Room Link: TryHeartMe
upon visiting the website we can see that there are 4 products and we can notice here that there is login and signup options as well,
so let’s sign up.
after signing up we will click on some product.
here our role says user so we can assume that to buy the hidden product we have to change our role to someone else.
let’s intercept this with burpsuite and check what request it is sending to the website.
here we can see there is a JWT token i.e Json Web Token so were definitely correct about the role changing guess.
even on the home page we can see there is JWT so let’s see what it decode to.
so here in cyberchef we can see this JWT says our role is user so we have to change it to admin.
but the JWT tokens are signed by a secret key, so let’s see what is the secret key here.
here we didn’t have to do much as there was hint in the theme that the secret key could be valentine and yes it was.
here you can see we can see the ValenFlag product which is only accessible by staff.
while clicking on the product it will show you error as you token will reset again so just intercept every click and change the token and you can proceed further easily.
here you can see our role is changed to admin.
and click on Buy and repeat the same procedure and you will find the flag.