Lab 350 — VaultKeeper

hackadvisor

Task: VaultKeeper enterprise secrets management platform uses RS256 JWT authentication with exposed public key. Solution: JWT Algorithm Confusion attack (CVE-2016-10555) — changed alg from RS256 to HS256 and signed with the RSA public key as HMAC secret to forge admin token.

jwt nodejs authentication_bypass token_forgery hs256 express privilege_escalation algorithm_confusion rs256 cve_2016_10555

jwt_algorithm_confusionhmac_with_public_keydecoy_flag_identificationrole_based_access_control_bypassjwk_to_pem_conversion

$ ls tags/ techniques/

jwt nodejs authentication_bypass token_forgery hs256 express privilege_escalation algorithm_confusion rs256 cve_2016_10555

jwt_algorithm_confusionhmac_with_public_keydecoy_flag_identificationrole_based_access_control_bypassjwk_to_pem_conversion

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 354 — VaultAPI — JWT Authentication Bypass via JWE-Wrapped PlainJWT— hackadvisor
[web][Pro]Lab 114 — APIForge — JWT JKU Header Injection for Privilege Escalation— hackadvisor
[web][free]paper-trail— tjctf
[web][Pro]Lab 12 — NewsGrid — JWT Algorithm Confusion— hackadvisor
[web][Pro]Lab 303 — DevGateway — Broken Access Control in Admin API— hackadvisor