The Devil Never Sleeps

If you put the devil to sleep, you will get the flag successfully. Unfortunately, the devil never sleeps. But what if you use some sleeping pills?

http://194.5.207.57:8080

访问题目链接

To get sleeping pills, navigate to /sleepingpill. To get the flag, navigate to /flag.

访问/sleepingpill得到JWT和Public Key,保存至pub.key

访问/flag

{
   "msg": "Missing Pill Header"
}

加上Pill试试,可以看到是一个标准的JWT格式

{
    "msg": "Missing 'Bearer' type in 'Pill' header. Expected 'Pill: Bearer <JWT>'"
}

在jwt.io上解析一下JWT

使用RsaCtfTool生成私钥,保存至private.pem

python RsaCtfTool.py --publickey ./key.pub --private

修改payload中的sleep为true和exp为9999999999,生成JWT Token并请求/flag

代码:

import jwt

with open('private.pem','r') as f:
    secret = f.read()
print(secret)

dic = {
    "fresh": False,
    "iat": 1631241476,
    "jti": "4b30d7a8-256f-405e-9640-4278728a8602",
    "type": "access",
    "sub": "devil",
    "nbf": 1631241476,
    "exp": 9999999999,
    "sleep": "true",
    "danger": "true"
}
headers = {
    "typ": "JWT",
    "alg": "RS256"
}
token = jwt.encode(dic, secret, headers=headers, algorithm='RS256')
print(token)

flag:TMUCTF{0h_51nn3rm4n_Wh3r3_Y0u_60nn4_Run_70?}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The_Devil_Never_Sleeps.md

The_Devil_Never_Sleeps.md

The Devil Never Sleeps

Files

The_Devil_Never_Sleeps.md

Latest commit

History

The_Devil_Never_Sleeps.md

File metadata and controls

The Devil Never Sleeps