CobraKai Dojo (Medium)
You can access this CTF via the repo below. Setup is fairly straightforward. Enjoy!
Flag 1
Enumeration
We discover that a web application is running on port 80.
After loading the homepage, there are a few things that we can immediately note for investigation later on.
The custom JavaScript file /js/app.js
The API endpoint /api/schedule
Before looking into these, we continue to test the application functionality. So we:
Create a user account
Login
Following these steps, we come to a dashboard that says "Senseis can access the administrative interface".
After reviewing the registration request, we see that an extra parameter is passed quietly.
Let's update this to "sensei" instead of "student".
It worked, we can now access the administrative functionality of the site.
Alternative path - Cracking JWT
<writeup coming soon>
Getting a shell
<writeup coming soon>
Last updated