webPromedium

Lab 316 — InsightForge — JWT Secret Leak to RCE via Command Injection

hackadvisor

Task: Express.js BI platform with a JWT secret hardcoded in client-side JS and an admin test-connection endpoint passing a hostname into a shell ping. Solution: leak the HS256 secret from /js/auth.js, forge an admin JWT, then OS command injection via the hostname field for RCE as root and read /root/flag.txt.

$ ls tags/ techniques/

command_injection ping rce jwt nodejs information_disclosure hs256 privilege_escalation hardcoded_secret alpine_linux express_js jwt_forgery decoy_flags client_side_secret_leak

decoy_flag_identificationshell_metacharacter_injectionjwt_forgery_hs256jwt_secret_leak_in_client_jsadmin_role_privilege_escalationos_command_injection_via_hostnamerce_as_root

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE— hackadvisor
[web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
[web][Pro]Lab 114 — APIForge — JWT JKU Header Injection for Privilege Escalation— hackadvisor
[web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor
[web][Pro]Lab 252 — BuildForge — RCE via npm Lifecycle Script Injection— hackadvisor