JWT Secrets

cryptohack

Task: a CryptoHack JWT challenge issues and verifies HS256 tokens, with the flag gated behind admin:true; source comment hints the secret is the PyJWT readme example key. Solution: guess the default HS256 secret 'secret', forge a token with admin:true, and submit it to the authorise endpoint to recover the flag.

jwt token_forgery hs256 default_credentials privilege_escalation pyjwt weak_secret hmac_sha256

jwt_forgeryadmin_privilege_escalationweak_secret_guessinghs256_resign

$ ls tags/ techniques/

jwt token_forgery hs256 default_credentials privilege_escalation pyjwt weak_secret hmac_sha256

jwt_forgeryadmin_privilege_escalationweak_secret_guessinghs256_resign

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]JSON in JSON— cryptohack
[web][Pro]RSA or HMAC?— cryptohack
[web][Pro]No Way JOSE— cryptohack
[web][Pro]Разминка с JWT (JWT Warmup)— hackerlab
[web][free]OpenSecret— hackthebox