Waywitch

Challenge Description

(NOTE: use https:// to connect to the instance) Hidden in the shadows, a coven of witches communicates through arcane tokens, their messages cloaked in layers of dark enchantments. These enchanted tokens safeguard their cryptic conversations, masking sinister plots that threaten to unfold under the veil of night. However, whispers suggest that their protective spells are flawed, allowing outsiders to forge their own charms. Can you exploit the weaknesses in their mystical seals, craft a token of your own, and infiltrate their circle to thwart their nefarious plans before the next moon rises?

Category: Web
Difficulty: Very Easy

Solution

We are given the application's source code. The first thing we spot is the hardcoded secret used to sign and verify session tokens, which is all an attacker needs to mint valid tokens.

src/util.js
const jwt = require("jsonwebtoken");

function getUsernameFromToken(token) {
  // Hardcoded HMAC secret shipped with the source: anyone who reads it can sign tokens.
  const secret = "halloween-secret";

  try {
    // Verifies the signature and returns the claims; only the username claim is used.
    const decoded = jwt.verify(token, secret);
    return decoded.username;
  } catch (err) {
    throw new Error("Invalid token: " + err.message);
  }
}

module.exports = {
  getUsernameFromToken,
};

To reach the ticket listing we have to be admin: the /tickets route only checks that the username claim of the session_token cookie equals "admin", as the code shows.

src/routes/index.js
const { getUsernameFromToken } = require("../util");

router.get("/tickets", async (req, res) => {
  const sessionToken = req.cookies.session_token;

  if (!sessionToken) {
    return res.status(401).json(response("No session token provided"));
  }

  try {
    // Signature check happens here, but the secret is the hardcoded one from util.js.
    const username = getUsernameFromToken(sessionToken);

    // Authorization is purely the username claim inside the (forgeable) token.
    if (username === "admin") {
      try {
        const tickets = await db.get_tickets();
        return res.status(200).json({ tickets });
      } catch (err) {
        return res
          .status(500)
          .json(response("Error fetching tickets: " + err.message));
      }
    } else {
      return res
        .status(403)
        .json(response("Access denied. Admin privileges required."));
    }
  } catch (err) {
    return res.status(400).json(response(err.message));
  }
});

Since we have the secret, we can sign our own HS256 token with the username claim set to admin; the server's jwt.verify will accept it because the signature is valid.

We replace the session_token cookie with the forged token, request /tickets again, and the response now contains the tickets and the flag.