[HITB CTF Singapore 2017] Web 425 – Pasty

Challenge:

Can you find the administrator’s secret message?
http://47.74.147.52:20012

In the first look, it seems like a page which save our text. I decided to create an account, login, and observe in burp-suite. Something interesting appears:

There are many base64 parts encode chain with dot, it absolutely using JWT token to authentication. Decode it, we get some information:

Yes, it uses RS256 algorithm to encrypt our payload. So changing it value to admin will solve the challenge? Nope.
RS256 (RSA Signature with SHA-256) is an asymmetric algorithm, and it uses a public/private key pair: the identity provider has a private (secret) key used to generate the signature, and the consumer of the JWT gets a public key to validate the signature.

So on, we got kid: “keys/3c3c2ea1c3f113f649dc9389dd71b851” on the header, which means it will find the public key in file path defined in kid (in this case: http://47.74.147.52:20012/keys/3c3c2ea1c3f113f649dc9389dd71b851.pem)

To sum up, we already got:
– The Header format
– The Payload format
– default public key in the file which defined in kid

At this point, i decided to do an attack which using HS256 instead of RS256 and make the public key become a decrypt key but no luck, i stucked for several hours.

Luckily, my friend told me what if we still using RS256 and trick the authentication to accept our payload? Well, based on this idea, we have to get:
– our Private key
– our Public key
– The admin in payload which using our private key to sign

So, we are going to force JWT using our public key to verify our crypt 🙂
The attack is as below:
1/ Create the pub/priv key pair
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQsHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5Do2kQ+X5xK9cipRgEKwIDAQAB
-----END PUBLIC KEY-----

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDdlatRjRjogo3WojgGHFHYLugdUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQsHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5Do2kQ+X5xK9cipRgEKwIDAQABAoGAD+onAtVye4ic7VR7V50DF9bOnwRwNXrARcDhq9LWNRrRGElESYYTQ6EbatXS3MCyjjX2eMhu/aF5YhXBwkppwxg+EOmXeh+MzL7Zh284OuPbkglAaGhV9bb6/5CpuGb1esyPbYW+Ty2PC0GSZfIXkXs76jXAu9TOBvD0ybc2YlkCQQDywg2R/7t3Q2OE2+yo382CLJdrlSLVROWKwb4tb2PjhY4XAwV8d1vy0RenxTB+K5Mu57uVSTHtrMK0GAtFr833AkEA6avx20OHo61Yela/4k5kQDtjEf1N0LfI+BcWZtxsS3jDM3i1Hp0KSu5rsCPb8acJo5RO26gGVrfAsDcIXKC+bQJAZZ2XIpsitLyPpuiMOvBbzPavd4gY6Z8KWrfYzJoI/Q9FuBo6rKwl4BFoToD7WIUS+hpkagwWiz+6zLoX1dbOZwJACmH5fSSjAkLRi54PKJ8TFUeOP15h9sQzydI8zJU+upvDEKZsZc/UhT/SySDOxQ4G/523Y0sz/OZtSWcol/UMgQJALesy++GdvoIDLfJX5GBQpuFgFenRiRDabxrE9MNUZ2aPFaFp+DyAe+b4nDwuJaW2LURbr8AEZga7oQj0uYxcYw==
-----END RSA PRIVATE KEY-----

2/ Encode our payload with value set to admin in JWT, to do it, go to jwt.io:

3/ set “kid” point to our public key
How to do it? Remember that we also got a function which let us save our paste, i create a new paste, set everyone can see it, and paste the content of our public key into it:

Well, we also can download it
http://47.74.147.52:20012/api/paste/308761e7-4147-4868-b97d-309d0c94785c?raw
So, set it to kid and the problem solved? no! the path in “kid” will auto append .pem at the end and make our public key turn wrong, so we need to bypass it.
Simply add & into it, and .pem will become the parameter which means we wont need to care more about it.
So our final payload:

4/ get flag

Interesting Challenge 😀

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s