FooBar CTF 2021: My Weak Secret

My Weak Secret

Category: Web

100 points

Never use weak secrets. I repeat NEVER.




Challenge description is a hint, that weak password has been used. So, I’ve used John The Ripper to try bruteforce.

Firstly, I’ve saved the jwt into the file. (you can try it by yourself, here it is eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZXJyb3IifQ.XALcPJYbkoM2OvMjOrFCBb5w4CuYSavfjgCL_RHymjU).

Secondly, launched Johnny.

john --wordlist=/home/luc/Pobrane/rockyou.txt --format=HMAC-SHA256 jwt.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badboy           (?)
1g 0:00:00:00 DONE (2021-04-01 17:05) 50.00g/s 819200p/s 819200c/s 819200C/s 123456..christal
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

And then forged new jwt with


Then, I switched the jwt cookie and get the reward.




Privacy Policy
luc © 2021