Web Security - CyberTalents Quals 2020
Hello Hackers.
This is my writeup for Cybertalents Qualifications.
I’ll start with the First Category and which is Web Security
Challange Name: Pr0mo
Category: Web Security
Points: 100
Difficulty: Medium
Firstly, i run dirsearch looking for anything using the following command
python3 dirsearch.py -u http://ec2-18-156-199-115.eu-central-1.compute.amazonaws.com/promo/ -e *
i didn’t find something useful
Wait… what?
Look at the Challange name again? The First thing that came to my mind is Promotion challenge in ASCWG
i remembered the JWT TOKEN!
I quickly went to my desktop and fired up burp suite then i started to intercept the request
Yeah! it’s JWT! as I expected
in my way to JWT Website to decode the token
ohh there a role named “user” and his value “guest”
i tried to change the alg to none to bypass the secert key
but i failed :(
it’s time to crack the secert :D
i went to my linux vmware machine and opened the terminal Well?
Well, I’ll use john the ripper tool and rockyou wordlist for crack the secert key , i put the original token in token.txt well i’ll use the following command to crack the password
john token.txt --wordlist=/usr/share/wordliste/rockyou.txt --format=HMAC-SHA256
in seconds, i got the result
Nice progress, now we have the secert, lets go back to jwt site and put it and change the user role to admin
Let’s replace the cookie with the new cookie we crafted!
WTF? Can I help you?. Text disappeard? Hmm?
Okay! no problem i’ll check the page source.
Okay? i found this encryption
it seems like jsFuck or BrainFuck let’s go to this Website and decrypt the encryption you found in the source of the page
OfF! we got the flag
FLAG{JWT_I_Lik3_iT}