Necromancers Notebook
Today is October 31 👻. The hint for this Halloween lab is JWT.
Once I was registered, I followed a hunch and navigated to /admin. Of course I wasn't allowed to navigate to that page, but BurpSuite revealed something interesting. When I tried navigating to /admin, it tried a redirect to /admin/flag. Can't say that's not interesting.

Because the hint was JWT, I obviously looked at the JWT I got when I registered. The role attribute was interesting. I could assume that successfully navigating to /admin/flag depended on that attribute. My next step would be changing that to "role":"admin".

I tried changing it manually and using the none and unsigned attacks, but that was unsuccessful. Then I noticed that the signing algorithm was HS256. This meant I could try to crack the secret with hashcat.
I cracked the secret with hashcat and found that the secret was pumpkin 🎃, how fitting!
Now all I had to do was change my role to admin and re-sign the JWT with the secret.

At this point I was pretty confident I would reach the /admin/flag endpoint using this new token. So I loaded it up in BurpSuite and hit send.

And the reward for all that? My flag 🇧🇪
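
The server-side view of the same chain, as an added example that is not part of the original lab or its code: an HS256 verifier that pins the algorithm and refuses keys shorter than the 256 bits RFC 7518 requires, so a dictionary-word secret like the one above is rejected by policy and a token re-signed with it fails against a random key. The function names and the `user` claim are assumptions; `role` is the claim from the writeup.

```python
import base64, hashlib, hmac, json, secrets

MIN_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 keys must be at least 256 bits

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims or raise ValueError. The server fixes the algorithm;
    the header's alg is checked, never used to choose how to verify."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("signing key shorter than 256 bits")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # bad part count, base64, UTF-8 or JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # covers "none" and anything else
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def outcome(token: str, key: bytes) -> str:
    try:
        return f"accepted: role={verify_hs256(token, key).get('role')}"
    except ValueError as exc:
        return f"rejected: {exc}"

# Constructed sample data: the lab's weak secret and a random 256-bit key.
WEAK_KEY = b"pumpkin"
STRONG_KEY = secrets.token_bytes(32)
forged = sign_hs256({"user": "guest", "role": "admin"}, WEAK_KEY)

if __name__ == "__main__":
    print(outcome(forged, WEAK_KEY))    # key policy refuses the weak secret
    print(outcome(forged, STRONG_KEY))  # re-signed token fails verification
```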