webPromedium

Lab 211 — CloudPulse

hackadvisor

Task: SaaS monitoring dashboard with JWT HS256 authentication using kid header for key file selection — no path sanitization on kid parameter. Solution: Traverse kid to /dev/null to sign with empty key, forge administrator token using exact role value from /team page, access /admin/secrets vault for the flag.

path_traversal jwt nodejs token_forgery hs256 express privilege_escalation admin_takeover decoy_flag kid_path_traversal

decoy_flag_identificationprivilege_escalation_via_forged_claimsjwt_kid_path_traversal_to_dev_nullhmac_signing_with_empty_keyteam_page_enumeration_for_role_discovery

$ ls tags/ techniques/

path_traversal jwt nodejs token_forgery hs256 express privilege_escalation admin_takeover decoy_flag kid_path_traversal

decoy_flag_identificationprivilege_escalation_via_forged_claimsjwt_kid_path_traversal_to_dev_nullhmac_signing_with_empty_keyteam_page_enumeration_for_role_discovery

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups