Thứ Sáu, 22 tháng 5, 2020

[Root-Me] JWT Revoked Token

Hi guys , after nearly 2 months dont care about Root Me challenges , I come back to it and realize that some challenges have been added to Web Serveur catalog recently . I decide to play with JWT again . 😃

25 Points , not too much hard  , huh? I though so . And after solved this chall , I have to say : " It's not really hard , but so much tricky" . Let's see !

Base on the links and methods given , I enter into it .

Of course this method is not accepted ! I turn on Zap 2.9.0 my babe to send a request to this Url by POST method :

Ok! next step , I will send a request which contains credential data that they ask . Of course, json data.


but I receive same result : Bad request ! 
After some minutes, I realize that I must add to request a header when sending json data 

Content-Type: application/json

Okay , a little bit difference 😂

When I review the source code , I ensure that when we send credential to server , web server should be sent back the access token .

But I dont see any more and have no idea where it is .
Trick 1 : Use Curl

After googling and reviewing the source code , I decide to use Curl command to resend data to server
curl -H "Content-Type: Application/json" -X POST -d '{"username":"admin","password":"admin"}'
 And I got the access token !

If you immediately submit this JWT token, you will lose it . Seriously , I can prove it right now 😄

When the server generate you a token , the token is sent to blacklist immediately! So, if you send it to server without any edit , it must be revoked .

I try many times with many things including write a payload , crack the JWT token and every crazy thing that I can do , it still not work ! the server doesnt accept any token that edited, craked ,etc . The main issue that you must send the edited token but the server doesnt know or find the difference . But how ?

Trick 2: RFC 4648

And fortunately , I figure out after half a day stucking . I must change directly the token, not the content of it . 
HINT : JWT made of Base 64 encoding , right ?my name : 4rth4s =>  NHJ0aDRz base64 encode , and NHJ0aDRz is similar to NHJ0aDRz== in some cases , right?You have 3 minutes to change it. 
Keep going , I got the flag 😇
Hope you will !

Happy Hacking!

Phổ Biến