Rating:
The description of this challenge was "I saw someone's screen and it looked like they stayed logged in, somehow..." and a pcap file was provided for download.
After looking through the pcapng file for a while, I found an interesting request to /jwtlogin:
![token](https://user-images.githubusercontent.com/59454895/79248691-0e555180-7e74-11ea-83c0-4340f2d79920.PNG)
I tried to make the same request myself, but all I got was this:

```json
{
"description": "Request does not contain an access token",
"error": "Authorization Required",
"status_code": 401
}
```
So I realized that we have to create a JWT token to get authorization.
For hours I kept trying to create tokens that used the username field, since in the other challenges I had found an email "[email protected]", but nothing worked. So I tried to log in from /staff.html by entering "[email protected]" in the username field without any password, intercepting the request with Burp.
It was the right move, because in the header of the error page I found this: `JWT 'identity'=31337; Path=/`. This is very useful, because now we know that the JWT is built from the identity and username fields (even though they are deprecated).
To finish this challenge I went back to /jwtlogin, intercepted the request with Burp, and put the token in the header like this:

```
Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6MzEzMzcsInVzZXJuYW1lIjoidHJ1ZS5ncml0QHVtYmNjZC5pbyIsImlhdCI6IjE1ODY2OTg2NDYiLCJleHAiOiIxNTg2Njk5NTE3IiwibmJmIjoiMTU4NjY5ODUxNyJ9._eJaJQszRDarG_lY_xu7Yt7nTksNzFiEBE1-N6B5eXY
```
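As an added example (not part of the original writeup), here is a small stdlib-only Python helper that does the two things this challenge turns on: inspect a captured token's header and claims without trusting it, and show what a server-side check actually has to do before accepting one (pinned algorithm, constant-time HMAC comparison, then exp/nbf). The captured token is the one quoted above; the demo secret, the claim values of the freshly minted token and the helper names are all constructed for this example, and the real signing key from the challenge is not known here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Token quoted in the writeup above (copied from the page; its signing key is unknown here).
CAPTURED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZGVudGl0eSI6MzEzMzcsInVzZXJuYW1lIjoidHJ1ZS5ncml0QHVtYmNjZC5pbyIsImlhdCI6IjE1ODY2OTg2NDYiLCJleHAiOiIxNTg2Njk5NTE3IiwibmJmIjoiMTU4NjY5ODUxNyJ9."
    "_eJaJQszRDarG_lY_xu7Yt7nTksNzFiEBE1-N6B5eXY"
)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Parse header and payload WITHOUT checking the signature.

    This is the analyst's view of a token lifted from a pcap: it tells you what
    the token claims, and nothing about whether the server's key produced it.
    """
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(payload: Dict, secret: bytes) -> str:
    """Mint an HS256 token the way the issuing server would (constructed demo, not the challenge's code)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Dict:
    """Server-side acceptance check. Raises ValueError with a reason on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the server side; never let the token pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time compare so signature checking does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    # The captured token carries exp/nbf as strings; coerce before comparing.
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("expired")
    if "nbf" in payload and now < int(payload["nbf"]):
        raise ValueError("not yet valid")
    return payload


def try_verify(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Return 'ok' or the rejection reason, for easy reporting."""
    try:
        verify_hs256(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    hdr, claims = decode_unverified(CAPTURED_TOKEN)
    print("captured header:", hdr)
    print("captured claims:", claims)
    demo_secret = b"constructed-demo-secret"  # constructed; not the challenge's key
    minted = sign_hs256({"identity": 31337, "username": "user@example.invalid",
                         "iat": 1000, "exp": 1900, "nbf": 900}, demo_secret)
    print("minted token verifies:", try_verify(minted, demo_secret, now=1500))
    print("captured token with a guessed key:", try_verify(CAPTURED_TOKEN, b"not-the-real-key"))
```

Decoding the captured token shows exactly the claims the writeup relies on (`identity` 31337 plus the username, with `iat`/`exp`/`nbf` stored as strings), while `verify_hs256` illustrates why a forged token only works if the signature checks out under the server's actual key: with any other key the check stops at "bad signature" before the claims are even read.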
After I sent the modified request with the JWT, I got the flag:
![ahahahah](https://user-images.githubusercontent.com/59454895/79263641-1d93c980-7e8b-11ea-891c-5c90d1c1c85a.PNG)
Flag: DawgCTF{y0u_d0wn_w!t#_JWT?}