

Browsing to the root URL reveals a basic web app with:

  • A home/landing page

  • Register functionality

  • Login functionality

curl -s http://10.82.165.52:5000/

The navigation bar shows Login and Register links, confirming this is a multi-user application. The existence of multiple user accounts raises the possibility of horizontal privilege escalation (accessing another user's data).

Account Registration

A test account was registered to gain access to the authenticated portion of the application.

curl -s -c cookies.txt -b cookies.txt \
  -X POST http://10.82.165.52:5000/register \
  -d "username=hacker&password=hacker123" \
  -D register_headers.txt

Response: HTTP 302 → /login with a Set-Cookie: session=... header, confirming successful registration.

Login & Session Analysis

curl -s -c cookies.txt -b cookies.txt \
  -X POST http://10.82.165.52:5000/login \
  -d "username=hacker&password=hacker123" \
  -D login_headers.txt

Response: HTTP 302 → /letters

The server sets a Flask session cookie. By default a Flask session cookie is a JSON payload that is base64url-encoded (and zlib-compressed when that makes it smaller, marked by a leading dot), followed by a timestamp and an HMAC signature, all separated by dots. The cookie is signed but not encrypted: its contents can be decoded without the secret key, and only verifying or forging the signature requires it.
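As an added example (not part of the original writeup), the following stdlib-only Python script decodes a Flask session cookie without the secret, verifies it when the secret is known, and shows that editing the payload invalidates the signature. It assumes Flask's default cookie format (itsdangerous URLSafeTimedSerializer with salt "cookie-session", HMAC-SHA1 and the "hmac" key derivation); the sample cookie is constructed here with the made-up secret "dev-secret" and is not a cookie captured from the target.

```python
"""Decode, verify and tamper-test a Flask-style session cookie.

Assumed format (Flask default, not taken from the writeup):
    <payload>.<timestamp>.<signature>
payload   = base64url(JSON), or "." + base64url(zlib(JSON)) when compressed
signature = base64url(HMAC-SHA1(derived_key, "<payload>.<timestamp>"))
derived_key = HMAC-SHA1(secret_key, b"cookie-session")
"""
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # Flask's default session salt


def _b64d(s: str) -> bytes:
    raw = s.encode()
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_payload(cookie: str) -> dict:
    """Return the session contents WITHOUT knowing the secret key."""
    payload, _ts, _sig = cookie.rsplit(".", 2)
    compressed = payload.startswith(".")
    raw = _b64d(payload[1:] if compressed else payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def _derive_key(secret: str) -> bytes:
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def verify(cookie: str, secret: str) -> bool:
    """Check the signature; only possible with the secret key."""
    signed_part, _, sig = cookie.rpartition(".")
    expected = hmac.new(_derive_key(secret), signed_part.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64d(sig))


def sign(session: dict, secret: str, ts=None) -> str:
    """Build a cookie in the assumed format (what the server does)."""
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    payload = _b64e(raw)
    comp = zlib.compress(raw)
    if len(comp) < len(raw) - 1:  # same threshold itsdangerous uses
        payload = "." + _b64e(comp)
    ts = int(time.time()) if ts is None else ts
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big") or b"\x00"
    signed_part = f"{payload}.{_b64e(ts_bytes)}"
    sig = hmac.new(_derive_key(secret), signed_part.encode(), hashlib.sha1).digest()
    return f"{signed_part}.{_b64e(sig)}"


def tamper(cookie: str, session: dict) -> str:
    """Swap in a new payload but keep the old timestamp and signature."""
    _old, ts, sig = cookie.rsplit(".", 2)
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64e(raw)}.{ts}.{sig}"


# Constructed sample: a made-up secret and a made-up session, not target data.
SECRET = "dev-secret"
SAMPLE = sign({"user_id": 7, "username": "hacker"}, SECRET, ts=1700000000)

if __name__ == "__main__":
    print("decoded without secret:", decode_payload(SAMPLE))
    print("verifies with secret:", verify(SAMPLE, SECRET))
    forged = tamper(SAMPLE, {"user_id": 1, "username": "admin"})
    print("forged decodes:", decode_payload(forged))
    print("forged verifies:", verify(forged, SECRET))
```

Reading the payload needs no key, which is why a session cookie must never carry anything the user should not see; changing it does need the key, so the signature is what actually stops a user from rewriting their own user_id. For real engagements the same decode-and-brute-force workflow is what tools such as flask-unsign automate.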
