
Browsing the site returns an error:
`{"Error":"Authorization header not found! Try to login with guest credentials."}`
Navigating to `/login` gives a different error, this time `Method Not Allowed`.
I captured the request in **BurpSuite**, changed the request method from **GET** to **POST** and supplied some "guest" credentials.

The server sends back a **JSON Web Token**:
```json
{"Token":"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjIxMDI4MzY2fQ.xqKZlUUHQRTRylg4-EtplinoqbCUpERoVdwXDUur0VHLeeAz1v5IOuekeDvsr3JczO4h6bsH2mN4-MWd9u4jOQ"}
```
Passing that token in the `Authorization` header of a **GET** request to the webroot `/` gives this response:
```json
{"Message":"Hi, guest! You are not admin, I have no secret for you."}
```
We need to forge the **JWT**. Unfortunately it's not vulnerable to the **Alg None Attack**, so we need to crack the secret key instead. The token header says the algorithm is **HS512**, and **John the Ripper** will do the cracking for us:
`john jwt.txt --wordlist=/rockyou.txt --format=HMAC-SHA512`

Now that we know the key, we can forge the token. I'm using a **BurpSuite** extension called **JSON Web Tokens**.

Change the **"username"** field to **"admin"**, click **Recalculate Signature** and paste in the secret key that john just found for us.
Send it off and get the flag!
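From the defender's side, the bug here is simply a guessable HMAC secret; everything else about the token (the server did pin HS512 rather than accepting `alg: none`) was fine. The stdlib-only verifier below is an added example, not the challenge's code or any library's API: it decodes the guest token from above to show what the header and payload actually contain, pins the algorithm server-side, compares signatures in constant time, enforces `exp`, and refuses to issue tokens with a secret shorter than the 64-byte SHA-512 output that RFC 7518 recommends as a minimum for HS512. The sample secret and claims used in the usage are constructed values.

```python
"""HS512 JWT issue/verify using only the standard library.
Added example; not the CTF target's code or any JWT library's API."""
import base64
import hashlib
import hmac
import json
import time

# Token the challenge server handed out (copied from the write-up above).
GUEST_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjIxMDI4MzY2fQ."
    "xqKZlUUHQRTRylg4-EtplinoqbCUpERoVdwXDUur0VHLeeAz1v5IOuekeDvsr3JczO4h6bsH2mN4-MWd9u4jOQ"
)

# HS512 = HMAC-SHA512, whose output is 64 bytes; RFC 7518 s3.2 says the key
# should be at least that long. A dictionary word is nowhere near that.
MIN_SECRET_LEN = 64


def b64url_decode(s):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def peek(token):
    """Decode header and payload WITHOUT verifying. Inspection only;
    nothing returned here may be used for an authorization decision."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs512(claims, secret):
    """Issue an HS512 token, refusing weak (short) secrets."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("HS512 secret must be at least %d bytes" % MIN_SECRET_LEN)
    header = b64url_encode(
        json.dumps({"typ": "JWT", "alg": "HS512"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header, payload)).encode()
    sig = hmac.new(secret, signing_input, hashlib.sha512).digest()
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))


def verify_hs512(token, secret, now=None):
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm on the server. Choosing the verifier from the
    # header's "alg" is what the alg:none trick exploits.
    if header.get("alg") != "HS512":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, ("%s.%s" % (h, p)).encode(), hashlib.sha512).digest()
    # Constant-time comparison; a plain == leaks timing information.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


if __name__ == "__main__":
    print(peek(GUEST_TOKEN))          # shows alg HS512 and the guest claims
    secret = b"\x00" * MIN_SECRET_LEN  # constructed placeholder; use os.urandom(64) for real
    tok = sign_hs512({"username": "guest", "exp": int(time.time()) + 600}, secret)
    print(verify_hs512(tok, secret))
```

`peek` is deliberately separate from `verify_hs512` so that a reader cannot confuse "I can read the claims" with "the claims are trustworthy"; the `username: admin` check in the challenge should only ever run on the dictionary returned by `verify_hs512`.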

---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #jwt #web
Related: