Official Secret Discussion

That code you’re looking at will make it clear what type of token is being generated. Read more about how those work, and I think you’ll have an aha! moment.

What a fun box. One of my favourite!

The path to the user flag requires exploiting a vulnerability that could very well happen in a real website, and also some real-world skills. Everything you need is in front of your eyes. You can also literally start the service on your local machine and manually debug the code (I actually did that, I recommend it)

The path to the root flag is a bit harder but doable. And again, it requires learning about the tools you are using and thinking about how to bend them.

I do think it is easy (it took me only 4 hours, which is below what other easy machines take me), but it definitely requires some “real-world skills.”

Nice work @z9fr!

PM me if you need help.

Hi there, could someone give me a hint about the foothold? I created a token for a new user and I’ve been examining the download. I don’t have a ton of experience with this topic so I’m not exactly sure what I should look for.

Rooted. Fun box. DM me if you need nudges.

“name” is required

1 Like

Hi! Can anyone give me a nudge on the user ? I have tried to apply none" and to guess secret using John, but both of them failed. Am I going in the wrong direction?

Rooted.
Root part was fun.
DM me if you need nudges.

Obtained user, but the system is not accepting user’s flag :frowning: Did anyone have the same problem?

yes, had the same issue, i was connected to release arena VPN. I disconnected and tried again with normal VPN and got a new key which works. Hope this helps.

1 Like

I need a little help. I’m pretty sure I understand what we need to do. If I’m correct we need to get a J** with the user t******n in the payload. What I’m confused on is if we need to get a key to sign a valid token or if we need to login as the the user to get the token. I’m sure its right in front of me I just can’t seem to see it. What I thought was the obvious part from the download file for signing doesn’t seem to work.

Don’t look too far away in what you downloaded. It’s right in front of you but might be hidden. Hope that helps.

2 Likes

stuck at the root part, any hints?

same any one give me an hint

Should we even use the secret provided by the hidden place? It only generates invalid t****s

it works properly

Just use the bare hex

It seems as if somebody has messed up some critical file on the machine and we’re also done with the resets of the day :slight_smile: Got the clue but have to wait till tomorrow :slight_smile:

Hi, I’m working on root right now, and after looking around, I think I need some credentials I don’t have. I think can be found but will take a while (at least on my laptop). Are some kind of brute-forcing required prior the root process? Or I’m wrong in my assumptions? Thanks.

I was trying to revert a commit with git (‘get revert…’), but it’s giving me an error. First, it says it needs to know who I am, so I do that, but then it still gives me the same “commit your changes or stash them to proceed”, “revert failed”. Anyone know how to resolve that?