![a27d100cac3b2b079de126924af5342f.png](0674b50ed9ef47ebabc453ce715abf86.png)
Browsing to the site returns an error:
`{"Error":"Authorization header not found! Try to login with guest credentials."}`
Navigating to `/login` gives another error, this time `Method Not Allowed`.
I captured the request in **BurpSuite**, changed the request method from **GET** to **POST** and passed in some "guest" credentials.
![41c38e5e342ecaea02f7d5d8defbe893.png](44e4b8e1f9c24effb78b24cb322b35e1.png)
The server sends back a **JSON Web Token**.
```
{"Token":"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjIxMDI4MzY2fQ.xqKZlUUHQRTRylg4-EtplinoqbCUpERoVdwXDUur0VHLeeAz1v5IOuekeDvsr3JczO4h6bsH2mN4-MWd9u4jOQ"}
```
Passing that token in the `Authorization` header with a **GET** request to the webroot `/`
![9628a047f543ba62f8aeb54a36b92b3b.png](2f43568802f642aa8d3fea85259f6642.png)
We get this response back
```
{"Message":"Hi, guest! You are not admin, I have no secret for you."}
```
We need to forge the **JWT**. Unfortunately it's not vulnerable to the **Alg None Attack**, so we need to crack the secret key. **John the Ripper** will do that for us.
`john jwt.txt --wordlist=/rockyou.txt --format=HMAC-SHA512`
![03cfb49d800f4453352febc222e626ae.png](91d351060c284b129600d310897bc996.png)
Now that we know the key, we can forge the token. I'm using a **BurpSuite** extension called **JSON Web Tokens**
![efbe5e7219e2a9ec15345f2d2727d9f8.png](6dee81c77d954b1e91b1f6560d8e72a0.png)
Change the **"username"** field to **"admin"**, click **Recalculate Signature** and paste in the secret key that john just found for us.
Send it off and get the flag!
![fe90a42c9e9d8c887a362f651b0401ad.png](c05f752064f14768adf3009c8e19a7f2.png)
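As an added example (not part of the original writeup or the challenge's code), here is how an HS512 JWT like the one above is signed and verified using only Python's standard library. It shows why the whole scheme hinges on the secret: anyone who knows it can mint an admin token, so a server should use a random key of at least 64 bytes (the SHA-512 output size, as RFC 7518 requires for HS512) and refuse any other `alg`. The `GUEST_TOKEN` is the one from the writeup; the secret used in the test is constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Guest token captured in the writeup (header: {"typ":"JWT","alg":"HS512"},
# payload: {"username":"guest","exp":1621028366}).
GUEST_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
               "eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjIxMDI4MzY2fQ."
               "xqKZlUUHQRTRylg4-EtplinoqbCUpERoVdwXDUur0VHLeeAz1v5IOuekeDvsr3Jcz"
               "O4h6bsH2mN4-MWd9u4jOQ")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_unverified(token: str) -> tuple[dict, dict]:
    """Read header and claims without checking the signature (what Burp shows)."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs512(payload: dict, key: bytes) -> str:
    """Build header.payload and append HMAC-SHA512 over that signing input."""
    header = {"typ": "JWT", "alg": "HS512"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs512(token: str, key: bytes) -> bool:
    """Server-side check: pin the algorithm, then compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS512":
        return False  # rejects "none" and algorithm-confusion attempts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def key_is_strong(key: bytes) -> bool:
    """HS512 keys must be at least 512 bits (RFC 7518 section 3.2)."""
    return len(key) >= 64

def generate_key() -> bytes:
    """A key this long and this random is out of reach of a wordlist attack."""
    return secrets.token_bytes(64)
```

With a wordlist-sized secret, `verify_hs512` accepts whatever claims the holder of the secret chooses, which is exactly what the cracked key above allowed.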
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #jwt #web
Related: