write-ups-challenges-2024-2025/peanutbutter-challenges/peanutbutter-brand/SOLUTION.md
2024-11-25 22:31:56 +01:00

## Difficulty

Easy

## Category

Web

## How To Solve

This time, simply modifying the URL doesn't help. When you push the 'retrieve' button on the /profile page, you get a message telling you that you can only get the best brand when you like peanut butter. A quick look at the Chrome DevTools Network tab shows that this information is the result of a GET request to the server after the button click. Under the request headers, you can see that a cookie named `token` is sent along. This is interesting.

When visiting the /profile page, a GET request for profile information is made to the server. The server responds with the information but also instructs the browser to set a cookie. That cookie is a JSON Web Token (JWT), named `token` in this case. You can use the Chrome DevTools to inspect the cookie. You can see that the cookie has the value `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6ZmFsc2V9._DG-nLXVTzNw_BoSQ240P6QNL9JbxRz6aWAgPFiXfVU`. You can simply decode this JWT using an online tool. The obtained JSON is:

```json
{
  "role": "CTF Participant",
  "likes_peanut_butter": false
}
```

In this tool, modify the JSON by setting `likes_peanut_butter` to `true` (this was the requirement for obtaining the 'best brand'). You now get a new JWT: `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6dHJ1ZX0.Ndo_jZn8fFltuKiZK9lyVoXyLuiueaPLUmuC7_0Y8j8`.

In your Chrome DevTools, you can change the `token` cookie to the new JWT. Now, simply push the 'retrieve' button again to obtain the flag. Note that you should not refresh the page: that would trigger a new GET request for profile information, and the server's response would overwrite the cookie with the old token again.
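As an added example (not part of the original write-up), the Python below decodes the two tokens quoted above exactly as the online tool does, and then shows the check the server was evidently missing: an HS256 JWT is only trustworthy if its HMAC verifies under the server's secret, so a payload edited without that secret must be rejected. The secret used here is a constructed placeholder, since the challenge's real signing key is not known.

```python
import base64
import hashlib
import hmac
import json

# The two JWTs quoted in the write-up: the cookie as issued, and the edited one.
ORIGINAL_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6ZmFsc2V9._DG-nLXVTzNw_BoSQ240P6QNL9JbxRz6aWAgPFiXfVU"
MODIFIED_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiQ1RGIFBhcnRpY2lwYW50IiwibGlrZXNfcGVhbnV0X2J1dHRlciI6dHJ1ZX0.Ndo_jZn8fFltuKiZK9lyVoXyLuiueaPLUmuC7_0Y8j8"

def b64url_decode(seg: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """What the online tool does: read header and claims, ignore the signature."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token the way the server should: HMAC-SHA256 over header.payload."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_hs256(token: str, secret: bytes):
    """Server-side check: return the claims only if the signature matches our secret."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

DEMO_SECRET = b"constructed-demo-secret"  # constructed; the challenge's real key is unknown

def forged_claim_is_rejected(secret: bytes = DEMO_SECRET) -> bool:
    """Re-sign the original claims with our key, splice in the edited payload without re-signing."""
    _hdr, claims = decode_unverified(ORIGINAL_TOKEN)
    good = sign_hs256(claims, secret)
    tampered = ".".join([good.split(".")[0], MODIFIED_TOKEN.split(".")[1], good.split(".")[2]])
    return verify_hs256(good, secret) == claims and verify_hs256(tampered, secret) is None
```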

## Flag

IGCTF{H3L4ES_PIND4K44SSSSSS}