## Web4 (Web, 200pts)

> Bruteforce the JWT secret to become admin
>
> [http://139.59.69.138:17723](http://139.59.69.138:17723)


The site sets this cookie `auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.pgMKdpUKL8fYGe79FRUR2mBLCsJRGI1DjVDwrRs_9mo`, which obviously is a [JWT](https://jwt.io/introduction/).

The `Setec astronomy` is a reference to the [Sneakers (1992 film)](https://en.wikipedia.org/wiki/Sneakers_(1992_film)) in which `Setec Astronomy` is an anagram of `Too many secrets`.


Using the debugger at [jwt.io](https://jwt.io/#debugger) we confirm that `Too many secrets` is the secret used to create the JWT. Knowing the secret we can edit the payload of the token, so we set the user to `admin`.


Setting the new JWT as the cookie value we are logged in as `admin`.


Original writeup (https://github.com/greunion/ctf-write-ups/tree/master/2018-nullcon/web/200-web4).