https://blazskufca.com/tags/web/Recent content in Web on Blaž ŠkufcaHugoen-usSat, 28 Mar 2026 00:00:00 +0000https://blazskufca.com/projects/dctf_2026/Sat, 28 Mar 2026 00:00:00 +0000https://blazskufca.com/projects/dctf_2026/<h1 id="intro">Intro</h1> <p><a href="https://dctf.si/challenges#Nom%20Nom-15">Nom Nom (DCTF 2026)</a> looks like a small Flask login app with a standard password-reset feature, but the reset token logic is fundamentally broken.</p> <p>Our goal is to take over <code>blackhole@dragonsec.si</code>, the only account that reveals the flag on <code>/dashboard</code>. The app generates reset tokens using a custom UUIDv1-style function where most fields remain constant across requests, leaving only a timestamp-derived portion that varies.</p> <p>In this writeup we will reverse the token structure, recover the fixed portion from a reset token we control, brute-force the short timestamp window for the victim&rsquo;s token, and use it to reset the victim&rsquo;s password and capture the flag.</p>