You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After register and login we will have a JWT, and we need to be admin to get the flag.
This is how JWT looks like:
At first, I found that I can replace jku to my own server, so I implemented a simple server to return the key. Unfortunately, it keeps return error which said that it can not find a suitable key. I stuck here for a long time and have no idea how to proceed.
Then, I noticed a very important part in the error message, part of jwk are included in the response. So I tried to change the JWT kid to another random string, here is the error message from server:
JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"kid":"HS2561","alg":"HS256"} from JWKs [org.jose4j.jwk.OctetSequenceJsonWebKey{kty=oct, kid=HS256, alg=HS256}] obtained from http://localhost:8080/secret): JsonWebSignature{"kid":"HS2561","alg":"HS256"}->eyJraWQiOiJIUzI1NjEiLCJhbGciOiJIUzI1NiJ9.eyJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvc2VjcmV0IiwiZXhwIjoxNjE3NTMwOTkyLCJqdGkiOiJCREFjSTZ1V0p5X0tvdmhTWnN6WW5nIiwiaWF0IjoxNjE2OTI2MTkyLCJuYmYiOjE2MTY5MjYwNzIsInN1YiI6ImV3ZWlvZmpld29pZiJ9.G_4j1QH9RoiSkv59rmZz0gtNFKPath-Bi8J4_dQmevo]
Great! Now we know the kty is oct, no wonder kty=RSA keeps throw error.
Now we know the correct kty so we can create our own jwk server:
JWT
Description
Writeup
After register and login we will have a JWT, and we need to be admin to get the flag.
This is how JWT looks like:
At first, I found that I can replace
jku
to my own server, so I implemented a simple server to return the key. Unfortunately, it keeps return error which said that it can not find a suitable key. I stuck here for a long time and have no idea how to proceed.Then, I noticed a very important part in the error message, part of jwk are included in the response. So I tried to change the JWT
kid
to another random string, here is the error message from server:Great! Now we know the kty is
oct
, no wonderkty=RSA
keeps throw error.Now we know the correct
kty
so we can create our own jwk server:We can sign a new JWT with
sub=admin
by using this secret key, and get the flag.reference:
The text was updated successfully, but these errors were encountered: