Description: A previous Root Me administrator is trying to replicate the website after being banned for sharing challenge solutions. Try to find out if he is hiding any other flags on his new website.
Web-View
I had difficulty locating the buttons on this website.
Upon inspecting the page’s source code, I discovered several endpoints that looked interesting:
/admin
static/challs/htmllecture.html
static/challs/irc.html
static/challs/obfu6.html
static/https://www.youtube.com/watch?v=ZYrmrflWBmY
static/challs/samboxv5.html
/admin
Upon accessing the ‘admin’ endpoint at http://challenge01.root-me.org:59081/admin, I encountered an ‘Unauthorized’ error:
{"Unauthorized":"You are not admin !"}
Burp
I intercepted the request with Burp in order to uncover more information.
It became apparent that authentication relies on JWTs (JSON Web Tokens).
To understand the token better, I looked it up on jwt.io, which provides helpful visualizations and explanations.
JWT.IO
Inspecting the JWT on jwt.io showed that it uses the HS256 (HMAC-SHA256) algorithm and carries a “kid” (Key ID) header parameter.
The “kid” (Key ID) header parameter is a string that identifies the key used to sign the JWT.
If you’re interested in delving deeper into attacks involving the “kid” parameter in JWTs, you can find more information here: kid-parameter
Afterwards, I modified the JWT, signing it with a chosen secret key, and tested the “kid” header for injection issues such as SQL injection and OS command injection. Eventually, I identified a path traversal vulnerability in the “kid” header: the server reads the signing key from whatever file the “kid” points to. I therefore set the “kid” header to “/dev/null”, which reads as an empty file, and signed the JWT with an empty secret key.
However, a complication arose: a replace function or similar mechanism strips our “../” sequences from the value.
Yet we can overcome this with the pattern ....//....//....//
since a single-pass replacement collapses each ....// into ../, which bypasses the restriction and lets the traversal proceed.
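As an added illustration (not part of the original write-up and not the challenge’s own code), the following Python models a server whose key loader resolves the untrusted “kid” to a file path after a single-pass “../” strip, beside a hardened loader that treats “kid” as an opaque lookup into a registry of known keys. The directory layout, the registry entry “app-2024”, the file names and the secret are all constructed for the example; an empty file outside the key directory stands in for /dev/null so the script runs on any platform.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
from typing import Callable, Optional

# Constructed registry for the hardened loader: kid -> file name under the key directory.
# "app-2024" and "app.key" are assumed names, not taken from the challenge.
KEY_REGISTRY = {"app-2024": "app.key"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWT: HMAC-SHA256 over base64url(header).base64url(payload)."""
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def naive_strip(kid: str) -> str:
    """Single-pass removal of '../', the kind of filter the write-up ran into.
    It is not a sanitizer: each '....//' collapses to '../' after one pass."""
    return kid.replace("../", "")


def vulnerable_load_key(key_dir: str, kid: str) -> bytes:
    """Resolves the untrusted kid to a file path after the naive filter (the bug)."""
    with open(os.path.join(key_dir, naive_strip(kid)), "rb") as fh:
        return fh.read()


def hardened_load_key(key_dir: str, kid: str) -> bytes:
    """Treats kid as an opaque registry key, never as a path. The realpath check is
    defence in depth for the day the registry is populated from configuration."""
    if kid not in KEY_REGISTRY:
        raise KeyError("unknown kid")
    base = os.path.realpath(key_dir)
    path = os.path.realpath(os.path.join(base, KEY_REGISTRY[kid]))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("key path escapes key directory")
    with open(path, "rb") as fh:
        return fh.read()


def verify_hs256(token: str, key_dir: str, load_key: Callable[[str, str], bytes]) -> Optional[dict]:
    """Return the payload if the HMAC verifies under the key selected by kid, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        if header.get("alg") != "HS256":
            return None
        key = load_key(key_dir, header["kid"])
    except (ValueError, KeyError, OSError):
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    return json.loads(b64url_decode(p64))


def demo() -> dict:
    """Constructed layout: <tmp>/keys/app.key holds the real secret; <tmp>/empty.txt is an
    empty file outside the key directory, playing the role /dev/null plays in the write-up."""
    with tempfile.TemporaryDirectory() as tmp:
        key_dir = os.path.join(tmp, "keys")
        os.mkdir(key_dir)
        with open(os.path.join(key_dir, "app.key"), "wb") as fh:
            fh.write(b"constructed-server-secret")
        open(os.path.join(tmp, "empty.txt"), "wb").close()

        # Forged token: the kid survives the single-pass filter as "../empty.txt", so the
        # vulnerable server verifies with an empty key, which is exactly what signed it.
        forged = sign_hs256(
            {"alg": "HS256", "typ": "JWT", "kid": "....//empty.txt"}, {"user": "admin"}, b""
        )
        # Legitimate token issued with the registered key.
        genuine = sign_hs256(
            {"alg": "HS256", "typ": "JWT", "kid": "app-2024"},
            {"user": "alice"},
            b"constructed-server-secret",
        )
        return {
            "filtered_kid": naive_strip("....//....//empty.txt"),
            "vulnerable_accepts_forged": verify_hs256(forged, key_dir, vulnerable_load_key),
            "hardened_accepts_forged": verify_hs256(forged, key_dir, hardened_load_key),
            "hardened_accepts_genuine": verify_hs256(genuine, key_dir, hardened_load_key),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the fix is not a better blacklist: the hardened loader never derives a file path from attacker-controlled input, so neither “../” nor any encoding of it matters, and an unknown “kid” simply fails verification.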
As a result of these efforts, we successfully obtained the flag!
have Fun 💜