SecurityBoat posted the following CTF challenge on their Twitter account.
The challenge was to get to the admin dashboard and retrieve the flag. Initial credentials were provided on the login screen.
Upon logging in, we see two cookies being returned from the server: auth and pubkey.
The auth cookie is clearly a JWT, so we can use a tool like jwt.io to inspect its contents. Notably, the token is signed with RS256 (an asymmetric RSA signature, not encryption) and carries a role field in its payload.
Upon logging in, we are redirected to http://ctf.securityboat.in:4000/jwt/user/home.php.
With all that said, our likely attack methodology is the following:
- Replace the user value with admin in the role field of the token,
- Find a way to sign the token,
- Using the token, navigate to http://ctf.securityboat.in:4000/jwt/admin/home.php
Since we know the public key used to verify the RS256 signature, we can attempt an algorithm confusion attack. This attack abuses a backend that trusts the alg field of the token header and hands the same key material to whichever algorithm the token names: we replace RS256 with HS256 and use the exposed public key as the HMAC secret, so the server checks our symmetric signature with the very key it treats as public. We can use jwt.io to modify the necessary fields (role and alg) and sign the token with JWT_Tool.
The command to do so looks like the following:
python3 jwt_tool.py INSERT_MODIFIED_TOKEN_HERE -S hs256 -k public_key.pem
...where public_key.pem is the file that contains the RSA public key returned from the server in the pubkey cookie during initial login. Make sure to URL-decode the key before saving, and keep it byte-for-byte as the server sent it (including line endings): the HMAC is computed over the raw key bytes, so any difference produces a signature the server will not accept.
After JWT_Tool returns the tampered token, we can use Chrome's developer tools to replace the auth cookie within the current session.
After navigating to http://ctf.securityboat.in:4000/jwt/admin/user.php, we get the flag.