Abaga CTF 3/4 – ambakus

This post is part of the Ambaga CTF challenge series, which involves four puzzles to solve, aka hack. The third challenge is the distillery Ambakus. Let's get hacking 🧑‍💻

Welcome to ambakus

If you are wondering what this is all about, check out my previous post on this CTF challenge.

Ambakkus is a new addition to the already saturated online alcohol market. This one has an exclusive vintage only available to premium customers, and we are certain Adminmann is one of them.

Recon

The recon steps are basically the same for all of these challenges, so check out ambakari for the recon. The only new thing here is that we get an expired token that the administrator had.

Spoiler Alert!

I’ve made the following collapsible so you don’t see anything accidentally. If you plan to do the challenge, look away now and come back when you’re done. Or, if you get stuck, you can always take a peek… I won’t tell! 🙊

🔓 My Solutions 🔓

Welcome to ambakus, where we have the same login setup as before. This time the premium wine is only available to premium customers. You guessed it! Adminmann. So we try the same thing as before, but no success. We do get a small hint this time, though: an admin token. It is expired, so when we use it in place of the token we are issued, we get a token expired error.

So we need to make it not expired anymore, maybe we can do the same trick as before (lol ye sure).

So we can try adding the following between the </KeyInfo> and </Signature> like before

XML
<Conditions NotBefore="2025-09-10T15:10:00.000000" NotOnOrAfter="2029-09-10T15:35:00.000000"><Audience>ambakkus.is</Audience></Conditions>

We get a 500 error, so new plan. Surely there would be two CTFs in a row based on a Signature Wrapping (SW) vulnerability?

Well… Though we can’t use <Conditions> directly in the <Signature> tag, we can use <Object></Object>, and we just need it to be read first, as they are not checking for this vulnerability. So we can put the <Conditions> in the <Object> and try sending that, right?

Another 500 error….

So here is the final thing that I just learned… The object will inherit the xmlns="http://www.w3.org/2000/09/xmldsig#" from the Signature tag, which causes a fuss, BUT if you set xmlns="" you reset it to blank, which is fine. So we just add that to our changes and send that in.

XML
...
<Object xmlns=""><Conditions NotBefore="2025-09-10T15:10:00.000000" NotOnOrAfter="2029-09-10T15:35:00.000000"><Audience>ambakkus.is</Audience></Conditions></Object>
...

We did it, we are in! 🍾 ⛳️ ✅
Just look at the flag bottle and our flag that we can use to mark the challenge as completed. If you want to see it yourself you will just have to do the challenge 😉
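
Why the empty-namespace `<Object>` gets read first, and what a consumer-side check that rejects it looks like, as an added example that is not part of the original challenge or its code. The token layout (`Token` root, dates, audience) is constructed for illustration, and signature verification itself is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample token: layout, dates and audience are assumptions,
# not the challenge's real token.
GENUINE = (
    "<Token>"
    f'<Signature xmlns="{DSIG}"><SignedInfo/><KeyInfo/></Signature>'
    '<Conditions NotOnOrAfter="2020-01-01T00:00:00">'
    "<Audience>example.test</Audience></Conditions>"
    "</Token>"
)
# Same token with an un-namespaced <Object> appended inside <Signature>.
WRAPPED = GENUINE.replace(
    "</Signature>",
    '<Object xmlns=""><Conditions NotOnOrAfter="2029-01-01T00:00:00"/>'
    "</Object></Signature>",
)


def naive_expiry(xml_text):
    """Weak: takes the first un-namespaced Conditions in document order."""
    root = ET.fromstring(xml_text)
    return next(root.iter("Conditions")).get("NotOnOrAfter")


def strict_expiry(xml_text):
    """Hardened: Signature may hold only known children, and exactly one
    Conditions may exist, as a direct child of the root."""
    root = ET.fromstring(xml_text)
    allowed = {f"{{{DSIG}}}{n}" for n in ("SignedInfo", "SignatureValue", "KeyInfo")}
    for sig in root.iter(f"{{{DSIG}}}Signature"):
        for child in sig:
            if child.tag not in allowed:
                raise ValueError(f"unexpected element in Signature: {child.tag}")
    direct = root.findall("Conditions")
    # Compare local names so a Conditions in any namespace is counted.
    everywhere = [e for e in root.iter() if e.tag.rpartition("}")[2] == "Conditions"]
    if len(direct) != 1 or len(everywhere) != 1:
        raise ValueError("Conditions must appear exactly once, under the root")
    return direct[0].get("NotOnOrAfter")


if __name__ == "__main__":
    print(naive_expiry(GENUINE), naive_expiry(WRAPPED))
    print(strict_expiry(GENUINE))
    try:
        strict_expiry(WRAPPED)
    except ValueError as exc:
        print("rejected:", exc)
```

The strict check complements signature verification rather than replacing it: the expiry must also be read from the element that the signature's reference actually covers.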