JWT (not) revoked token

RootMe challenge: JWT - Revoked token:

Two endpoints are available:

POST : /web-serveur/ch63/login
GET : /web-serveur/ch63/admin

Gain access to the admin endpoint.


The developer blacklists the full JWT (or a hash of the JWT) instead of revoking the JTI (JWT ID).

Change request method to POST:

Get token for admin:admin:

Use the token to get the flag, adding an = at the end of it so that the string no longer matches the blacklisted one.
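The weakness described above, shown next to a jti-based check, as an added example that is not the challenge's own code. It assumes an HS256 token, a base64url decoder that tolerates padding, and a constructed key, claim names and jti value.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed secret for this example

def b64d(s):
    # Lenient base64url decode: accepts input with or without '=' padding
    s = s.rstrip("=")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue(user, jti):
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"username": user, "jti": jti}).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify(token):
    """Return the claims if the HS256 signature is valid, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        return json.loads(b64d(body))
    except (ValueError, TypeError):
        return None

revoked_tokens = set()  # weak: denylist keyed on the raw token string
revoked_jtis = set()    # fixed: denylist keyed on the signed jti claim

def admin_weak(token):
    # String comparison happens on the encoded form, not on what was signed
    return verify(token) is not None and token not in revoked_tokens

def admin_fixed(token):
    # The jti is inside the signed payload, so re-encoding cannot change it
    claims = verify(token)
    return claims is not None and claims.get("jti") not in revoked_jtis

def demo():
    token = issue("admin", "constructed-jti-0001")
    revoked_tokens.add(token)
    revoked_jtis.add("constructed-jti-0001")
    variant = token + "="  # decodes to the same signature bytes
    return admin_weak(token), admin_weak(variant), admin_fixed(variant)
```

A denylist of token hashes fails the same way, because the padded string hashes to a different value while still verifying.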
