# CTF CyberTalents — Admin Gate First

#### CTF CyberTalents — Admin Gate First <a href="#id-7fdb" id="id-7fdb"></a>

Welcome to the write-up of how to capture the flag of the challenge “Admin Gate First” from [CyberTalents](https://cybertalents.com/challenges/web/admin-gate-first)

<figure><img src="https://cdn-images-1.medium.com/max/800/1*N64TDQ8AaCNcsUnO2uzNCg.png" alt=""><figcaption></figcaption></figure>

***Challenge info.***

<figure><img src="https://cdn-images-1.medium.com/max/800/1*S26jBHJirG223abeM4rHbA.png" alt=""><figcaption></figcaption></figure>

> **Challenge description:** Flag is safe in the admin account info

From the description of the challenge you’ll notice that the flag is in something related to the account info like cookies for example

*Lets start the challenge*

When you entered to the challenge you’ll get login page with test user account credentials, check the source code but you’ll not find anything interested!

So let’s get logging into and see the source again

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ClFhgnrvqIevz_K3M5BLcw.png" alt=""><figcaption></figcaption></figure>

Check the source code

<figure><img src="https://cdn-images-1.medium.com/max/800/1*u5jFI4J3mTi6TEMY4nT8mQ.png" alt=""><figcaption></figcaption></figure>

Note that there’s check of the authorization header so let’s relaod the page and check the request headers

<figure><img src="https://cdn-images-1.medium.com/max/800/1*LoIUHThiVl114CJBk8r4LA.png" alt=""><figcaption></figcaption></figure>

You should note that there’s [JWT](https://jwt.io/introduction/) (JSON Web Token) which check the user role, so now we’ll note talk about it more but you should know that it consist of 3 parts *Header, Payload and Signature* and all of this parts are base64 encoded so the website [jwt.io](https://jwt.io/) deals with this format and get it decrypted, so let’s go there and paste our jwt format in its place

<figure><img src="https://cdn-images-1.medium.com/max/800/1*O84HSM5cCORnWnYBORWZ_g.png" alt=""><figcaption></figcaption></figure>

> Before we continuing you should know about the 3 parts of the JWT so if you don’t know about the content of them read this first and continue <https://jwt.io/introduction/>

If you notice in the 3rd part Signature there’s our secret key can be edited, if you don’t know how dangerous of it or how this key is used for see this screenshot

<figure><img src="https://cdn-images-1.medium.com/max/800/1*lfj2zRfwWyrvN8h1yMd_RQ.png" alt=""><figcaption><p>Importance of secret_key</p></figcaption></figure>

So in this case we’ll try to predict the value of this key. You can use a lot of tools which make the same thing but I prefer [JWT-Cracker](https://lmammino.github.io/jwt-cracker/) tool to do this mission

> Download it from here <https://github.com/lmammino/jwt-cracker>

***How to use it ?***

```
jwt-cracker <token> [<alphabet>] [<maxLength>]
```

> **token**: the full HS256 JWT token string to crack

> **alphabet**: the alphabet to use for the brute force (default: “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789”)

> **maxLength**: the max length of the string generated during the brute force (default: 12)

<figure><img src="https://cdn-images-1.medium.com/max/800/1*WuyGcDNZevUI6H48pHMlag.png" alt=""><figcaption></figcaption></figure>

Note! our value is 123456

Go to jwt.io and put it into it’s place and change the username and the password to admin and copy the new JWT and replace it into the authorization header in the request

> To know more about Bearer authentication <https://swagger.io/docs/specification/authentication/bearer-authentication/>

See What will happen !

Bingoooo! We’ve the FLAG :”)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://eslam3kl.gitbook.io/blog/ctf-challenges/ctf-cybertalents-admin-gate-first.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.