Writeups
TryHeartMe2026
Recon:
We first get all our exposed ports from Nmap, to see what we can work with.
We enumerate with nmap and return port 22 and 5000
#We check out the website. The website is a store front with a login function. We use BURP suite for some IDOR and SQL. We make an account.
!!THE WEBSITE USES JWT TOKENS!!
The JWT token are encoded for URL using base64 The syntax of JWT token is seperated into 3 sections separated by 2 dots header.payload.trailer
The header contains our encoding instructions(What we expect in the trailer)
Payload contains role: and credits: We can escalate to admin with infinite money. The Trailer applies based on the header encoding instruction(or none if we remove it). ___
Payload crafting:
We can use the JWT.io or cyberchef
We used the following payload
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJlbWFpbCI6ImJlZXBicEBvb2Jhb29iYS5jb20iLCJyb2xlIjoiYWRtaW4iLCJjcmVkaXRzIjo5OTk5LCJpYXQiOjE3NzEzNDY4MzYsInRoZW1lIjoidmFsZW50aW5lIn0.
We are now admin
We can access the flag by continuously adding our JWT into every page BURP suite loads
THM{v4l3nt1n3_jwt_c00k13_t4mp3r_4dm1n_sh0p}
Notes:
JSON web tokens and base64 are not proper security features. Yes, its better than plaintext but, in this case they might as well just send full plaintext credentials. All that’s needed to fully compromise this machine is to encode JWT with base64 and send them over.