This challenge isnt supposed to be easy LOL
The amount of time i invested into figuring this out is disgusting...
So basically there is a jwt age check... you can generate tokens with an endpoint. If your token is 18+ years old you can access the flag..
The whole trick was to set different accept langs in the header with different time/date formatting... en-US has a month first pattern: M/d/yy and japanese or ja: y/MM/dd which tricks the check into thinking the "token" or your age is like 2k+ years old lol
Such a simple exploit but was incredibly hard to figure out! beautiful challenge.
The amount of time i invested into figuring this out is disgusting...
So basically there is a jwt age check... you can generate tokens with an endpoint. If your token is 18+ years old you can access the flag..
The whole trick was to set different accept langs in the header with different time/date formatting... en-US has a month first pattern: M/d/yy and japanese or ja: y/MM/dd which tricks the check into thinking the "token" or your age is like 2k+ years old lol
Such a simple exploit but was incredibly hard to figure out! beautiful challenge.
