Hey there, friend! Piney Sappington here.
You look like someone who's good with puzzles and games.
I could really use your help with this Elf Hunt game I'm stuck on.
I think it has something to do with manipulating JWTs, but I'm a bit lost.
If you help me out, I might share some juicy secrets I've discovered.
Let's just say things around here haven't been exactly... normal.
So, what do ya say? Are you in?
Oh, brilliant! I just know we'll crack this game together.
I can't wait to see what we uncover, and remember, mum's the word!
Thanks a bunch! Keep your eyes open and your ears to the ground.
Piney Sappington gives us the following hint as well:
Unlock the mysteries of JWTs with insights from PortSwigger's JWT Guide.
We start the game and have to throw snowballs at the poor elves. But they are damn fast and a click on the help field reveals that there must be a way to slow them down.
Let's also take a look at https://portswigger.net/web-security/jwt.
So let's analyse the JWT token.
We simply translate the token via https://jwt.io/ or even more simply via https://www.base64decode.org/:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzcGVlZCI6LTUwMH0.
HEADER:ALGORITHM & TOKEN TYPE
{
"alg": "none",
"typ": "JWT"
}
PAYLOAD:DATA
{
"speed": -500
}
Since the header declares "alg": "none" and the server accepts the token without a signature, we can change the payload as we wish, see also https://portswigger.net/web-security/jwt#accepting-tokens-with-no-signature.
We change the payload as follows, base64-encode it again, and replace the token in the browser:
{"speed":-50 }
eyJzcGVlZCI6LTUwIH0=
Complete token (header, modified payload, empty signature):
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzcGVlZCI6LTUwIH0.
The elves are now so slow that catching 75 of them is no longer a problem.
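As an added example (not part of the original writeup or the game), the following Python script decodes the game's token, reproduces the payload swap above, and shows the check a server should run instead: the accepted algorithm is fixed by the verifier, not by the token's header, so an "alg": "none" token is rejected. The HS256 key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# Token handed out by the Elf Hunt game, copied from the writeup above.
GAME_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzcGVlZCI6LTUwMH0."


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Split a token into (header dict, payload dict, raw signature). No verification."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def reencode_payload(token: str, payload_json: str) -> str:
    """Keep header and signature segments, swap in a new payload string.
    Only an endpoint that honours alg "none" will accept the result."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(payload_json.encode())}.{sig_b64}"


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed token (HS256 over header.payload)."""
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes):
    """Server-side check without the game's flaw: the algorithm is pinned here,
    so "none" (or any other alg named in the header) is refused outright."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))
```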
We even get a glimpse of a diary in the game:
Piney Sappington now tells us about the diary:
Well done! You've brilliantly won Elf Hunt! I couldn't be more thrilled. Keep up the fine work, my friend!
What have you found there? The Captain's Journal? Yeah, he comes around a lot. You can find his comms office over at Brass Buoy Port on Steampunk Island.