ctfshow-jwt

web345

Look at the source code to find /admin

Visit /admin and take the cookie it generates


Decode it as a JWT


The alg in the header is none, so the token carries no signature at all. Change user to admin and base64-encode it again.

web346

Similar to the previous challenge, but this time the token is signed.


We still need to change user to admin, but we don't know the secret key, so take a blind guess: 123456


Submit the cookie and then visit /admin/

web347

Same as the previous challenge; the key is 123456

web348

The front end is the same, and the challenge hint says to brute-force it, so take out the cookie


The token is signed and user still has to be changed to admin, but since the key is unknown, brute-force it with jwtcrack

Download from https://github.com/brendan-rius/c-jwt-cracker


The brute force gives aaab; the rest is the same as above.

web349

app.js

// Required modules, implied by the snippet below
var express = require('express');
var router = express.Router();
var fs = require('fs');
var jwt = require('jsonwebtoken');

/* GET home page. */
router.get('/', function(req, res, next) {
  res.type('html');
  var privateKey = fs.readFileSync(process.cwd()+'//public//private.key');
  // Token is issued with RS256, signed by the server's RSA private key
  var token = jwt.sign({ user: 'user' }, privateKey, { algorithm: 'RS256' });
  res.cookie('auth',token);
  res.end('where is flag?');
});

router.post('/',function(req,res,next){
	var flag="flag_here";
	res.type('html');
	var auth = req.cookies.auth;
	var cert = fs.readFileSync(process.cwd()+'//public/public.key');  // get public key
	// No `algorithms` option is passed, so the algorithm is taken from the token header (see web350);
	// err is never checked either, so an invalid token leaves decoded undefined and this throws
	jwt.verify(auth, cert, function(err, decoded) {
	  if(decoded.user==='admin'){
	  	res.end(flag);
	  }else{
	  	res.end('you are not admin');
	  }
	});
});

module.exports = router;

Get the public and private keys by visiting /private.key and /public.key

Then paste them into jwt.io, change user to admin, re-sign with the private key, and send the new cookie in a POST request together with some parameter

web350

The HS256 algorithm uses one shared secret key both to sign and to verify every message.

The RS256 algorithm, on the other hand, signs the message with the private key and verifies it with the public key.

If the algorithm in the header is changed from RS256 to HS256, the backend code takes the public key as the HMAC key and verifies the signature with HS256.

Since an attacker can sometimes obtain the public key, they can change the algorithm in the header to HS256 and sign the data with the RSA public key as the secret.

In that case the backend verifies the signature with the RSA public key + HS256, and because both sides use the same bytes as the HMAC key, the check passes.

Node script:

const jwt = require('jsonwebtoken');
var fs = require('fs');
// The server's RSA public key, reused here as the HMAC secret
var privateKey = fs.readFileSync('public.key');
// Newer jsonwebtoken releases refuse to use an asymmetric key with HS256, so this only works against older versions
var token = jwt.sign({ user: 'admin' }, privateKey, { algorithm: 'HS256' });
console.log(token);


Run it with node, take the token it prints, and replace the cookie with it.

Origin blog.csdn.net/qq_63928796/article/details/128457491