h1-702 is a CTF organized by HackerOne. It had 5 tasks in the “android” category and 1 task in the “web” category.
Since there was just 1 web task, I thought I would give it a try and take on the challenge. The challenge had multiple steps:
- First I had to discover an application through brute force on filenames.
- Second, I had to bypass the authentication by hacking JSON Web Tokens (JWT).
- And the last step involved a Side-Channel Attack using the sort function for some timestamps. The timestamps were sorted by their noteid. Using this leak I was able to obtain the noteid of the flag and then retrieve the flag. For each letter of the secret noteid, I used binary search on the charset [0-1A-Za-z].
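
The sort-order leak from the last step, reproduced against a toy in-memory note store next to a hardened listing (an added example, not code from the challenge or from the full writeup). The `NoteStore` class, the alphabet, the `~` probe suffix, the known id length and the sample id are all assumptions made for this demo.

```python
import string

# Assumed alphabet for the demo, in ASCII sort order (digits < upper < lower).
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase
SECRET = "k7Qz"  # constructed sample id, not a value from the challenge

class NoteStore:
    """Toy note service (hypothetical). Listings expose timestamps only."""
    def __init__(self, secret_id, sort_by_id):
        self.clock = 0
        self.notes = {}               # noteid -> creation timestamp
        self.sort_by_id = sort_by_id
        self.put(secret_id)           # the secret note is created first (ts 0)

    def put(self, noteid):
        self.notes[noteid] = self.clock
        self.clock += 1
        return self.notes[noteid]

    def list_timestamps(self):
        # Leaky: order depends on the secret key. Hardened: order by timestamp.
        key = (lambda kv: kv[0]) if self.sort_by_id else (lambda kv: kv[1])
        return [ts for _, ts in sorted(self.notes.items(), key=key)]

def probe_sorts_after_secret(store, probe_id, secret_ts=0):
    # One observation: does our note's timestamp land after the secret's?
    ts = store.put(probe_id)
    listing = store.list_timestamps()
    return listing.index(ts) > listing.index(secret_ts)

def recover_id(store, length):
    prefix = ""
    for _ in range(length):
        lo, hi = 0, len(ALPHABET) - 1
        while lo < hi:                # first char whose probe sorts after the secret
            mid = (lo + hi) // 2
            # "~" sorts above every alphabet char, so the probe never equals the id
            if probe_sorts_after_secret(store, prefix + ALPHABET[mid] + "~"):
                hi = mid
            else:
                lo = mid + 1
        prefix += ALPHABET[lo]
    return prefix

if __name__ == "__main__":
    print("sorted by noteid:   ", recover_id(NoteStore(SECRET, True), len(SECRET)))
    print("sorted by timestamp:", recover_id(NoteStore(SECRET, False), len(SECRET)))
```

With the listing ordered by noteid, each character costs about six listings instead of one per alphabet symbol; ordering by a non-secret field removes the signal and the same procedure returns a meaningless string.
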
The whole writeup can be found at: