Simple JWT hacking

JWT (JSON Web Token)

While attending Nullcon International Security Conference 2019 at Goa, they conducted a Battle Underground CTF which was a jeopardy style CTF. I’ve come across one of the Web challenges JWT worth 300 points (btw it isn’t that hard :-p). I would like to share my way of completing the challenge.

https://nullcon.net/website/goa-2019/ctf.php
braindead.battleunderground.in

Motive :

We need to generate a JWT token having an admin role instead of having a user.

About JWT’s :

JSON Web Tokens used for creating access tokens that assert some number of claims. For example, a server could generate a token that has the claim “logged in as admin” and provide that to a client. The client could then use that token to prove that it is logged in as admin.

Tools :

Steps :

By intercepting the web request with Burp Suite, it gives an “X-Auth Token’s” value which is nothing but dot separated base64URL encoded values generally known as JWT token.

X-Auth Token : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4ifQ==.heBq_EtfVfbCTp9nxaWOi_cN4wXgrwdDxUvii6B_8A

Now we can use jwt_tool.py to forge the token.

python jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4ifQ==.heBq_EtfVfbCTp9nxaWOi_cN4wXgrwdDxUvii6B_8A /usr/share/wordlists/rockyou.txt

We have the Payload as “role = user”. As you guessed we need to change the Payload and get the flag. But how ??

JWT assembly : < Header + “.” + Payload + “.” + Signature >

Answer :

The above data and the “secret key” creates the token.

So, we need to find the key. If the signature is invoked by weak key we could crack it with our rockyou word list, so let us try it out.

  • For cracking, we need to select option 5.

Hurrah! We got the key as ‘jamesbond007’.

  • We need to play with Payload so now option 6.
  • All good select field number 0 to continue.
  • Select a field number 1 and enter new value “admin” and select 0 to continue to next step.
  • Option 1 is so juicy go ahead and Sign token with a known key and choose key length as HMAC-SHA256.

Yess! We got a forged token claiming “role = admin”.

We could able to access the admin page by replacing our payload in X-Auth token’s parameter and retrieved the flag!

The Flag is : braindead{4lways_us3_str0ng_k3y$}