web

PHP Intersity

Punkty: 150
Rozwiązań: 32

I work for a train operator company. Yesterday we've got an anonymous email which stated that there are some security problems with our tickets.

The attacker said that he forged a ticket by exploiting crypto. It's not my domain and I could not understand what's wrong.

I've bought a train ticket from Moscov to Novosibirsk. I've also made a debug endpoint where you can paste the ticket content (base64-encoded QR code contents) in order to check validity. There are also some debug prints there.

Is it possible to somehow forge a ticket with another departure date?

Format flagi: ecsc{litery_cyfry_i_znaki_specjalne}.

Aby wysłać flagę, musisz się zalogować.