Nothing out of place. Checking the cookies, we see what looks to be a JSON Web Token (JWT).
jwt.io confirms that it’s a JWT and that it’s signed with HS256 (HMAC-SHA256). Let’s see if we can forge our own by cracking this one.
Using jwt-tool to crack the key:
Time to forge our own admin JWT:
By changing the cookie value to our new JWT, we’ve accessed the admin account.
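Why the forged cookie was accepted, and the server-side fix, as an added example that is not part of the original write-up: an HS256 token proves only that the issuer knew the key, so anyone holding a guessable key can mint claims. The key values, the `username` claim and all function names below are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

WEAK_KEYS = {b"secret", b"password", b"changeme"}  # constructed sample denylist

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT for the given claims."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if token is a valid HS256 JWT under key, else None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        # Pin the algorithm server-side instead of trusting the header.
        if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison of the recomputed and supplied signatures.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError):
        return None

def key_is_acceptable(key: bytes) -> bool:
    """RFC 7518 section 3.2: an HS256 key must be at least 256 bits."""
    return len(key) >= 32 and key not in WEAK_KEYS

if __name__ == "__main__":
    weak, strong = b"secret", secrets.token_bytes(32)
    minted = sign_hs256({"username": "admin"}, weak)  # constructed claim name
    print("weak key passes policy:   ", key_is_acceptable(weak))
    print("strong key passes policy: ", key_is_acceptable(strong))
    print("accepted under weak key:  ", verify_hs256(minted, weak))
    print("accepted under strong key:", verify_hs256(minted, strong))
```

Running `key_is_acceptable` on the configured secret at application start-up turns a crackable key into a deployment failure instead of an account takeover.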
Nothing seems to work here, and the only two options that do work kick back a 404.
Interesting. The URL that’s causing the error seems to be reflected on the page. Seems like we can control it.
Since the name of the challenge is ‘Template Shack’, let’s jump right into template injection.
Template injection is a go!
we can look for the
we need its exact index in the list. Let’s use slicing to find it:
By continuously slicing higher indices, we can track down exactly where
Now that it’s at the top of the list, we know it’s at 405.