omakmoh@home:~$

Web Security - CyberTalents Quals 2020

Hello Hackers. This is my writeup for the CyberTalents Qualifications.
I’ll start with the first category, which is Web Security.

Challenge Name: Pr0mo
Category: Web Security
Points: 100
Difficulty: Medium

Firstly, I ran dirsearch looking for anything interesting, using the following command:
python3 dirsearch.py -u http://ec2-18-156-199-115.eu-central-1.compute.amazonaws.com/promo/ -e '*'
I didn’t find anything useful.
Wait… what?

Look at the challenge name again. The first thing that came to my mind was the Promotion challenge in ASCWG:
I remembered the JWT token!

I quickly went to my desktop, fired up Burp Suite and started intercepting the request.

Yeah! It’s a JWT, as I expected.
On my way to a JWT website to decode the token.

Oh, there is a claim named “user” and its value is “guest”.
I tried to change the alg to none to bypass the secret key,

but I failed :(
It’s time to crack the secret :D

I went to my Linux VMware machine and opened the terminal. Well?
Well, I’ll use John the Ripper and the rockyou wordlist to crack the secret key. I put the original token in token.txt and used the following command to crack the secret:
john token.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256
Within seconds, I got the result.

Nice progress. Now that we have the secret, let’s go back to the JWT site, enter it, and change the user role to admin.

Let’s replace the cookie with the new cookie we crafted!
WTF? “Can I help you?” The text disappeared? Hmm?
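Both tricks above (the alg:none attempt and the forged admin token after cracking a weak HMAC secret) only work when the server trusts the token header and uses a guessable key. The following is an added example of a server-side verifier that pins HS256, rejects alg:none and compares signatures in constant time; it is not the challenge’s code, and the secret and claims used are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj: dict) -> str:
    """Base64url-encode one JSON segment (header or payload) of a JWT."""
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token. The secret must be long and random, not a wordlist entry."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the signature is valid; never trust 'user'/'role' before this."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        sig = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The algorithm is pinned server-side: "none" (or anything else) is rejected
    # regardless of what the attacker-controlled header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError):
        return None
```

A rejected token (bad alg, bad signature) is a good thing to log, since a burst of them from one client is exactly what the alg:none and forged-cookie attempts above look like from the server side.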

Okay! No problem, I’ll check the page source.
Okay? I found this obfuscated script.

It looks like JSFuck or Brainfuck. Let’s go to this website and decode the obfuscated script we found in the page source.
Oof! We got the flag:
FLAG{JWT_I_Lik3_iT}