
Elf Hunt⚓︎

Difficulty:
Direct link: https://elfhunt.org/

Objective⚓︎

Request

Piney Sappington needs a lesson in JSON web tokens. Hack Elf Hunt and score 75 points.

Piney Sappington

Hey there, friend! Piney Sappington here.
You look like someone who's good with puzzles and games.
I could really use your help with this Elf Hunt game I'm stuck on.
I think it has something to do with manipulating JWTs, but I'm a bit lost.
If you help me out, I might share some juicy secrets I've discovered.
Let's just say things around here haven't been exactly... normal.
So, what do ya say? Are you in?
Oh, brilliant! I just know we'll crack this game together.
I can't wait to see what we uncover, and remember, mum's the word!
Thanks a bunch! Keep your eyes open and your ears to the ground.

Hints⚓︎

JWT Secrets Revealed

From: Piney Sappington

Unlock the mysteries of JWTs with insights from PortSwigger's JWT Guide.

Solution⚓︎

In this action shooter game we are tasked with throwing snowballs at cute little elves fluttering across the screen. We must hit 75 of them. Would Santa approve?

The elves are really fast and even change course mid-screen. The best manual tactic is to keep the sights aimed steadily at the top of the screen, move only horizontally, and wait for a careless elf to fly right into the crosshairs.

The second best tactic is to modify the game behavior. Please bear with us:

While the game is running, we note that a cookie for domain elfhunt.org is set:

Name   ElfHunt_JWT
Value  eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzcGVlZCI6LTUwMH0.

The value has the three-segment form of a JWT, but the third segment (the signature) is empty. JWT segments are base64url-encoded; the first part "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0" decodes to

  {"alg":"none","typ":"JWT"}

and the second part "eyJzcGVlZCI6LTUwMH0" to

   {"speed":-500}

Hm. Speed is the problem in this game. Would changing the cookie value influence the game speed?

In the browser's JavaScript console, we enter:

   document.cookie='ElfHunt_JWT=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.'+btoa('{"speed":-100}')+'.'

The JWT header remains untouched, but we set the payload to another speed value; the trailing "." keeps the empty signature segment in place so the token still splits into three parts. "btoa" does base64 encoding. Note that btoa() emits standard base64 with "=" padding rather than the unpadded base64url that JWTs use; the game's parser evidently tolerates this, but a stricter parser would need the trailing "=" stripped (and any "+" or "/" translated to "-" and "_").

This new speed applies when we reload the frame in which the game runs.

Now the elves move much more placidly, and hitting them is easy.

We win...

... click the "game token" and receive "The Captain's Journal".

Why did this work?

The main factor is that the token's header declares "alg":"none", so it carries no signature at all. The game's server accepted this unsigned, client-supplied token and read the speed claim from it, so our modified payload was used without any integrity check. A server that verified signatures with a server-side key and rejected "alg":"none" outright would have discarded the forged token.

Images⚓︎

(screenshot: The Captain's Journal)

Answer

Hitting 75 elves gains us "The Captain's Journal".

Response⚓︎

Piney Sappington

Well done! You've brilliantly won Elf Hunt! I couldn't be more thrilled. Keep up the fine work, my friend!
What have you found there? The Captain's Journal? Yeah, he comes around a lot. You can find his comms office over at Brass Buoy Port on Steampunk Island.