Secrets

1) Can you identify the name of the token? (Format: String) (2 points)

We will upload the ticket to CyberChef to check

Search GG and see JWT decode

2) What is the structure of this token? (Format: Section.Section.Section) (2 points)

As seen, it includes: Header, Payload, Signature

3) What is the hint you found from this token? (Format: String) (2 points)

As seen “flag”: “BTL{_4_Eyes}”. The verdict will be _4_Eyes

4) What is the Secret? (Format: String) (2 points)

To decode we will use brute force, there is hashcat and john here I will use hashcat

You must first go to root

hashcat token.txt -m 16500 -a 3 ?a?a?a?a

• -m 16500 in Hashcat is used to crack JSON Web Tokens (JWT)

  

• -a 3 ?a?a?a?a in Hashcat is used for brute force

Since I already did it, I used Hashcat --show

yeh so the secret here is bT!0

5) Can you generate a new verified signature ticket with a low privilege? (Format: String.String.String) (2 points)

To get the answer to this question, there is a secret in the previous question, now change the value of admin from true to false

Because I don’t have admin rights hehe :>

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmbGFnIjoiQlRMe180X0V5ZXN9IiwiaWF0Ijo5MDAwMDAwMCwibmFtZSI6IkdyZWF0RXhwIiwiYWRtaW4iOmZhbHNlfQ.nMXNFvttCvtDcpswOQA8u_LpURwv6ZrCJ-ftIXegtX4

goodbye, thank you for reading until now //~//