# LAB - JWT Token Manipulation

In this lab environment, you will have GUI access to a Debian machine. An application named **Playme** is available on the Android Emulator.

**Objective:** Manipulate the JWT token to impersonate an admin and retrieve the flag.

The regular user credentials for the **Playme** app are:

* **Username:** alice
* **Password:** Qwerty\@1234567

> **Note:** You can start the emulator using the script located on the Desktop. Additionally, check the **/root/Tools** directory for available tools.

***

<figure><img src="/files/ljgqjWRiYNYO1r1xblAQ" alt=""><figcaption></figcaption></figure>

After execute the app, we can see a login panel. Set credentials here -->

<figure><img src="/files/TcbDwotyqIgLcPpfunq6" alt=""><figcaption></figcaption></figure>

Now, with it, configurate local proxy and burpproxy -\_>

```
## View us IP 
hostname -I
## Set local proxy
adb shell settings put global http_proxy <host-ip>:8080
```

<figure><img src="/files/3uq9Xosvw35U5xcFRDDZ" alt=""><figcaption></figcaption></figure>

With it do, intercept the login peticion -->

<figure><img src="/files/KhnCxksbgTO0nSqfbaI7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/CZisqZ7VSxN7mHo748Tl" alt=""><figcaption></figcaption></figure>

We can get a login token, and we can see three points so... copy and put in into jwio -\_>

<figure><img src="/files/mHgMy3zdz1bGnl0iw6u2" alt=""><figcaption></figcaption></figure>

Know it, we can decode of base64 the content "white selection" and manipulate it. For example, change the role to admin -->

<figure><img src="/files/NbwgJEoCQjDzzsmtg0O2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LjsktmlhlROvUpULCaav" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ohoN384SzfwtsBfn2S0G" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/d9ncIfOQ5FacpDsMiLL8" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://eldeim.gitbook.io/brain_fuck/notes/certifications/eastereggs/ine-emapt/android-dynamic-testing/labs-api/lab-jwt-token-manipulation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.