### Token Appreciation ###

Busque en la doc de https://pyjwt.readthedocs.io/en/stable/usage.html hasta encontrar Reading Headers without Validation

In [10]:
import jwt
import base64

encoded = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmbGFnIjoiY3J5cHRve2p3dF9jb250ZW50c19jYW5fYmVfZWFzaWx5X3ZpZXdlZH0iLCJ1c2VyIjoiQ3J5cHRvIE1jSGFjayIsImV4cCI6MjAwNTAzMzQ5M30.shKSmZfgGVvd2OSB2CGezzJ3N6WAULo3w9zCl_T47KQ"
decoded_header = base64.urlsafe_b64decode("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9")
print(decoded_header)

decoded_jwt = jwt.decode(encoded, options={"verify_signature": False})
print(decoded_jwt)


b'{"typ":"JWT","alg":"HS256"}'
{'flag': 'crypto{jwt_contents_can_be_easily_viewed}', 'user': 'Crypto McHack', 'exp': 2005033493}


### JWT Sessions ###

Buscar el header con el inspect del buscador y ver los requests mandados

key = Authorization

### No Way JOSE ###

Primero me fije si podria crear un token con alg none usando JWT, resulta que por defecto te pone H256, lo cual no me sirve. Tambien vi que para conseguir la flag necesita admin: True en el payload.

Entonces cree mis headers manualmente, cree el token "verdadero" usando jwt, reemplace el header del token con mi header mentiroso codificado en b64urlsafe y despues use el token para pegarle al endpoint de la pagina

Flag = crypto{The_Cryptographic_Doom_Principle}


In [12]:
import jwt
import base64
import json
header = {
    "typ": "JWT",
    "alg": "none"
}
payload = {
    "admin": True,
}
token = jwt.encode(payload, "secret")
parts = token.split(".")
header_bytes = json.dumps(header).encode()
parts[0] = base64.urlsafe_b64encode(header_bytes).decode()
token = ".".join(parts)
print(token)


eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJub25lIn0=.eyJhZG1pbiI6dHJ1ZX0.fXypkBFuqt1YgTjy6DWKdlZY-4ikLwJ0CtAhG472rvY


### JWT Secrets ###

La key usada era la default, entonces podes mandarle el payload que quieras.

Flag: crypto{jwt_secret_keys_must_be_protected}

In [None]:
import jwt
payload = {
    "admin": True,
}
token = jwt.encode(payload, "secret")
print(token)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZX0.fXypkBFuqt1YgTjy6DWKdlZY-4ikLwJ0CtAhG472rvY


### RSA or HMAC? ###

Para codificar el mensaje con RS256, necesitariamos la clave privada. Pero el servidor tambien acepta HMAC, que considera a la public key como una clave simetrica. Esto nos deja crear un token codificado en HS256 usando la clave publica como key, y que el servidor interpretaria como un token valido firmado de manera correcta.

Flag: crypto{Doom_Principle_Strikes_Again}

In [53]:
import jwt
payload = {

    "admin": True,
}
PUBLIC_KEY = "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAvoOtsfF5Gtkr2Swy0xzuUp5J3w8bJY5oF7TgDrkAhg1sFUEaCMlR\nYltE8jobFTyPo5cciBHD7huZVHLtRqdhkmPD4FSlKaaX2DfzqyiZaPhZZT62w7Hi\ngJlwG7M0xTUljQ6WBiIFW9By3amqYxyR2rOq8Y68ewN000VSFXy7FZjQ/CDA3wSl\nQ4KI40YEHBNeCl6QWXWxBb8AvHo4lkJ5zZyNje+uxq8St1WlZ8/5v55eavshcfD1\n0NSHaYIIilh9yic/xK4t20qvyZKe6Gpdw6vTyefw4+Hhp1gROwOrIa0X0alVepg9\nJddv6V/d/qjDRzpJIop9DSB8qcF1X23pkQIDAQAB\n-----END RSA PUBLIC KEY-----\n"
print(PUBLIC_KEY)
token = jwt.encode(payload, PUBLIC_KEY)
print(token)

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAvoOtsfF5Gtkr2Swy0xzuUp5J3w8bJY5oF7TgDrkAhg1sFUEaCMlR
YltE8jobFTyPo5cciBHD7huZVHLtRqdhkmPD4FSlKaaX2DfzqyiZaPhZZT62w7Hi
gJlwG7M0xTUljQ6WBiIFW9By3amqYxyR2rOq8Y68ewN000VSFXy7FZjQ/CDA3wSl
Q4KI40YEHBNeCl6QWXWxBb8AvHo4lkJ5zZyNje+uxq8St1WlZ8/5v55eavshcfD1
0NSHaYIIilh9yic/xK4t20qvyZKe6Gpdw6vTyefw4+Hhp1gROwOrIa0X0alVepg9
Jddv6V/d/qjDRzpJIop9DSB8qcF1X23pkQIDAQAB
-----END RSA PUBLIC KEY-----

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZX0.2s2PHOoEYYE1O_tHbdoA4-M1dpcRVJ66agqLXUXPM7A


### JSON in JSON ###

Hay que hacer una json injection dado que json por defecto, dadas 2 keys iguales, usa el valor de la ultima key que lee. Entonces al meter un user del estilo ", "admin": true, "x": "

Conseguimos la key crypto{https://owasp.org/www-community/Injection_Theory}

### RSA or HMAC? Part 2 ###

Honestamente ni idea. Magia negra del tipo este https://blog.silentsignal.eu/2021/02/08/abusing-jwt-public-keys-without-the-public-key/ y copiarle el codigo https://github.com/silentsignal/rsa_sign2n/blob/release/standalone/jwt_forgery.py pero agregandole admin : true. Use el jwt codeado en pcks1 porque el otro no andaba.

key = crypto{thanks_silentsignal_for_inspiration}

In [56]:
import sys
import json
import base64
from gmpy2 import mpz,gcd,c_div
import binascii
from Crypto.Hash import SHA256, SHA384, SHA512
from Crypto.Signature import pkcs1_15
import asn1tools
import binascii
import time
import hmac
import hashlib

def b64urldecode(b64):
    return base64.urlsafe_b64decode(b64+("="*(len(b64) % 4)))

def b64urlencode(m):
    return base64.urlsafe_b64encode(m).strip(b"=")

def bytes2mpz(b):
    return mpz(int(binascii.hexlify(b),16))


def der2pem(der, token="RSA PUBLIC KEY"):
    der_b64=base64.b64encode(der).decode('ascii')
    
    lines=[ der_b64[i:i+64] for i in range(0, len(der_b64), 64) ]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (token, "\n".join(lines), token)


def forge_mac(jwt0, public_key):
    jwt0_parts=jwt0.encode('utf8').split(b'.')
    jwt0_msg=b'.'.join(jwt0_parts[0:2])

    alg=b64urldecode(jwt0_parts[0].decode('utf8'))
    # Always use HS256
    alg_tampered=b64urlencode(alg.replace(b"RS256",b"HS256").replace(b"RS384", b"HS256").replace(b"RS512", b"HS256"))

    payload=json.loads(b64urldecode(jwt0_parts[1].decode('utf8')))
    payload['exp'] = int(time.time())+86400
    payload['admin'] = True
    print(payload)

    payload_encoded=b64urlencode(json.dumps(payload).encode('utf8'))

    tamper_hmac=b64urlencode(hmac.HMAC(public_key,b'.'.join([alg_tampered, payload_encoded]),hashlib.sha256).digest())

    jwt0_tampered=b'.'.join([alg_tampered, payload_encoded, tamper_hmac])
    print("[+] Tampered JWT: %s" % (jwt0_tampered))
    return jwt0_tampered
# e=mpz(65537) # Can be a couple of other common values

jwt0="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VybmFtZSI6ImEiLCJhZG1pbiI6ZmFsc2V9.0HUI6s7p_DeOSYoR_s65Af8lvJ78YTsZZRST_4Ye4Waqkmz6UEUwiHjwRCcae8W7Fo93bJr8BfCxxfbRJ4OIhhu7hP5VH4c24QMWKBXMpWSskGuNNli33-6oM_NR-G0CkLNFF8FtQuvBQxyZabEVMmfU8j38GodsA7811H_eYIm8qRWqz3eNY4LyHOxTvc4Krz1Jjed0rWZlm7siBTxZnyyUEu8QGHbblAVgM56Fj6ocNcglIW41EowhCqDaepsV_EJUCWhBz4AcB0BLcQdPfhWHuNpopNkEfWfBFkPIJpwKWw5frXospYZ4Mpui8p5v3_bSQGO3zZhHiTpcQNx0-Q"

jwt1="eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VybmFtZSI6ImFiIiwiYWRtaW4iOmZhbHNlfQ.pKR5g4k2Q50dm24wXMFGOtHtDSRX-em0EbJ1pr9y8M-Yco1zZvu96lN4JngtDHIDzIj4iuB98RL8P7I9a3oPVxdg3SPwENjlRKHRGJ6PXUU7Pq6omi2qOExZHdZqcSs1hpH5V221DiIqZcB2dxxqnRQlqyezYWvp7b1OuNx1-OwH5iu8J3-U05vAwqZITRGAitc20vLxLVlxJLFXMFiLBEYeKbHkCRZCLH1aAxWJ1LhmfjRA7asID86dRoktFmDEqWs5v9m8Z7YMlf4Wku6prxhjiIxXwyMh5EsdvGlqv7paTnOtIFHyQ41h5mxT3msUNUzwlTvB3EGdSkaIY-JmtQ"


alg0=json.loads(b64urldecode(jwt0.split('.')[0]))
alg1=json.loads(b64urldecode(jwt1.split('.')[0]))

if not alg0["alg"].startswith("RS") or not alg1["alg"].startswith("RS"):
    raise Exception("Not RSA signed tokens!")
if alg0["alg"] == "RS256":
    HASH = SHA256
elif alg0["alg"] == "RS384":
    HASH = SHA384
elif alg0["alg"] == "RS512":
    HASH = SHA512
else:
    raise Exception("Invalid algorithm")
jwt0_sig_bytes = b64urldecode(jwt0.split('.')[2])
jwt1_sig_bytes = b64urldecode(jwt1.split('.')[2])
if len(jwt0_sig_bytes) != len(jwt1_sig_bytes):
    raise Exception("Signature length mismatch") # Based on the mod exp operation alone, there may be some differences!

jwt0_sig = bytes2mpz(jwt0_sig_bytes)
jwt1_sig = bytes2mpz(jwt1_sig_bytes)

jks0_input = ".".join(jwt0.split('.')[0:2])
hash_0=HASH.new(jks0_input.encode('ascii'))
padded0 = pkcs1_15._EMSA_PKCS1_V1_5_ENCODE(hash_0, len(jwt0_sig_bytes))

jks1_input = ".".join(jwt1.split('.')[0:2])
hash_1=HASH.new(jks1_input.encode('ascii'))
padded1 = pkcs1_15._EMSA_PKCS1_V1_5_ENCODE(hash_1, len(jwt0_sig_bytes))

m0 = bytes2mpz(padded0) 
m1 = bytes2mpz(padded1)

pkcs1 = asn1tools.compile_files('pkcs1.asn', codec='der')
x509 = asn1tools.compile_files('x509.asn', codec='der')

jwts=[]

for e in [mpz(3),mpz(65537)]:
    gcd_res = gcd(pow(jwt0_sig, e)-m0,pow(jwt1_sig, e)-m1)
    #To speed things up switch comments on prev/next lines!
    #gcd_res = mpz(0x143f02c15c5c79368cb9d1a5acac4c66c5724fb7c53c3e048eff82c4b9921426dc717b2692f8b6dd4c7baee23ccf8e853f2ad61f7151e1135b896d3127982667ea7dba03370ef084a5fd9229fc90aeed2b297d48501a6581eab7ec5289e26072d78dd37bedd7ba57b46cf1dd9418cd1ee03671b7ff671906859c5fcda4ff5bc94b490e92f3ba9739f35bd898eb60b0a58581ebdf14b82ea0725f289d1dac982218d6c8ec13548f075d738d935aeaa6260a0c71706ccb8dedef505472ce0543ec83705a7d7e4724432923f6d0d0e58ae2dea15f06b1b35173a2f8680e51eff0fb13431b1f956cf5b08b2185d9eeb26726c780e069adec0df3c43c0a8ad95cbd342)
    print("[*] GCD: ",hex(gcd_res))
    for my_gcd in range(1,100):
        my_n=c_div(gcd_res, mpz(my_gcd))
        if pow(jwt0_sig, e, my_n) == m0:
            print("[+] Found n with multiplier" ,my_gcd, " :\n", hex(my_n))
            pkcs1_pubkey=pkcs1.encode("RSAPublicKey", {"modulus": int(my_n), "publicExponent": int(e)})
            x509_der=x509.encode("PublicKeyInfo",{"publicKeyAlgorithm":{"algorithm":"1.2.840.113549.1.1.1","parameters":None},"publicKey":(pkcs1_pubkey, len(pkcs1_pubkey)*8)})
            pem_name = "%s_%d_x509.pem" % (hex(my_n)[2:18], e)
            with open(pem_name, "wb") as pem_out:
                public_key=der2pem(x509_der, token="PUBLIC KEY").encode('ascii')
                pem_out.write(public_key)
                print("[+] Written to %s" % (pem_name))
                jwts.append(forge_mac(jwt0, public_key))
            pem_name = "%s_%d_pkcs1.pem" % (hex(my_n)[2:18], e)
            with open(pem_name, "wb") as pem_out:
                public_key=der2pem(pkcs1_pubkey).encode('ascii')
                pem_out.write(public_key)
                print("[+] Written to %s" % (pem_name))
                jwts.append(forge_mac(jwt0, public_key))

print("="*80)
print("Here are your JWT's once again for your copypasting pleasure")
print("="*80)
for j in jwts:
    print(j.decode('utf8'))

[*] GCD:  0x1


KeyboardInterrupt: 