Try Heart Me

1 minute read

🌐 Love at First Breach 2026 - TryHeartMe

| Category | Author |
|---|---|
| 🌐 Web | TryHackMe |

Challenge Prompt

My Dearest Hacker,

The TryHeartMe shop is open for business. Can you find a way to purchase the hidden "Valenflag" item?
You can access the web app here: http://MACHINE_IP:5000

Problem Type

  • JSON Web Token (JWT)

Solve

When we visit the website, we are presented with the TryHeartMe Valentines Shop. Four items are displayed, but none of them is the ValenFlag item we want.

When we try to make a purchase, it tells us we must sign up first, so let's start with that. Click the Sign Up button and put in an email and password. I used a@a.com and password.

We start off with 0 credits, so let's jump into Burp Suite to see if we can modify our credits.
If we turn on FoxyProxy in Firefox and intercept a reload of the page, we can see our session cookie, tryheartme_jwt, which is a JSON Web Token (JWT).

Our base64url-encoded token is: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImFAYS5jb20iLCJyb2xlIjoidXNlciIsImNyZWRpdHMiOjAsImlhdCI6MTc3MTEyMTI3NCwidGhlbWUiOiJ2YWxlbnRpbmUifQ.3Vo7afsoEFai85jrVsUyURwkL95NNVtzal2ROXhu140

If we paste that into jwt.io, we can use the decoder to see what is hidden in the token. We see that our role is user and our credits are 0.

Let's use the encoder function to make us an admin and set our credits to 9999.

Then we can use the copy button to copy our token and go back to our page. If we press F12 to open the Developer Tools, we can go to Storage (1), expand Cookies (2), and paste our new JWT into the Value box (3).

Then we reload the page, and now we have the ValenFlag available for 777 credits. Lucky us, we have 9999.

If we click on the ValenFlag and click Buy, we are presented with the flag on the next screen!
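The shop accepted a token that was re-signed in jwt.io without its secret, so its signature check is either missing or ineffective. As an added example (not code from the writeup or the challenge), the script below decodes the captured token the way jwt.io's decoder does, rebuilds it with edited claims, and shows how a server-side HS256 verifier that pins the algorithm and recomputes the MAC would reject the edited token. The server secret is a constructed stand-in; the real key is not known.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Token captured from the tryheartme_jwt cookie in the writeup above.
CAPTURED_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJlbWFpbCI6ImFAYS5jb20iLCJyb2xlIjoidXNlciIsImNyZWRpdHMiOjAsImlhdCI6MTc3MTEyMTI3NCwidGhlbWUiOiJ2YWxlbnRpbmUifQ."
    "3Vo7afsoEFai85jrVsUyURwkL95NNVtzal2ROXhu140"
)
# Constructed stand-in for the shop's signing key (assumption: the real key is unknown).
SERVER_SECRET = b"example-only-server-secret"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_json(obj: dict) -> str:
    """Compact JSON, base64url-encoded without padding (the JWT wire form)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token: str) -> dict:
    """What jwt.io's decoder shows: the payload is only encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

def resign_with_claims(token: str, changes: dict, secret: bytes, alg: str = "HS256") -> str:
    """Rebuild a token with edited claims (the jwt.io encoder step); used to exercise the verifier."""
    payload = {**decode_unverified(token), **changes}
    signing_input = f"{b64url_json({'alg': alg, 'typ': 'JWT'})}.{b64url_json(payload)}"
    if alg == "none":
        return signing_input + "."  # unsigned token: the verifier must refuse this
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check before trusting role/credits: pin the algorithm,
    recompute the MAC with the server key, compare in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # rejects "none" and any client-chosen algorithm
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # signature does not match: claims must not be trusted
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
```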