grades_grades_grades

Challenge Description

Challenge Attachment

Click on sign up to register a new user.

Taking a look at the source, we find the flag route among the routes; it is located at /grades_flag.

But for some reason it says invalid token.

Let's decode the token and view the source code to find out what the token needs in order to view the flag.

Let's decode it.

If we take a look at the /grades_flag route, we can see that it checks whether the teacher role is true.

And if we look at how the token is generated after signing up, we see that a property called is_teacher is set to false by default when no value is given. That makes the is_teacher_role() function return false, so the /grades_flag route doesn't show the flag, because it requires the user to be a teacher, not a student.

So what we have to do is add the property is_teacher ourselves when signing up and set it to true so that it is added to the token. First, let's intercept the sign up request.

Now let's add is_teacher=true.

Copy the token returned in the response and decode it to check that the property was added successfully.

So let's use this token.

Refresh the page and boom, we have got the flag.
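The root cause is mass assignment: every sign-up field ends up as a signed claim, so a valid signature says nothing about who chose the role. The sketch below is an added example, not the challenge's source; it uses an HMAC-signed token as a stand-in for the real one, and the field names username and email, the key and the function names other than is_teacher_role() are assumptions. It puts the vulnerable pattern next to an allowlisted sign-up.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"          # constructed value, not from the challenge
ALLOWED_SIGNUP_FIELDS = {"username", "email"}  # hypothetical field names

def sign(claims: dict) -> str:
    # Serialize the claims and append an HMAC-SHA256 tag (stand-in for a JWT).
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def verify(token: str) -> dict:
    # Return the claims only if the tag matches; raise ValueError otherwise.
    body, _, tag = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

def signup_vulnerable(form: dict) -> str:
    # Every submitted field becomes a claim; is_teacher only defaults to
    # false when the client leaves it out, as described in the write-up.
    claims = {k: v for k, v in form.items() if k != "password"}
    claims.setdefault("is_teacher", "false")
    return sign(claims)

def signup_hardened(form: dict) -> str:
    # Copy allowlisted fields only; the role is set by the server and is
    # never read from the request.
    claims = {k: form[k] for k in ALLOWED_SIGNUP_FIELDS if k in form}
    claims["is_teacher"] = "false"
    return sign(claims)

def is_teacher_role(token: str) -> bool:
    # Authorization check for the protected route: valid tag and teacher claim.
    try:
        return str(verify(token).get("is_teacher")).lower() == "true"
    except ValueError:
        return False

# Constructed sign-up form carrying the extra field from the write-up.
FORM = {"username": "alice", "email": "a@example.test",
        "password": "pw", "is_teacher": "true"}

if __name__ == "__main__":
    print("vulnerable:", is_teacher_role(signup_vulnerable(FORM)))
    print("hardened:  ", is_teacher_role(signup_hardened(FORM)))
```

Roles that must change after registration belong in server-side state updated through an authenticated admin path, not in client-supplied sign-up data.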

Flag

DUCTF{Y0u_Kn0W_M4Ss_A5s1GnM3Nt_c890ne89c3}
