WayWitch
Hidden in the shadows, a coven of witches communicates through arcane tokens, their messages cloaked in layers of dark enchantments....
Looking at the code
The code uses the Node.js framework and has this kind of file structure:
util.js
Contains utility functions shared across the application.
Example tasks:
File system operations.
Generating or validating tokens.
Parsing data or configurations.
Src/
The folder that contains the core logic and request handling of the web server.
Database.js
Implements the database connection and sets up the tables according to the defined schema.
We can see there is some kind of ticketing system going on, which may be used to authenticate users. We also see that these tickets are made of id, name, username and content.
The challenge description also said to craft the ticket.
Index.js
The application’s main entry point.
Sets up:
Express server.
Middleware (e.g., for serving static files or handling requests).
Routes (from routes/index.js).
There is also a package.json file that defines which scripts to run.
Routes/
Contains route definitions (index.js). Responsible for:
Handling HTTP requests.
Sending responses (e.g., rendering views or returning JSON data).
The router is defined with caseSensitive: true, meaning a request path must match the route's exact spelling and case. Now looking at the routes themselves:
1. GET /tickets
Purpose: Fetches all tickets, restricted to admin users.
Workflow:
Checks for Session Token: Retrieves the session_token from cookies. If missing, returns a 401 Unauthorized status.
Validates the Token: Decodes the session_token using getUsernameFromToken. If invalid, returns a 400 Bad Request with the error message.
Checks Admin Privileges: If the username is not "admin", returns 403 Forbidden.
Fetches Tickets: Calls db.get_tickets() to retrieve all tickets. If successful, returns a 200 OK with the tickets as a JSON object. On failure, returns 500 Internal Server Error.
2. POST /submit-ticket
Purpose: Allows authenticated users to submit a new ticket.
Workflow:
Checks for Session Token: Retrieves session_token from cookies. If missing, returns 401 Unauthorized.
Validates the Token: Decodes the session_token using getUsernameFromToken. If invalid, returns 400 Bad Request with the error message.
Validates Request Body: Extracts name and description from the request body. If either is missing, returns 400 Bad Request.
Adds a Ticket: Calls db.add_ticket(name, username, description) to insert the ticket into the database. If successful, returns 200 OK with a success message. On failure, returns 500 Internal Server Error.
Browsing the application
We have looked at the code and now know how the app works, so let's test the theory:
We control the name and description from the client side, and also:
To get the flag from the admin description, as seen above in the code, we craft a session token whose username is "admin" (GET /tickets returns 403 for anyone else). We need the JWT secret for that, which is hardcoded in the utils.js file.
Then we craft the token:
and get the cookie: