~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • Writeups

    TryHeartMe2026


    Recon:

    We first get all our exposed ports from Nmap, to see what we can work with.

    We enumerate with nmap and return port 22 and 5000

    #We check out the website. The website is a store front with a login function. We use BURP suite for some IDOR and SQL. We make an account.

    !!THE WEBSITE USES JWT TOKENS!!

    The JWT token are encoded for URL using base64 The syntax of JWT token is seperated into 3 sections separated by 2 dots header.payload.trailer

    The header contains our encoding instructions(What we expect in the trailer)

    Payload contains role: and credits: We can escalate to admin with infinite money. The Trailer applies based on the header encoding instruction(or none if we remove it). ___

    Payload crafting:

    We can use the JWT.io or cyberchef

    We used the following payload

    eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJlbWFpbCI6ImJlZXBicEBvb2Jhb29iYS5jb20iLCJyb2xlIjoiYWRtaW4iLCJjcmVkaXRzIjo5OTk5LCJpYXQiOjE3NzEzNDY4MzYsInRoZW1lIjoidmFsZW50aW5lIn0.

    We are now admin

    We can access the flag by continuously adding our JWT into every page BURP suite loads

    THM{v4l3nt1n3_jwt_c00k13_t4mp3r_4dm1n_sh0p}


    Notes:

    JSON web tokens and base64 are not proper security features. Yes, its better than plaintext but, in this case they might as well just send full plaintext credentials. All that’s needed to fully compromise this machine is to encode JWT with base64 and send them over.


    Tools: