CTFtime.org

The Devil Never Sleeps

by JustAnotherPenTester / cyberstudents

Tags: web jwt 

Rating:

Visiting the challenge site, it tells us
```
To get sleeping pills, navigate to /sleepingpill. To get the flag, navigate to /flag.
```

Visiting **/sleepingpill**, the following output is displayed
```
{"pill_key":"-----BEGIN PUBLIC KEY-----\nMIGsMA0GCSqGSIb3DQEBAQUAA4GaADCBlgKBjgD/////////////////////////\n/////////////////////////////////////////////////////////////3//\n///////////+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAECAwEAAQ==\n-----END PUBLIC KEY-----","sleeping_pill":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTYzMTE2MzA4NSwianRpIjoiNjk2ZDBkYWYtZDFlNy00YWFkLWE5ZGYtYTVjMjA2ZjZhOWM0IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldmlsIiwibmJmIjoxNjMxMTYzMDg1LCJleHAiOjE2MzExNjM5ODUsInNsZWVwIjoiZmFsc2UiLCJkYW5nZXIiOiJ0cnVlIn0.1XvVB3dpbiHyeEL10kzuTQDww_qm-KDcIrKl135H8QoiROoBnLuW4nbwD89Nq_WHG-S1SN5kB5zVUi6PoKIX7Bc2i0egIe6v4TIBGNo2qKytalU4rZg90keZmiG9qo625GqLjNKY_zl5Zr9SWvO9nutuAwnKd2EMUxEu5aVbq4xnf-wmKELaIFBewu1h"}
```

The decoded jwt payload is
```
{
"fresh":false,
"iat":1631163085,
"jti":"696d0daf-d1e7-4aad-a9df-a5c206f6a9c4",
"type":"access",
"sub":"devil",
"nbf":1631163085,
"exp":1631163985,
"sleep":"false",
"danger":"true"
}
```

To solve the challenge, simply change sleep to true and danger to false. But for the signature, the private key is needed.

For the signature, the response from **/sleepingpill** gives the public key.
```
-----BEGIN PUBLIC KEY-----
MIGsMA0GCSqGSIb3DQEBAQUAA4GaADCBlgKBjgD/////////////////////////
/////////////////////////////////////////////////////////////3//
///////////+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAECAwEAAQ==
-----END PUBLIC KEY-----
```

Using [RsaCtfTool](https://github.com/Ganapati/RsaCtfTool), get the private key.

```
python3 RsaCtfTool.py --publickey ./public.key --private

Private key :
-----BEGIN RSA PRIVATE KEY-----
MIICkAIBAAKBjgD/////////////////////////////////////////////////
/////////////////////////////////////3/////////////+AAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAECAwEAAQKBjSp/1YAqf9WAKn/VgCp/1YAqf9WAKn/VgCp/1YAqf9WA
Kn/VgCp/1YAqf9WAKn/VgCp/1YAqf9WAKn/VgCp/1YAqVVWqqlVVqqpVVaoAVf+q
AFX/qgBV/6oAVf+qAFX/qgBV/6oAVf+qAFX/qgBV/6oAVf+qAFX/qgBV/6oAVf+q
AFX/qgBV/6oAVf+qAQJCAf//////////////////////////////////////////
////////////////////////////////////////////Akx/////////////////
////////////////////////////////////////////////////////////////
////////////////////AkIBgIB/f4CAf3+AgH9/gIB/f4CAf3+AgH9/gIB/f4CA
f3+AgH9/gIB/f4CAf3+AgH9/gIB/f4CAf3+AgH9/gIB/f38CTFVVqqpVVaqqVVWq
qlVVqqpVVaqqVVWqqlVVqqpVVaqqVVWqqlVVqqpVVaqqVVWqqlVVqqpVVaqqVVWq
qlVVqqpVVaqqVVWqqlVVqqkCQRCEIQhCEIQhCEIQQhCEIQhCEIQhCEEIQhCEIQhC
EIQhBCEIQhCEIQhCEIQQhCEIQhCEIQhCEEIQhCEIQhCEIQhB
-----END RSA PRIVATE KEY-----
```

Use [JWT Debugger](https://jwt.io/#debugger-io) to decode the jwt, flip the values for sleep and danger, and sign it using the private key.

Copy the new jwt, and send it to flag using the header **Pill**.

```
curl -s http://194.5.207.57:8080/flag -H "Pill: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTYzMTE2MzUwOSwianRpIjoiODIzY2EyNmItN2Q3Yi00MjcwLWE5OGItMDgxMDU0NGMzODA2IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldmlsIiwibmJmIjoxNjMxMTYzNTA5LCJleHAiOjE2MzExNjQ0MDksInNsZWVwIjoidHJ1ZSIsImRhbmdlciI6ImZhbHNlIn0.nhJEFkZLdlBn4PqRD8EuxPlzDEyIZGVkD1Nx9pmof_tp67RXRb6ie4UCvmMttmi6LTYtBIARiCy1E_fvfTBneKzckez8eaQihMfpxir0L1Sqw0e5qiDVETCywqZ66NCyEslWkkGG5L2spx0eBuXUXgOgrM82xv9YT8dSvaEn6snLLQjHmn0yHOFcDFiY"

Congratulations! Here is the flag: TMUCTF{0h_51nn3rm4n_Wh3r3_Y0u_60nn4_Run_70?}
```

Comments