JSON Web Token (JWT) CTF || LineCTF 2024 Writeup || Part 2
ES256 Psychic Signature Attack
This problem is closely connected with the problem “jalyboy baby” from Part 1, so I recommend reading that write-up first: JSON Web Token (JWT) CTF || LineCTF 2024 Writeup || Part 1.
Challenge Details
Name : jalyboy jalygirl
Category : Web Exploitation
Difficulty : Easy
Challenge Description
If you want to download the associated files, visit this GitHub repository: CTF Archives.
Solving Process
Like the previous problem, this one has a similar scenario.
As in the previous one, I got the JWT from the source code. But from this point, things get more complex. The JWT uses the ES256 algorithm, which is the most secure algorithm for JWT. The scary part is that every time I refresh the page, the signature part changes randomly (ECDSA signatures include a random nonce, so a fresh signature over the same payload looks different each time).
I spent a lot of time researching but got almost nowhere. Finally, I found a blog post from OWASP that talks about a vulnerability (or maybe the only vulnerability) of the ES256 algorithm: if you replace the signature part of the JWT with “MAYCAQACAQA”, the server will accept it as a valid signature.
That was exactly what I was looking for. This time I used a tool called “JWT Tools”, a GitHub repo, and with it I changed “sub” in the payload part from “guest” to “admin”.
Then I copied the JWT and replaced the signature with “MAYCAQACAQA”, so the final token looks like this:
eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.MAYCAQACAQA
And like the previous one, I replaced the real JWT in the href attribute with this one and hit “log in as guest”, which led me to the flag page.
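To see what that magic signature actually is, and what a correct verifier should do with it, here is an added Python example (it is not part of the original write-up and not code from the challenge). It decodes the token shown above, parses the signature as the DER SEQUENCE { INTEGER r, INTEGER s } that Java-style ECDSA APIs consume (it also accepts the 64-byte raw r||s form JWS normally uses), and applies the range check every ECDSA verifier must perform before doing any curve arithmetic: both r and s must lie in [1, n-1], where n is the order of the P-256 base point. The function and constant names (`inspect_jwt`, `check_scalar_range`, `P256_N`, and so on) are my own, and the only input is the token from this write-up.

```python
import base64
import json

# Token exactly as shown in the write-up (header / payload / signature).
TOKEN = "eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.MAYCAQACAQA"

# Order n of the P-256 (secp256r1) base point. Valid ECDSA scalars r, s
# satisfy 1 <= r, s <= n - 1; zero is never a valid value for either.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in JWS segments."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_der_ecdsa(sig: bytes) -> tuple:
    """Minimal strict parser for DER SEQUENCE { INTEGER r, INTEGER s }.

    Only short-form lengths (< 128 bytes) are supported, which is enough
    for P-256 signatures (at most 72 bytes). Anything malformed raises.
    """
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = sig[1]
    if seq_len >= 0x80 or 2 + seq_len != len(sig):
        raise ValueError("bad SEQUENCE length")
    body = sig[2:]
    values = []
    pos = 0
    for _ in range(2):
        if pos + 2 > len(body) or body[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = body[pos + 1]
        if n == 0 or n >= 0x80 or pos + 2 + n > len(body):
            raise ValueError("bad INTEGER length")
        values.append(int.from_bytes(body[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(body):
        raise ValueError("trailing bytes after second INTEGER")
    return values[0], values[1]


def decode_signature(sig: bytes) -> tuple:
    """Return (r, s) from either the JWS raw r||s form or DER."""
    if len(sig) == 64:  # ES256 per RFC 7518: two 32-byte big-endian scalars
        return int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    return parse_der_ecdsa(sig)


def check_scalar_range(r: int, s: int, n: int = P256_N) -> bool:
    """The check a correct ECDSA verifier performs before any curve math."""
    return 1 <= r <= n - 1 and 1 <= s <= n - 1


def inspect_jwt(token: str) -> dict:
    """Decode a JWS compact token and report what its signature encodes."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    sig = b64url_decode(sig_b64)
    r, s = decode_signature(sig)
    return {
        "alg": header.get("alg"),
        "payload": payload,
        "sig_hex": sig.hex(),
        "r": r,
        "s": s,
        "scalars_in_range": check_scalar_range(r, s),
    }


if __name__ == "__main__":
    info = inspect_jwt(TOKEN)
    print("alg:", info["alg"])
    print("payload:", info["payload"])
    print("signature bytes:", info["sig_hex"])          # 3006020100020100
    print("r =", info["r"], "s =", info["s"])           # both 0
    print("passes range check:", info["scalars_in_range"])  # False
```

Run stand-alone, it shows that “MAYCAQACAQA” is simply the DER bytes 30 06 02 01 00 02 01 00, i.e. r = 0 and s = 0. A verifier that enforces the [1, n-1] range rejects the token before touching the key or the curve, which is why the range check (together with rejecting signatures of the wrong length for the declared algorithm) is the right place to detect and block this class of forged signature, independent of which ECDSA library sits underneath.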
Flag
LINECTF{abaa4d1cb9870fd25776a81bbd278932}
Reference
So, that was the solution to the “jalyboy jalygirl” web problem from LineCTF 2024. I participate in CTFs regularly, so more write-ups are coming. Make sure to follow.