25 points, not too hard, huh? I thought so. And after solving this chall, I have to say: "It's not really hard, but very tricky". Let's see!
Based on the links and methods given, I enter the challenge.
Of course this method is not accepted! I turn on ZAP 2.9.0, my babe, to send a request to this URL by POST method:
OK! Next step, I will send a request that contains the credential data they ask for. Of course, JSON data.
{"data":{"username":"admin","password":"admin"}}
but I receive the same result: Bad request!
After some minutes, I realize that I must add a header to the request when sending JSON data:
Content-Type: application/json
Okay, a little bit different 😂
When I review the source code, I'm sure that when we send credentials to the server, the web server should send back the access token.
But I don't see anything more and have no idea where it is.
Trick 1 : Use Curl
After googling and reviewing the source code, I decide to use a curl command to resend the data to the server:
curl -H "Content-Type: Application/json" -X POST -d '{"username":"admin","password":"admin"}' http://challenge01.root-me.org/web-serveur/ch63/login
And I got the access token!
If you immediately submit this JWT token, you will lose it. Seriously, I can prove it right now 😄
When the server generates you a token, the token is sent to the blacklist immediately! So, if you send it to the server without any edit, it has already been revoked.
I try many times with many things, including writing a payload, cracking the JWT token and every crazy thing I can do, and it still does not work! The server doesn't accept any token that is edited, cracked, etc. The main issue is that you must send an edited token, but the server must not notice or find the difference. But how?
Trick 2: RFC 4648
And fortunately, I figure it out after half a day of being stuck. I must change the token itself directly, not its content.
HINT: JWT is made of Base64 encoding, right?
My name: 4rth4s => NHJ0aDRz (base64 encoded), and NHJ0aDRz is similar to NHJ0aDRz== in some cases, right?
You have 3 minutes to change it.
Keep going, I got the flag 😇
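As an added example (my own code, not the challenge's source and not from the original post): a tiny HS256 issuer with a naive string blacklist next to one that canonicalizes every segment before the lookup, which is what closes the padding gap described in the hint. The secret and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; the challenge's real key is not known here.
SECRET = b"demo-secret-not-the-real-one"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the form JWT segments are meant to use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode a segment whether it carries padding or not (RFC 4648 alphabet)."""
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_signature(token: str) -> bool:
    """A lenient decoder accepts 'sig' and 'sig==' alike: same bytes, same HMAC."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def canonical(token: str) -> str:
    """Re-encode each segment from its decoded bytes so padded and unpadded
    spellings of the same token collapse to one string."""
    return ".".join(b64url(b64url_decode(part)) for part in token.split("."))


def naive_is_revoked(token: str, blacklist: set) -> bool:
    """Weak: compares the raw string, so any re-spelling of the token slips past."""
    return token in blacklist


def strict_is_revoked(token: str, blacklist: set) -> bool:
    """Fixed: canonicalize both sides before comparing."""
    return canonical(token) in {canonical(t) for t in blacklist}
```

Storing the canonical form at revocation time (or blacklisting by a `jti` claim) makes the second check a single set lookup instead of re-encoding the whole list.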
Hope you will !
Happy Hacking!