The description of this challenge was "I saw someone's screen and it looked like they stayed logged in, somehow..." and a pcap file was provided for download.

After looking for a while inside the pcapng file, I found an interesting request to /jwtlogin.

I tried to make a request, but all I got was this:

"description": "Request does not contain an access token",
"error": "Authorization Required",
"status_code": 401

So I realized that we have to create a JWT token to get the authorization.

For hours I kept trying to create tokens that used the username field, since in the other challenges I had found an email, "true.grit@umbccd.io", but nothing... So I tried to log in from /staff.html by inserting "true.grit@umbccd.io" in the username field without putting any password, intercepting the request with Burp.

It was the right move, because in the header of the error page I found this: "JWT 'identity'=31337; Path=/". This is very useful for us, because we know that the JWT token is using the identity and username fields (even if they are deprecated).

To finish this challenge, I just went again to /jwtlogin, intercepting the request with Burp, then I put the token in the header like this:

Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZGVudGl0eSI6MzEzMzcsInVzZXJuYW1lIjoidHJ1ZS5ncml0QHVtYmNjZC5pbyIsImlhdCI6IjE1ODY2OTg2NDYiLCJleHAiOiIxNTg2Njk5NTE3IiwibmJmIjoiMTU4NjY5ODUxNyJ9._eJaJQszRDarG_lY_xu7Yt7nTksNzFiEBE1-N6B5eXY

After I sent the modified request with the JWT token, I got the flag:


Flag: DawgCTF{y0u_d0wn_w!t#_JWT?}
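An added example, not part of the original write-up or the challenge's code: it decodes the token shown above for inspection and sketches the strict server-side check (pinned algorithm, constant-time HMAC comparison, numeric time claims) that a JWT endpoint should apply. `DEMO_KEY` and all function names are assumptions made for the illustration; the challenge server's real key does not appear on the page.

```python
import base64, hashlib, hmac, json, time

# Token exactly as it appears in the Authorization header above.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZGVudGl0eSI6MzEzMzcsInVzZXJuYW1lIjoidHJ1ZS5ncml0QHVtYmNjZC5pbyIs"
    "ImlhdCI6IjE1ODY2OTg2NDYiLCJleHAiOiIxNTg2Njk5NTE3IiwibmJmIjoiMTU4NjY5ODUxNyJ9."
    "_eJaJQszRDarG_lY_xu7Yt7nTksNzFiEBE1-N6B5eXY"
)
DEMO_KEY = b"constructed-demo-key"  # assumption: constructed, not the server's key

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Inspection only: parse header and claims without trusting them."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def sign_hs256(claims, key):
    """Mint a test token so the verifier below can be exercised."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_strict(token, key, now=None):
    """Pinned algorithm, constant-time MAC check, numeric time claims."""
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    head, body, sig = token.split(".")
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("header and claims must be JSON objects")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    for name in ("iat", "nbf", "exp"):
        if type(claims.get(name)) not in (int, float):
            raise ValueError(f"{name} must be a JSON number")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("outside validity window")
    return claims

if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))
```

Decoding shows that the token carries `iat`, `nbf` and `exp` as JSON strings; RFC 7519 defines these as numeric values, so `verify_strict` rejects such a token even when its signature is valid.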