# LKS SMK TELKOM MAKASSAR 2025 CYBER SECURITY: THE FINAL COMPETITION WRITE-UPS

Welcome to my LKS SMK TELKOM MAKASSAR 2025 CYBER SECURITY: THE FINAL COMPETITION write-ups. This was the last internal CTF event organized by my school to qualify for LKSN 2025. The categories in this CTF were mainly web exploitation, with some cryptography and miscellaneous challenges.

## Table of Contents

1. Web Exploitation
   a. Extremely Difficult Challenge
   b. Internal Proxy Service..
   c. Token

## 1. Web Exploitation

### a. Extremely Difficult Challenge

![Challenge Page](https://hackmd.io/_uploads/BJ8Uma6ylg.png)

This was a sanity challenge. It said that we needed to find the "hidden" flag around the website. Well, if you paid close attention to the description details, there was a word that ended with a curly bracket. Suspicious? Well, it turned out to be correct: that was the flag. Remember, this was a sanity challenge, so don't overthink it.

Flag: LKS{very_hidden_and_hard_to_find}

### b. Internal Proxy Service..

![Challenge Page](https://hackmd.io/_uploads/HyIflLAyee.png)

This was a web exploitation challenge about an *endpoint*. The description said that the challenge website had only one main *endpoint*, which was "/fetch?url=". It also mentioned that you only have to enter the correct *url*, and the website service will then go out and grab the provided content for you. I opened the given website in the BurpSuite Chromium browser and turned intercept on to analyze the traffic more conveniently.

![Step 1 (Observing the Website Page)](https://hackmd.io/_uploads/ByCKZUA1lx.png)

There was a hint that read like this:

```
Hint: Our UniProxy service fetches external data via /fetch?url=... Check the service's own internal status endpoint for the operational flag.
```

Noting the word *endpoint*, I did a little research about *HTTP Request Methods* on Google to see which request methods this website allowed before digging deeper.
![Step 2 (Researching a Reference)](https://hackmd.io/_uploads/Syg9QLA1gx.png)

According to *https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/HTTP-methods*, these are some *HTTP Request Methods* that are often used in building a website with a *RESTful API*. With that in mind, I went to BurpSuite and made a small modification to the traffic that I had sent to the Repeater.

![Step 3 (Trying Various HTTP Request Methods)](https://hackmd.io/_uploads/ByjU48CJle.png)

I typed the "OPTIONS" request, and as you can see in the response section, there was a line that said:

```
Allow: OPTIONS, GET, HEAD
```

What did it mean? It meant that the only allowed requests were OPTIONS, GET, and HEAD. Any other request method was not allowed and only resulted in an error.

I tried every possible *endpoint*, but luck was not on my side. On the verge of moving on to another challenge, I did one last bit of research; it was either go big or go home.

![Step 4 (status Endpoint)](https://hackmd.io/_uploads/rJD5OLR1ge.png)

Here's the thing: I literally just typed "status endpoint" on Google and ended up finding this. Guess it was luck, after all. I entered that "status" *endpoint* in BurpSuite with the *HTTP request* method "GET", and finally got the flag.

![Step 5 (Final Flag)](https://hackmd.io/_uploads/B1gjtICyle.png)

Flag: LKS{kerenbangetgktaujgainiflagnyaapalagiPUSING}

### c. Token

![Challenge Page](https://hackmd.io/_uploads/Skffi8CJgg.jpg)

This challenge gave us vulnerable websites that used *JavaScript*. The hint also said that the content type must be *JSON*. Without wasting any more time, I opened both websites in the BurpSuite Chromium browser and analyzed their traffic.

![Step 1.1 (Observing the Website Page)](https://hackmd.io/_uploads/HJz5a801eg.png)

Using the provided credentials above, I modified the traffic a little in BurpSuite Repeater so that it sent the correct credentials in order to get the token.
![Step 2 (Obtaining the Token)](https://hackmd.io/_uploads/rkGWC8Cyeg.png)

I obtained the token using the provided credentials. After obtaining the token, I modified the traffic a little again so that it authorized the token. But instead of the flag, I got this response (no picture provided, I forgot to screenshot it):

```
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 132
ETag: W/"84-FPvHMdga5PUydscIA+zJ13/zc9Q"
Date: Tue, 29 Apr 2025 06:56:07 GMT
Connection: keep-alive
Keep-Alive: timeout=5

{"message":"Your token is valid, but that's not the point of this challenge! Try exploiting the algorithm confusion vulnerability."}
```

Algorithm confusion? What's that? I asked *ChatGPT* to help me understand what *Algorithm Confusion* means in *JWT*.

![Step 3 (Knowing What Algorithm Confusion Was)](https://hackmd.io/_uploads/Sk0N1PCyxx.png)

![Step 3.2 (Knowing What Algorithm Confusion Was)](https://hackmd.io/_uploads/B1SqJvC1ll.png)

That *"username": "admin"* caught my attention. So I entered it in my modified traffic to see whether it would work. It turned out that it did, and I got half of the flag, as shown below.

![Step 4 (Half Flag)](https://hackmd.io/_uploads/BkumgwAkxl.png)

Part 1 done, time to move on to Part 2.

![Step 1.2 (Observing the Website Page)](https://hackmd.io/_uploads/HkUBeDA1le.png)

For Part 2, you just have to repeat everything you did in Part 1 to get the remaining flag. After using the same methods as in the first part, I got the remaining flag and merged the two parts to form the final flag.

![Step 5 (Final Flag)](https://hackmd.io/_uploads/HJSTgv0Jeg.png)

All credit to *ChatGPT* for this challenge. I tried searching every website that might help me, but it turned out I found nothing helpful. Thankfully, *ChatGPT* delivered the explanations I wanted, completely and precisely.
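Algorithm confusion arises when a verifier lets the token's own `alg` header decide how the signature is checked. The sketch below is an added example, not code from the challenge or from the original write-up: a Node.js HS256 verifier that pins the algorithm on the server side, using a constructed key and constructed tokens; `issue`, `verifyPinned` and `outcome` are illustrative names.

```javascript
// Added example: constructed key and tokens, not the challenge's code.
const crypto = require('node:crypto');

const PINNED_ALG = 'HS256';             // chosen by the server, never by the token
const SECRET = crypto.randomBytes(32);  // constructed key; RFC 7518 asks for >= 256 bits with HS256
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
const mac = (data, key) => crypto.createHmac('sha256', key).update(data).digest();

// Demo issuer: the caller may set the header so mismatching tokens can be built for testing.
function issue(payload, header = { alg: PINNED_ALG, typ: 'JWT' }, key = SECRET) {
  const body = `${enc(header)}.${enc(payload)}`;
  return `${body}.${mac(body, key).toString('base64url')}`;
}

// Hardened verifier: the header's alg is only compared against the pinned value;
// it never selects the code path or the key.
function verifyPinned(token, key = SECRET) {
  if (key.length < 32) throw new Error('key too short for HS256');
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  let header;
  try { header = dec(h); } catch { throw new Error('bad header'); }
  if (header?.alg !== PINNED_ALG) throw new Error(`alg ${header?.alg} not accepted`);
  const expected = mac(`${h}.${p}`, key);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  return dec(p);                        // claims are read only after the signature checks out
}

// Verified username, or the rejection reason, for one token.
function outcome(token, key = SECRET) {
  try { return `ok:${verifyPinned(token, key).username}`; }
  catch (e) { return `rejected:${e.message}`; }
}

const valid = issue({ username: 'user' });
const [hdr, , sig] = valid.split('.');
console.log(outcome(valid));                                          // ok:user
console.log(outcome(issue({ username: 'admin' }, { alg: 'none' })));  // rejected:alg none not accepted
console.log(outcome(`${hdr}.${enc({ username: 'admin' })}.${sig}`));  // rejected:bad signature
console.log(outcome(valid, Buffer.from('secret')));                   // rejected:key too short for HS256
```

The last case ties to the "weak secrets" wording in the flag: a short or guessable HMAC key undermines the signature even when the algorithm is pinned.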
Flag: LKS{jwt_c4n_b3_tr1cky_b3w4r3_0f_w34k_s3cr3ts!}

# Looks like this is the end of a journey for me in this school LKS competition.

No matter the outcome, whether I passed or not, I learned a lot from this. I still need more improvement in order to do better next time. I want to congratulate whoever passed this school LKS competition and will represent our school proudly at the upcoming LKSN. I would also like to express my truly heartfelt gratitude to those who rooted and cheered for me in this competition, even if I still can't give you the outcome that you wanted from me.

Regards,
Cpt. Moriarty (Ibrahim Fawwaz),
LKS SMK TELKOM MAKASSAR 2025,
Makassar, Indonesia.
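Looking back at challenge b: the hint describes a proxy that fetches whatever `url` names while an internal status endpoint lives on the same service. One way a service of that shape can screen the parameter before fetching, as an added JavaScript example that is not part of the challenge or the original write-up; the function name, blocked names and address ranges are assumptions of this sketch.

```javascript
// Added example: a constructed screening policy for a /fetch?url= style proxy,
// not the challenge's code. Names and ranges below are this example's assumptions.
const BLOCKED_NAMES = new Set(['localhost', 'localhost.localdomain']);
const BLOCKED_V4 = [                    // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

const toInt = (ip) => ip.split('.').reduce((n, octet) => n * 256 + Number(octet), 0);
const inCidr = (ip, [net, bits]) => {
  const size = 2 ** (32 - bits);        // addresses per block of this prefix length
  return Math.floor(toInt(ip) / size) === Math.floor(toInt(net) / size);
};

// Returns { ok: true, url } or { ok: false, reason } for a user-supplied url value.
function screenFetchTarget(raw) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (u.username || u.password) return { ok: false, reason: 'userinfo' };
  // Check the parser's canonical hostname, not the raw string: the WHATWG parser
  // rewrites alternative IPv4 spellings into a plain dotted quad.
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  if (host.startsWith('[')) return { ok: false, reason: 'ipv6-literal' };  // policy: none allowed
  if (BLOCKED_NAMES.has(host) || host.endsWith('.localhost')) {
    return { ok: false, reason: 'internal-name' };
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && BLOCKED_V4.some((c) => inCidr(host, c))) {
    return { ok: false, reason: 'internal-address' };
  }
  return { ok: true, url: u.href };
}

// Constructed inputs, screened before any outbound request would be made.
for (const raw of ['https://example.com/data.json', 'http://127.0.0.1/status',
  'http://2130706433/status', 'http://localhost:8080/status', 'ftp://example.com/file']) {
  console.log(raw, '->', JSON.stringify(screenFetchTarget(raw)));
}
```

Hostname screening alone does not cover DNS names that resolve to internal addresses or redirects that lead there, so a real proxy should also check the address it actually connects to and re-screen every redirect hop.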