📋 Challenge Description
You've intercepted a JSON Web Token (JWT) from a web application. The token contains encoded user information and is signed with a secret key. Your task is to decode the JWT, understand its structure, and find the hidden flag in the payload.
Objective: Decode the JWT and extract the flag from the payload.
🎫 Intercepted JWT Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW5pc3RyYXRvciIsImZsYWciOiJDVEZ7and0X2QzYzBkMW5nX200c3Qzcn0iLCJpYXQiOjE3MDk1NTYwMDAsImV4cCI6MTcwOTY0MjQwMH0.xvZ8qYpL3K9mN2jH5fT7wR4sA6bC8dE1gF3hI9jK0lM
📖 JWT Structure Information:
JWT Format: header.payload.signature
Encoding: Each part is Base64URL encoded
Header: Contains algorithm and token type
Payload: Contains claims (user data, expiration, custom data)
Signature: HMAC signature to verify token integrity
💡 Decoding Hints:
1. Base64 Decode: JWT uses Base64URL encoding. Decode each part separately.
2. Three Parts: Split the token by "." to get header, payload, and signature.
3. JSON Parse: After Base64 decoding, parse the JSON to see the data.
4. Flag Location: The flag is hidden in the payload as a custom claim.
5. Easy Method: Click "Decode JWT" button or use jwt.io online tool.
6. Ask a Chatbot: "Help me decode this JWT token" and paste the token.
Flag Format: CTF{...}
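The decoding steps from the hints above (split on ".", restore the Base64URL padding, decode each part, parse the JSON), together with an HS256 check that shows decoding a JWT is not the same as verifying it. This is an added example, not code from the challenge page; the signing key and claims used for the verifier are constructed for illustration, and the challenge token's real key is not known.

```python
import base64
import hashlib
import hmac
import json

# The intercepted token from the challenge page, split across lines for readability.
CHALLENGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW5pc3RyYXRvciIsImZsYWciOiJDVEZ7and0X2QzYzBkMW5n"
    "X200c3Qzcn0iLCJpYXQiOjE3MDk1NTYwMDAsImV4cCI6MTcwOTY0MjQwMH0."
    "xvZ8qYpL3K9mN2jH5fT7wR4sA6bC8dE1gF3hI9jK0lM"
)


def b64url_decode(part: str) -> bytes:
    """JWT parts are Base64URL without '=' padding; add it back before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Parse header and payload. This only decodes; it does NOT verify the signature."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),  # raw HMAC bytes, 32 for HS256
    }


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build an HS256 token with a constructed key (for demonstrating the verifier)."""
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    parsed = decode_jwt(CHALLENGE_TOKEN)
    print(parsed["header"])
    print(parsed["payload"])
```

Because the payload is only encoded, not encrypted, anything placed in it is readable by whoever holds the token; the signature protects integrity, not confidentiality.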