L’Académie du détail
In this challenge, we arrive on a web page. A login page is available, and we can log in with any credentials we want (e.g. a:a). We now have a tab called Liste des membres that appears at the top:
But when we try to connect to it, we get this error:
We look around and we can see a cookie called access-token:
This cookie looks very much like a JWT. When we paste it into JWT.io, we can confirm that it is indeed a JWT:
We try a basic attack on JWTs, which consists of setting the alg attribute to none; if the server accepts it, this bypasses the signature check entirely. We set the username to admin and we have:
In case you are wondering, the header and payload of a JWT are only base64-encoded, so we can decode them and encode whatever we want. What we cannot do is forge the signature part, hence the choice of the none algorithm.
Pay attention to the case of none: None won't work if you try it with an upper-case N.
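To make the structure described above concrete from the server's side, here is an added example (not code from the challenge or from the writeup's author) that splits a JWT into its base64url-encoded header, payload and signature, and verifies it the way a server should: the accepted algorithm is pinned in an allowlist on the server, so a header claiming alg none (in any capitalisation) is rejected before the signature is even looked at, and the HMAC is compared in constant time. The secret, claims and token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed example secret; a real server keeps this out of source control.
SECRET = b"example-server-secret"
# The server decides which algorithms it accepts; the token's header does not.
ALLOWED_ALGS = {"HS256"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the form used inside a JWT."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Split a JWT and decode header and payload WITHOUT checking the signature.

    This is what a tool like JWT.io shows: the two JSON parts are plain
    base64url, so anyone holding the token can read and rewrite them.
    """
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a properly signed HS256 token (used here to produce a valid sample)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the token is acceptable, otherwise None.

    Order matters: the algorithm is checked against the server-side allowlist
    first, so 'none'/'None'/'NONE' and unknown algorithms never reach the
    signature step, and an empty signature can never be 'valid'.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    good = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"username": "a"}, SECRET)
    print("header/payload as anyone can read them:", decode_unverified(good))
    print("valid token accepted:", verify(good, SECRET))
    # Constructed token with alg 'none' and an empty signature, as in the writeup.
    forged = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + b64url_encode(b'{"username":"admin"}') + "."
    print("alg=none token accepted:", verify(forged, SECRET))
```

The vulnerable behaviour the challenge exploits is a verifier that reads alg from the header and, on none, skips the signature check; the fix is exactly the allowlist in verify, which ignores what the header asks for and only ever runs the one algorithm the server configured.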
We press CTRL+F5 to refresh the page and we get the flag:
The flag is 404CTF{JWT_M41_1MP13M3N73_=L35_Pr0813M35}