After register and login we will have a JWT, and we need to be admin to get the flag.
This is how JWT looks like:
At first, I found that I can replace jku to my own server, so I implemented a simple server to return the key. Unfortunately, it keeps return error which said that it can not find a suitable key. I stuck here for a long time and have no idea how to proceed.
Then, I noticed a very important part in the error message, part of jwk are included in the response. So I tried to change the JWT kid to another random string, here is the error message from server:
JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"kid":"HS2561","alg":"HS256"} from JWKs [org.jose4j.jwk.OctetSequenceJsonWebKey{kty=oct, kid=HS256, alg=HS256}] obtained from http://localhost:8080/secret): JsonWebSignature{"kid":"HS2561","alg":"HS256"}->eyJraWQiOiJIUzI1NjEiLCJhbGciOiJIUzI1NiJ9.eyJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvc2VjcmV0IiwiZXhwIjoxNjE3NTMwOTkyLCJqdGkiOiJCREFjSTZ1V0p5X0tvdmhTWnN6WW5nIiwiaWF0IjoxNjE2OTI2MTkyLCJuYmYiOjE2MTY5MjYwNzIsInN1YiI6ImV3ZWlvZmpld29pZiJ9.G_4j1QH9RoiSkv59rmZz0gtNFKPath-Bi8J4_dQmevo]
Great! Now we know the kty is oct, no wonder kty=RSA keeps throw error.
Now we know the correct kty so we can create our own jwk server:
JWT
Description
Writeup
After register and login we will have a JWT, and we need to be admin to get the flag.
This is how JWT looks like:
At first, I found that I can replace
jku
to my own server, so I implemented a simple server to return the key. Unfortunately, it keeps return error which said that it can not find a suitable key. I stuck here for a long time and have no idea how to proceed.Then, I noticed a very important part in the error message, part of jwk are included in the response. So I tried to change the JWT
kid
to another random string, here is the error message from server:Great! Now we know the kty is
oct
, no wonderkty=RSA
keeps throw error.Now we know the correct
kty
so we can create our own jwk server:We can sign a new JWT with
sub=admin
by using this secret key, and get the flag.reference: