Galaxy Dash - JWT Forgery
Our hint this time was: can you find something that you weren't supposed to find?
This was a very cool weekly challenge with a vulnerability I had only seen for the first time recently. It was cool to see it again.
After the usual clicking around, I went to Burp Suite. I saw that once I booked a delivery, a POST request was sent with a URL inside the body. SSRF alert!

The first thing I try when I see something like that is to reach Burp Collaborator. Unfortunately, that didn't work here.

OK, outbound traffic is probably not allowed, so no sneaky calls to external scripts. The next best thing is to fuzz the internal application through the SSRF.
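The fix on the application side is to validate the user-supplied callback URL before the server fetches it. The following is an added example, not code from the challenge, showing the check a delivery-booking endpoint should have done: it allows only http(s), and rejects any destination that is, or resolves to, a non-global address (loopback, RFC 1918, link-local, cloud metadata ranges). The `resolve` parameter is a hypothetical injection point so the check can be unit-tested without DNS.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlparse

# The booking flow only ever needs to call back over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip) -> bool:
    """True for anything a server-side fetch should never reach:
    loopback, private (RFC 1918 / ULA), link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses are all non-global."""
    return not ip.is_global


def check_callback_url(
    url: str,
    resolve: Callable = socket.getaddrinfo,  # hypothetical hook for tests
) -> Tuple[bool, str]:
    """Return (ok, reason) for a user-supplied callback URL."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"

    ips: List = []
    try:
        # Literal IPv4/IPv6 host (urlparse already strips the [] of IPv6).
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname: resolve every address it maps to and check each one.
        try:
            for entry in resolve(host, None):
                addr = entry[4][0].split("%")[0]  # drop IPv6 scope id if any
                ips.append(ipaddress.ip_address(addr))
        except (socket.gaierror, OSError):
            return False, f"cannot resolve {host!r}"

    for ip in ips:
        if _is_internal(ip):
            return False, f"{host!r} maps to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, the kind of values an attacker would try.
    for candidate in [
        "http://127.0.0.1/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]/",
        "file:///etc/passwd",
        "http://8.8.8.8/hook",
    ]:
        print(candidate, "->", check_callback_url(candidate))
```

Two caveats a reviewer would raise: the resolution result must be the one actually used for the connection (otherwise DNS rebinding defeats the check), and HTTP redirects from an allowed host must be re-validated or disabled, since a redirect to an internal address is the classic bypass.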
Success! I found another endpoint!

But nothing really interesting on the response.

So let's fuzz some more!

Two hits this time! And I have to say, something labeled private and public is very, very interesting!

Is this a private key? It sure looks like one to me.
So I tried plugging it into the JWT Editor extension so I could re-sign my token.

Got an error due to the literal \n sequences inside the key (it had been serialized into the response body), so I replaced them all with actual newline characters.
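The same normalization, plus the structural check that tells you whether what you found really is a PEM private key, as an added example (not from the writeup): it unescapes the `\n` sequences and surrounding quotes that a JSON body adds, then verifies the BEGIN/END labels match and the body is valid base64. The sample key below is constructed random base64 under a private-key label, not a real key.

```python
import base64
import binascii
import re

# A PEM block: matching BEGIN/END labels around a base64 body.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+)"
    r"-----END (?P=label)-----\n?"
)


def normalize_pem(raw: str) -> str:
    """Turn a key as it appears in a JSON response (escaped "\\n", quotes,
    CRLF, indentation) back into a proper multi-line PEM block."""
    s = raw.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        s = s[1:-1]  # drop the JSON string quotes
    s = s.replace("\\r\\n", "\n").replace("\\n", "\n").replace("\r\n", "\n")
    # Drop blank lines and indentation copied from a pretty-printed response.
    lines = [ln.strip() for ln in s.split("\n") if ln.strip()]
    return "\n".join(lines) + "\n"


def inspect_pem(pem: str) -> dict:
    """Report whether the text is a well-formed PEM block and what it claims
    to be. 'private' is True for RSA/EC/PKCS#8 private-key labels."""
    m = PEM_RE.fullmatch(pem)
    if not m:
        return {"valid": False, "label": None, "private": False, "der_len": 0}
    label = m.group("label")
    try:
        der = base64.b64decode("".join(m.group("body").split("\n")), validate=True)
    except binascii.Error:
        return {"valid": False, "label": label, "private": False, "der_len": 0}
    return {"valid": True, "label": label,
            "private": "PRIVATE KEY" in label, "der_len": len(der)}


# Constructed sample: what the leaked value looks like inside a JSON body.
# The base64 content is random filler, not a real key.
RAW_KEY = (
    '"-----BEGIN RSA PRIVATE KEY-----\\n'
    'MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\\n'
    'KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQ==\\n'
    '-----END RSA PRIVATE KEY-----"'
)


def analyze(raw: str) -> dict:
    """Normalize then inspect; this is what you run on a suspicious finding."""
    return inspect_pem(normalize_pem(raw))


if __name__ == "__main__":
    print(normalize_pem(RAW_KEY))
    print(analyze(RAW_KEY))
```

From a defender's point of view the `private` flag is the one that matters: a public key served by an internal endpoint is harmless, while a private signing key reachable through the same SSRF means every token the application accepts can be minted by whoever fetched it, and the only remediation is to rotate the key pair.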

That worked beautifully! Now let's re-sign our JWT.

Don't mind me becoming admin.
So I became admin, but where was my flag? I tried to reach /admin and /admin/flag and navigated all through the app, but did not find anything. That was until I searched Burp's history for "flag".

Wasted a good 20 minutes searching for the flag, but so glad I found it!