WinjaCTF2021: Find The Secret Person (550)

This is from the WinjaCTF2021.

For this challenge, we are given the following hint:

Going to the link give this page:

Looking at the source of the page, I see the images are named in sequential numbers:

Based on the hint “you are suppose to find the old person out them” on the page, I assume the image names (numbers) correspond to the order they were created. I look to see if there is a 0000.jpg file and there is!

I paste the name “Marie Collinsworth” into the text box and hit the enter key and get the flag as a response:

FLAG{Find_the_Secret_Agent_Y0u_F0uNd_Th3_R1gHt_P3rs0N}

WinjaCTF2021: JUSTWINTHIS (300)

This is from the WinjaCTF2021.

For this challenge, we are given he following hint:

Going to the link provided, we get this simple page:

After a bit of poking, I register an account:

When I log in with my new credentials, I am given this message:

Remembering a cipher I once saw that uses emojis, I try and decipher it using emojicipher.com

I see it decodes to “ar3_t0kens_$$$}”, which looks a lot like the tail end of a flag!

After some more poking, I see there is a cookie set by this site.

I decode the cookie value (base64) and see it is a JASON Web Token. Knowing how they are formatted, I break up the encoded cookie value and just decode the header to get this:

{"typ":"JWT","alg":"HS256"}{"iss":"http:\/\/ctf.winja.site","aud":"http:\/\/ctf.winja.site","role":"user","iat":1615014948,"exp":1615016748}

Seeing the “role” element with a value of “user”, I try changing the value to “admin” and then re-encoding the header and adding the preserved tail end of the original cookie value:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9jdGYud2luamEuc2l0ZSIsImF1ZCI6Imh0dHA6XC9cL2N0Zi53aW5qYS5zaXRlIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjE1MDE0OTQ4LCJleHAiOjE2MTUwMTY3NDh9.Zsn6FXTUcHnRQ98d6PuYsJpLBuv7_FLOzx_8y8lu13c

I paste that cookie value into my browser and refresh the page to get this new message:

I just got the first half of the flag.

Combining the two I get the full flag value:

flag{justwinthis_all_i_w4nt_ar3_t0kens_$$$}