LineCTF 2024

JSON Web Token (JWT) CTF || LineCTF 2024 Writeup || Part 1

Tarunna Sen
Mar 25, 2024

HS256 Null Signature Attack

Profile of 4GUn7uk in LineCTF 2024

Recently, I participated in LineCTF 2024 under Team 4GUn7uk. In that CTF, we were able to secure the 199th position.

The rank of 4GUn7uk in LineCTF 2024

There were two problems involving JSON Web Tokens under the web category. This is the write-up for the “Jalyboy baby” problem.

Challenge Details

Name        : Jalyboy baby
Category : Web Exploitation
Difficulty : Easy

Challenge Description

Jalyboy-baby problem description

If you want to download the associated file, visit this GitHub repository: CTF Archives.

Solving Process

To solve this problem, you need a clear understanding of what a JSON Web Token is. If this is the first time you are hearing the term, consider reading this blog: JWT. If it's still not clear to you, consider reading some other blogs and watching some videos.

Back to the problem, at first, I visited the website and got this UI.

jalyboy-baby problem’s site UI

The “log as admin” button is disabled, and if I click “login as guest”, the “Hi unknown!” text changes to “Hi guest!”. That’s it. Nothing noticeable. So next, I checked the source code of the page and got this:

The source code of the “jalyboy baby” problem’s site

Notice that, in the href attribute, we got a JSON Web Token directly. So, I copied the JWT and checked it on jwt.io.

Fortunately, the JWT is using the HS256 algorithm, which is one of the most insecure algorithms for a JWT. Next, we analyzed the zip file we got, and from the JwtContoller.java file, it turns out that the server doesn’t check the signature. So now, it’s clear that the server has a “Null Signature Vulnerability”. All I have to do is change, in the payload part, the “sub” from “user” to “admin”. That way, we will get admin access. Finally, it looks like this:

Edited data

I copied the JWT without the signature (blue part) and put it in place of the real JWT in the href attribute. Upon hitting enter and clicking the “login as guest” button again, I reached the desired page, which has the flag.

jalyboy-baby flag page

Flag

LINECTF{337e737f9f2594a02c5c752373212ef7}

So, that was the solution to the “jalyboy baby” web problem from LineCTF 2024. Write-ups of other problems that I solved in this CTF are coming soon. They will be embedded below. Also, I am participating in CTFs regularly, so more write-ups are coming up. Make sure to follow.

Write-ups for Jalyboy Jalygirl problem.
