FetchTheFlag CTF 2023-Web-Jott

Jott - Easy

Description

Author: @HuskyHacks

Jott is the new hotness of productivity applications! Collaborate in real time, share notes, take notes, or don’t take notes! We’re not your manager. We’re not even a real company!

Go ahead and pentest the application and jott down whatever you find.

We’d like you to do a pretty thorough job, so we’ve outfitted you with a dev instance of the app. Please use these user level credentials to log in and perform an authenticated test.

Username - john_doe
Password - password123

We also gave you the dev-build of the app in the src directory for reference.

Press the Start button on the top-right to begin this challenge. Psst, Snyk can help solve this challenge! Try Snyk!

Connect with:
http://challenge.ctf.games:31399

Attachments: src.zip

Solution

  1. Log in with the credentials the challenge gives. [Jott]
  2. After logging in, I checked the site's cookies and found a JWT cookie:
    JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqb2huX2RvZSIsInJvbGUiOiJ1c2VyIn0.pNGsWOaNM05ak48_gkmNBuHjIHLQr6LP7G4hWeue_0k
  3. Decode the JWT cookie with https://jwt.io/:
    [Jott1]
  4. The payload section carries two claims, sub and role. To get the flag I have to change "role":"user" to "role":"admin", and to sign the new token I need the secret key. It is hard-coded in the source code as SECRET_KEY = "jott123!", and the dashboard route decides authorization from the role claim in the token:
    ```python
    from flask import Flask, redirect, render_template, request
    import jwt  # PyJWT

    # Context added so the route reads stand-alone; the real values live elsewhere in src.
    app = Flask(__name__)
    SECRET_KEY = "jott123!"   # hard-coded signing secret shipped with the source
    users_notes = {}          # per-user notes store (placeholder)

    @app.route('/dashboard')
    def dashboard():
        token = request.cookies.get('jwt')
        if not token:
            return redirect('/login')

        try:
            # Decoding the token
            decoded_token = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
            username = decoded_token.get("sub")
            user_notes = users_notes.get(username, [])
            # Authorization comes straight from the 'role' claim inside the cookie
            if decoded_token.get('role') == 'admin':
                # Read the content of 'flag.txt'
                with open('flag.txt', 'r') as file:
                    flag_content = file.read()
                return render_template('admin_dashboard.html', flag=flag_content)
            else:
                return render_template('user_dashboard.html', notes=user_notes)
        except jwt.ExpiredSignatureError:
            return redirect('/login')
        except jwt.InvalidTokenError:
            return redirect('/login')
    ```
  5. Change the JWT cookie to the new one: [Jott2]
    eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqb2huX2RvZSIsInJvbGUiOiJhZG1pbiJ9.MadImr4OZn1SHxbQMIs7PQ4OV7VBAFkDpIHuqv3am_c
    Done! [Jott3]
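As an added example (not code from the writeup or from the challenge's src), here is a stand-alone HS256 verifier written against the Python standard library rather than PyJWT. It shows the two fixes the dashboard route needs: the secret comes from the environment instead of a hard-coded `jott123!`, and the role is looked up server-side, so a forged `role` claim in the cookie carries no authority. The `JOTT_SECRET` variable, the `USER_ROLES` store and the `alice_admin` account are assumptions made for the example.

```python
import base64, hashlib, hmac, json, os
from typing import Optional

# Assumed: the secret is read from the environment; the fallback only exists so
# this constructed example runs stand-alone (never hard-code it as the app did).
SECRET_KEY = os.environ.get("JOTT_SECRET", "demo-only-secret-not-for-production").encode()

# Assumed server-side user store: roles live here, never in the token's claims.
USER_ROLES = {"john_doe": "user", "alice_admin": "admin"}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT using the same compact encoding jwt.io shows for the Jott cookie."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature checks out under a pinned HS256."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):  # malformed base64, JSON or structure
        return None

def effective_role(token: str) -> Optional[str]:
    """Authenticate the subject from the token; authorize from the server-side store."""
    claims = verify_hs256(token, SECRET_KEY)
    if not isinstance(claims, dict):
        return None
    return USER_ROLES.get(claims.get("sub"))  # a 'role' claim in the token is ignored
```

With this lookup in place, a token for john_doe that claims "role":"admin" still lands on the user dashboard, and a token signed with the wrong key is rejected before any claim is read.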

Flag: flag{c7cc7fa86330cff2c09cea0055289b7e}

This post is licensed under CC BY 4.0 by the author.