Writeups

Do It Fast

Statement:

It is super easy, go to this [site](link) and get the flag quickly.

Following the link led to a webpage with a login button and the message "Login and get the flag". After logging in, a countdown ran for 10 seconds, and when the countdown was over the page showed "You are too late".

Exploring the server, I found a script and cookie:

Script:

```js
var count = 10;
var element = document.getElementById("counter");

// Function to update the counter
async function updateCounter() {
    while (count > 0) {
        count--;
        element.innerHTML = count;
        await new Promise(resolve => setTimeout(resolve, 1000));
    }
    // Do something after the counter ends
    fetchFlag();
}

function fetchFlag() {
    var requestOptions = {
        method: 'GET',
        redirect: 'follow'
    };

    fetch("/get-flag", requestOptions)
        .then(response => response.text())
        .then(result => {
            let data = JSON.parse(result);
            element.innerHTML = data.flag;
            element.style.border = "0px solid #000000"
            element.style.width = "100%"
        })
        .catch(error => console.log('error', error));
}

// Start the counter
updateCounter();
```

Cookie:

```
Session:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NzUwMTg5NjYsImV4cCI6MTY3NTAxODk2N30.WIukzTYPrrbyJZ0ORFX4v4-HdWLXV-lnADHbtW96Eyc
```

This is a JWT whose payload decodes to:

```json
{
  "iat": 1675018966,
  "exp": 1675018967
}
```

The cookie showed that the login expired within a second of being issued (`exp` is `iat` plus 1), but the script waited for 10 seconds before fetching the flag.
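The mismatch between token lifetime and client-side delay can be checked mechanically. The following is an added example, not part of the challenge or the original writeup: it decodes the cookie quoted above (without verifying the signature) and compares `exp - iat` with the 10-second countdown. The function names are hypothetical and it assumes Node.js for `Buffer`.

```javascript
// Constructed from the Session cookie value quoted in this writeup.
const SESSION_JWT =
  "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9." +
  "eyJpYXQiOjE2NzUwMTg5NjYsImV4cCI6MTY3NTAxODk2N30." +
  "WIukzTYPrrbyJZ0ORFX4v4-HdWLXV-lnADHbtW96Eyc";

// Countdown length taken from `var count = 10` in the page's script.
const CLIENT_DELAY_SECONDS = 10;

// Decode one base64url JWT segment into a parsed JSON object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Split a compact JWT into header and claims.
// Inspection only: the signature segment is not verified here.
function inspectJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  return { header: decodeSegment(parts[0]), claims: decodeSegment(parts[1]) };
}

// Compare the token lifetime with the delay the client adds before its request.
// Per RFC 7519, a token must not be accepted on or after its exp time.
function analyseTiming(token, clientDelaySeconds) {
  const { claims } = inspectJwt(token);
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) {
    throw new Error("token lacks numeric iat/exp claims");
  }
  const requestTime = claims.iat + clientDelaySeconds;
  return {
    lifetimeSeconds: claims.exp - claims.iat,
    requestTime,
    expiredAtRequest: requestTime >= claims.exp,
    secondsPastExpiry: requestTime - claims.exp,
  };
}

console.log(inspectJwt(SESSION_JWT).header);
console.log(analyseTiming(SESSION_JWT, CLIENT_DELAY_SECONDS));
```

With the page's values the token lives for 1 second and the scripted request arrives 9 seconds after expiry, which matches the "You are too late" message.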

I used the browser console to store the script to fetch the flag and, as soon as I logged in, called the function, which fetched the flag before the expiration of the login. This process could also be replicated using Burp Suite; however, I preferred the console method.