NuLL_Br3aker_2020 CTF Writeup


Hi folks, we recently participated in the NuLL_Br3aker_2020 CTF, which was a jeopardy-style CTF. This is a walkthrough of simple web challenges from the Null breaker CTF; we are the ones who solved all the web category challenges. I came across one of the web challenges, JWT, 150 points (btw it is simple :-p). I would like to share my way of completing the challenge.


The challenge was named Json Web Tok3n. They gave a URL to start the challenge, and on accessing it through the browser, I got this


I was like, what the heck is this?? I slowly accessed all the API endpoints through the browser. The three URLs were:

https://web-challenge-0x01.herokuapp.com/api/auth
https://web-challenge-0x01.herokuapp.com/api/notes
https://web-challenge-0x01.herokuapp.com/api/verify

When I accessed https://web-challenge-0x01.herokuapp.com/api/auth, this was the response

OK cool, I proceeded with the other endpoints (api/notes), and below was the response


and /api/verify


OK, the goal is that we have to generate a JWT token to authorize and view /api/notes. So how can I find it?? It's pretty simple: I quickly fired up Burp Suite, intercepted the same request (/api/urls) using the proxy, sent the GET request to Repeater and checked the API response. Below is the response that appeared


I tried changing the endpoint URLs from Burp Suite, and all I got was 401 Unauthorized and "JSON Web token is null". So how can I generate a JWT token to proceed with the challenge? It was pretty simple: just change the GET method to the POST method on the /api/auth endpoint, and you will get a good-looking JWT token


So I quickly added an extra header named authorization : bearer on the /api/notes endpoint and sent the request, and all I got was Not Authorized. Here I came to know that we need to generate a JWT token having an admin role instead of a user role. I headed over to the jwt.io site to check it out. There we can paste the token in and get information about its contents pretty easily. Here we see that we can't validate the signature; this is expected because we don't have the correct secret.


We find, as expected, that the token has also expired. So the first thing we think is that we need to brute force the secret so we can generate our own JWT token with a future expiration date. Using a jwtcrack tool I brute-forced the secret key; the key is qwerty


Awesome, we got the secret key. Now let's change the user from "dev" to "admin" and generate a new JWT token using jwt.io with a future expiration date (timestamp). I successfully created a token and added it to the GET request with the endpoint /api/notes


All we got was the cool flag: nbCTF{FuN_W1th_Json_web_T0K3N}

Finally, we finished at the top of the board.
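
Why knowing the secret was all it took, and what a verifier should enforce instead, shown as an added example that is not the challenge's code or part of the original writeup. It assumes the token is HS256 and uses "user" and "exp" as claim names; the clock value and the strong key are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Issue an HS256 token: header.claims.HMAC-SHA256(key, header.claims)."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = head + "." + b64u(json.dumps(claims).encode())
    return body + "." + b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token: str, key: bytes, now: float, min_key_bytes: int = 32) -> dict:
    """Return claims or raise ValueError; refuses keys under 32 bytes (RFC 7518, 3.2)."""
    if len(key) < min_key_bytes:
        raise ValueError("signing key too short for HS256")
    try:
        head, payload, sig = token.split(".")
        header, claims = json.loads(b64u_decode(head)), json.loads(b64u_decode(payload))
        got = b64u_decode(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("not JSON objects")
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, got):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired")
    return claims

# Constructed demo values; "user" and "exp" as claim names are assumptions.
WEAK_KEY, STRONG_KEY, NOW = b"qwerty", secrets.token_bytes(32), 1_600_000_000

def demo() -> dict:
    token = sign({"user": "admin", "exp": NOW + 3600}, WEAK_KEY)
    out = {"weak": verify(token, WEAK_KEY, NOW, min_key_bytes=0)["user"]}
    for name, key in (("key_policy", WEAK_KEY), ("strong", STRONG_KEY)):
        try:
            out[name] = verify(token, key, NOW)["user"]
        except ValueError as exc:
            out[name] = str(exc)
    return out
```

`demo()` shows the same admin token accepted by a service keyed with `qwerty`, refused outright once the key-length policy is on, and failing the signature check against a 256-bit random key.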


