# TryHackMe TryHeartMe—Writeup
Welcome back to another part of the Valentine's special CTF series of TryHackMe, TryHeartMe. No drama, let's start.
Let's visit the website as always since this is a web category challenge:
Oh, a Valentine's shop, let's register and try to buy something for nothing.
After completing the registration process, we were redirected back to the main dashboard, now authenticated with a valid account.
As you can see, our credits is 0, so we can't buy anything.
As I inspect the page, I noticed this **JWT** token that looks interesting:
Next thing I did is to decode it using my own decoder for **JWT** (Will release the source code of this in the future hehe).
Upon inspecting the authentication mechanism, it was observed that the application stored sensitive fields, specifically the user **role** and **credit balance,** directly inside the JSON Web Token (JWT).
This design choice indicates that the application relies on the token’s payload to determine both authorization level and available credits. In other words, access control and balance-related decisions are derived entirely from data supplied by the client through the JWT.
Since JWTs are issued to the client and included with every request, this places a significant amount of trust on client-controlled data rather than enforcing these checks server-side.
JWTs are readable by default. If the application does not properly validate the token’s signature or allows weak configurations, an attacker may alter the payload to escalate their role or inflate their credit balance.
What we can do is to change the role to **admin** and credits to **9999999999**:
With the forged token prepared, we injected it into the browser’s cookie storage and refreshed the page to apply the changes.
Observe the updated credit balance, and an additional item now visible. This item appears to be restricted to administrative accounts. Since the role was forged to `admin`, the account gained access to content that would otherwise be unavailable.
So it's the flag I guess, since we have unlimited credits, we can buy it!
After purchasing the Valenflag, we've got the flag!
This challenge ends not with complexity, but with misplaced trust. The application handed its most critical decisions, identity, authority, and value to a token never meant to carry that weight. By relying on JWTs as a source of truth rather than a proof of identity, the system quietly surrendered control to the client. No brute force. No exploit chain. Just a broken assumption. JWTs are powerful when treated correctly. When they aren’t, they don’t fail loudly, they fail silently, leaking privilege and trust one field at a time. And in the end, the flag wasn’t earned by breaking encryption, but by exposing a system that trusted too much… and verified too little.
.png?alt=media&token=a40a18a2-31ff-4cb2-8337-cbd44689b113)
.png?alt=media&token=746c743b-4574-4f46-8661-e7b029f112b0)
.png?alt=media&token=5a33b94c-b632-46d0-8f95-56f70e6bc339)
.png?alt=media&token=96ec3ace-f295-45e3-ab1b-e0517ba85b22)
.png?alt=media&token=f718f7af-e609-40c5-86a9-38bd0f0aa183)
.png?alt=media&token=f198f3f3-8868-4f1d-927b-9e98332072b7)
.png?alt=media&token=ed201793-f91b-4dda-a0ae-1236e2a19370)
.png?alt=media&token=27c4e58f-d568-4d79-8cad-27882b9e8c46)
.png?alt=media&token=6d9f8be3-21f0-40c7-b9f5-86cbb3181c78)