NullCon HackIM 2018 web4 — The fast way?
The HackIM 2018/NullCon CTF just wrapped up. PentesterLab wrote 3 challenges for this CTF:
- “JWT V” (web4) worth 200 points
- “JWT VI” worth 400 points
- “CBC-MAC” worth 200 points
Few people complained about JWT V being too hard. More specifically there was too much guessing involved. This was a big surprised as this challenge seems pretty easy. And I also hate challenges with a lot of guessing, so I avoid creating them. Unfortunately, I only got to speak to few people at the end as I was travelling. Fortunately, this was enough for me to realise where the main problem lies: few people had a very slow feedback loop when trying to brute force
Disclaimer: The goal of this write-up is only to highlight the different ways to solve this specific challenge. A lot of people playing CTF are doing it to learn and it’s completely normal to struggle when trying to solve challenges. I thought this specific example was really interesting (especially since everything could be done without writing any code) and that’s why I decided to write about it.
This challenge was inspired by the hacker movie Sneakers.
The index page of the challenge looked like this:
And accessing the page was giving you this response:
Without the hints just looking for “Setec Astronomy” (text visible in the page) should have give people a good idea of what part was supposed to be guessed.
The following hints were available:
- a Youtube video:
- a Tweet:
The slow way
When discussing with people, I found out that few people were doing the following to solve this challenge:
- go to https://jwt.io
- paste the token provided
- change the token to set the username to admin
- change the secret
- modify the cookie in their browser
- reload the page
With this method to test another secret, you need to go through steps #4, #5 and #6. This is pretty slow and very time consuming. You need to change windows, copy/paste data around (always error-prone), wait for the server to respond (can takes time during a CTF if someone else is brute-forcing it)…
Obviously, some people were using variations of this (like using curl instead of their browsers).
The faster way
The interesting part here, is that the process to be way quicker isn’t that different:
- Go to https://jwt.io
- Paste the token provided
- Change the secret
- Check if the site displays signature verified
With this option, you only need to do step #3 and #4 to test another secret. Furthermore, the site does it automatically for you.
Once the site display “Signature verified”, you can go through the final steps (only once this time):
- Change the token to set the username to admin
- Modify the cookie in your browser
- Reload the page
I was also surprised that few people didn’t expect that the secret could contain spaces… Never make assumptions!
Obviously, writing code or using Hashcat would have been faster. You could also have used a tool written by one of PentesterLab PRO subscribers (https://github.com/ticarpi/jwt_tool).
When working on a CTF challenge, if you find yourself struggling too much on a challenge that is supposed to be easy, ask yourself:
I’m doing it the right way, or could I find an faster way?
If you can get a quick feedback loop when testing something, you will be way faster!