Line CTF - 2024
x2 Web
jalyboy-baby - Web

Page with a JWT; the objective is to log in as admin. The secret is 32 bytes, so it's not brute-forceable.
The none algorithm is supported, so just tamper the JWT with alg = none and sub = admin.


jalyboy-jalygirl - Web
Same as before, but this time we get a JWT signed with ES256: eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJndWVzdCJ9.B2Ox_SjK9HRgAq4Td6CxATVI2bQ1rNOXovjvG1uGdh6i4UZqe5zcn7fc2EEvs0ZOtON5SIeseO2DKjjtzruq2g
There's a vulnerability in some Java versions (15-18) in which the ECDSA signature is not properly validated; here is the post: https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
We can tamper with the signature while keeping the actual payload: eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJndWVzdCJ9.MAYCAQACAQA
We validate that we are still guest, so it's vulnerable.

Then we tamper it to admin, and that's it.
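
A defender-side check covering both challenges (added example, not part of the original writeup or the challenge code; `audit_jwt`, `parse_der_rs` and the finding strings are made-up names). It flags alg = none tokens and ES256 signatures whose r or s falls outside [1, n-1], whether the signature is sent as raw R||S or as DER:

```python
import base64
import json

# Order n of the P-256 group used by ES256; a valid signature has r, s in [1, n-1].
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def b64url_decode(segment):
    # JWT segments are base64url with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_der_rs(sig):
    """Parse a short-form DER SEQUENCE of two INTEGERs; return (r, s) or None."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        return None
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            return None
        length, start = sig[pos + 1], pos + 2
        if not 1 <= length <= 0x7F or start + length > len(sig):
            return None
        values.append(int.from_bytes(sig[start:start + length], "big"))
        pos = start + length
    return tuple(values) if pos == len(sig) else None

def audit_jwt(token):
    """Return a list of findings for one compact JWT (empty list = nothing flagged)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        alg = str(json.loads(b64url_decode(parts[0])).get("alg", ""))
        sig = b64url_decode(parts[2])
    except (ValueError, AttributeError):
        return ["malformed: header or signature does not decode"]
    if alg.lower() == "none":
        return ["alg=none: token carries no signature"]
    findings = []
    if alg == "ES256":
        if len(sig) == 64:  # JOSE form (RFC 7518): 32-byte R followed by 32-byte S
            r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
        else:
            rs = parse_der_rs(sig)
            if rs is None:
                return ["ES256 signature is neither 64-byte R||S nor DER"]
            findings.append("ES256 signature is DER, not the 64-byte R||S of RFC 7518")
            r, s = rs
        if not (1 <= r < P256_N and 1 <= s < P256_N):
            findings.append("ES256 r or s outside [1, n-1]")
    return findings
```

Run over the two ES256 tokens above, `audit_jwt` returns an empty list for the original one and two findings for the one ending in MAYCAQACAQA, whose signature decodes to a DER sequence with r = 0 and s = 0.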

