h1-702 web task

h1-702 is a CTF organized by HackerOne; it had 5 tasks in the “android” category and 1 task in the “web” category.

Since there was just 1 task on web, I thought I would give it a try and do the challenge. The challenge had multiple steps:

  • First I had to discover an application through brute force on filenames.
  • Second, I had to bypass the authentication by hacking JSON Web Tokens (JWT).
  • And the last step involved a side-channel attack using the sort function for some timestamps. The timestamps were sorted by their noteid. Using this leak I was able to obtain the noteid of the flag and then retrieve the flag. For each letter of the secret noteid I used binary search on the charset [0-1A-Za-z].
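
The ordering leak in the last step can be reproduced offline against a toy store, next to the fix of ordering by a non-secret field. This is an added example, not code from the challenge or the original writeup. The `NoteStore` class, client-chosen note ids, a known id length, and the alphabet (digits, then upper- and lowercase letters) are all assumptions made for the illustration.

```python
import string

# Assumed alphabet, in code-point order so str comparison matches index order.
CHARSET = string.digits + string.ascii_uppercase + string.ascii_lowercase
SECRET_TS = 1000  # constructed: creation time of the secret note


class NoteStore:
    """Toy in-memory note store (constructed; not the challenge's code)."""

    def __init__(self, secret_id, sort_by_id=True):
        self.notes = {secret_id: SECRET_TS}  # note id -> creation timestamp
        self.clock = SECRET_TS
        self.sort_by_id = sort_by_id

    def add(self, note_id):
        self.clock += 1
        self.notes[note_id] = self.clock
        return self.clock

    def timestamps(self):
        # Leaky: response order follows the secret ids even though only
        # timestamps are returned. Hardened: order by the timestamp itself.
        key = (lambda kv: kv[0]) if self.sort_by_id else (lambda kv: kv[1])
        return [ts for _, ts in sorted(self.notes.items(), key=key)]


def sorts_after_secret(store, probe_id):
    """One oracle query: does our own note land after the secret note?"""
    ts = store.add(probe_id)
    listing = store.timestamps()
    return listing.index(ts) > listing.index(SECRET_TS)


def recover_id(store, length):
    """Binary search each position; returns what the ordering reveals."""
    prefix = ""
    for _ in range(length):
        lo, hi = 0, len(CHARSET) - 1
        while lo < hi:
            mid = (lo + hi) // 2
            # Pad one char past `length` so a probe never equals the secret.
            probe = (prefix + CHARSET[mid]).ljust(length + 1, CHARSET[-1])
            if sorts_after_secret(store, probe):
                hi = mid          # CHARSET[mid] >= secret char
            else:
                lo = mid + 1      # CHARSET[mid] <  secret char
        prefix += CHARSET[lo]
    return prefix
```

With `sort_by_id=False` the same routine returns only the lowest character repeated, because the response order no longer depends on the secret id.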

The whole writeup can be found at:

