
Hackvent 2019: Day 11


11 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 11 December 2019

Challenge

HV19.11 Frolicsome Santa Jokes API

HTML file mirror: FSJA API Description

Solution

We have the spec for the FSJA API that the elves have made. We use Postman to play around with the API to get a feel for how it works.

Following the instructions, we are able to register a new user and authenticate to get a token.
We use the following payload for our user data:

Upon logging in with the /fsja/login endpoint, we get a token which looks like this:

The token looks like base64-encoded data. In fact, it happens to be a JWT.

We finally use the /fsja/random endpoint to get a joke:

The platinum field stands out to me the most.
As a random hunch, I decide to register a user and provide the platinum field value in the payload myself like so:

I generate another joke and the API kindly provides us with our flag:

Flag: HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}
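
The behaviour above is consistent with a registration handler that copies every client-supplied field into the user record (mass assignment). The following is an added example, not code from the challenge server or the original post, showing that pattern beside an allow-list version that rejects the extra field. Only the platinum field comes from the write-up; the username and password field names, the function names and the sample requests are assumptions.

```python
# Added illustration; not the FSJA server's code. Field names other than
# "platinum" are assumptions.
import json

ALLOWED_FIELDS = {"username", "password"}   # assumed client-settable fields
SERVER_DEFAULTS = {"platinum": False}       # privilege flag, set only server-side


def register_vulnerable(body: str) -> dict:
    """Mass assignment: every key in the request body lands in the user record."""
    user = dict(SERVER_DEFAULTS)
    user.update(json.loads(body))           # a client-supplied "platinum" overrides the default
    return user


def register_hardened(body: str) -> dict:
    """Allow-list binding: reject unknown keys, set privileges server-side."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("request body must be a JSON object")
    unexpected = set(data) - ALLOWED_FIELDS
    if unexpected:
        # Rejecting (rather than silently dropping) makes the attempt visible in logs.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    missing = ALLOWED_FIELDS - set(data)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    for name in ALLOWED_FIELDS:
        if not isinstance(data[name], str) or not data[name]:
            raise ValueError(f"{name} must be a non-empty string")
    user = {name: data[name] for name in ALLOWED_FIELDS}
    user.update(SERVER_DEFAULTS)            # applied last so it cannot be overridden
    return user


# Constructed sample requests
NORMAL = json.dumps({"username": "elf1", "password": "constructed-pw"})
TAMPERED = json.dumps({"username": "elf2", "password": "constructed-pw", "platinum": True})

if __name__ == "__main__":
    print(register_vulnerable(TAMPERED))    # platinum ends up True
    print(register_hardened(NORMAL))        # platinum stays False
    try:
        register_hardened(TAMPERED)
    except ValueError as exc:
        print("rejected:", exc)
```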

Bonus

This challenge also contained the solution to HV19.H2 Hidden Three

 