JSON Web Keys (JWK & JWT) - "Emergency" - HackTheBox Business CTF

Captions
Hey everybody, welcome back to another YouTube video. Still looking at Hack The Box Business CTF in the web category; this time we're moving on to the challenge called Emergency. It's going to be a lot of fun. So I have this Emergency challenge kind of visible here. You can see that the challenge prompts and information can be displayed clicking on this icon, and it says you've been tasked with pen testing and engagement, or with a pen testing engagement, on a hospital management portal, and they've provided you with a mock-up build of the website and ask you to break their JWT implementation and find a way to log in as admin. Ooh. So we kind of immediately have a tip as to what we might be doing: working with JWTs, or JSON Web Tokens. And if you are not familiar with those, we can go to Uncle Google, ask him if he knows what's up. And JWT, a JSON Web Token, is a compact, URL-safe means of representing claims to be transferred between two parties. It is a proposed internet standard for creating data with optional signature and/or optional encryption whose payloads hold JSON that asserts some number of claims. These tokens are either signed using a private secret or a public and private key. Okay, interesting. So we've showcased a couple challenges before, even with stuff that we bring out with like NahamCon CTF and HacktivityCon CTF, GrimmCon, et cetera. You can view the jwt.io website where you can kind of work and tinker with what might be included in a JWT based off of a given algorithm and all that. So now that we just have a little cursory introduction as to what we're looking at, we can go work with this challenge. The Emergency challenge is a deployable Docker instance. I have learned my lesson from the previous video and just fired it up already. Here is our website, the hospital that we're working with, hanging out with these guys like Grey's Anatomy over here. Let's register a user, seemingly, and I can just enter a username and password and log in. Apparently looks like it registered. Cool.

And it's been weird, I think, to like redirect me to a different location. Uh, but if we were to log in with that account we just created... oh okay, okay, thank you LastPass in Chrome, I appreciate everything. There's a lot of numbers going up there; you guys are making money. Look at this: this month's hunt, this year's income. Guys, we're in the wrong profession, we should be doing like brain surgery. "Log in as admin to see the flag here." Okay, okay. Um, is this me? I'm Dr. Robar Smith. Nice, Robar Smith, robbed in. Uh, let's check out the cookies, because this is where I would think we would be able to see the JWT token. It looks like there, I see one present already: "auth" has this value that is base64 encoded. I can see the eyJ syntax, which tells me, okay, base64 decoding this you kind of have what would start to look like a JSON, or JavaScript Object Notation. Uh, with that said, let's go spit this into jwt.io and see what's going on. Oh, so it explains this is a JWT with algorithm RS256, jku... oh, the JSON Web Key has a set URL to localhost, uh, so I'm assuming to that website itself, .well-known/jwks.json. Ah, the username, uh, payload is information here: the test account that we just created, iat, the issued at, exp, expiration time. Maybe we could mess with that a bit, but we don't know how this was signed, although we could determine it basically, at least some information, based off of that JWK, uh, JSON Web Key. So if you aren't familiar with that, we could Google "what's a JWK". Here's an RFC kind of describing it, a little bit more information out and about. Auth0 has a really, really good explanation. If you wanted to read through the RFC, you're totally more than welcome to; um, I think the Auth0 one does a great job of explaining things. A JSON Web Key Set, or JWKS, uh, contains information, or keys containing public keys, used to verify any JSON Web Token, or JWT. Nice. Typically you're using the algorithms RS256 and HS256; RS uses an asymmetric means, that there must be a private key used. Ah, and there certainly is. That's something maybe we could use, right? Auth0 exposes the JWKS endpoint for each tenant, which is found at your-domain/.well-known/jwks.json. Heck yeah, can we access that? Because that is totally what we saw in our own cookie and JSON Web Token. Let's try and access that. Yeah, okay, okay. So keys defined here: RS256, uh, value of e, value of n. So okay, public key, right? We're just obviously going to end up looking at the public key. Uh, could we change that? Could we, could we specify sort of our own JSON Web Key? Because normally, if you have a classic JWT challenge, oftentimes the structure and technique is, you know, decrypting or finding the password or key to be able to modify and change the payload and data. Um, but if we could supply our own JWT with our own JWK, our own set of keys, public and private keys, then we could maybe get a valid signature and just let the thing work. I think that is a road that we could go down. Um, I want to know if that is a valid technique. I'm sure you can do some research on this: "jwk attack vector", "attacks", "critical vulnerabilities", "attacking and securing", uh, "exploit". It's not really an exploit by any means. There's a lot of stuff explaining vulnerabilities in JWK, JSON Web Token. Oh, there's something on HackTricks, that's kind of handy. I just tried to encourage, uh, researching, right, as part of the video, so people know that's like a legit part of the process. Does anyone talk about JWKS? No. How about you, "jwk spoofing"? Yeah, yeah, yeah, HackTricks has got us: if the token uses a jku header claim, then check out the provided URL. This should point to a URL containing the JWKS file; the key set holds the public key for verifying the token. Tamper the token to point the jku value to a web service that you can monitor traffic for. You could do this with jwt_tool, that's a good example. You use kid... does this explain it more? No. Oh, here they generate... yeah, oh yeah, they have a little bit more stuff: you need to create a certificate with new private and public keys. Okay. Oh, do they just showcase like all of this? Me... well, we could generate our own public key, your private key, and maybe try this like in Python or something. "jwt python": they have PyJWT. I feel like I've used them before, like jwcrypto. jwcrypto docs, yeah, okay. So this has objects in here, and this is kind of what I ended up doing for solving this in real time: you have objects and representations for using a web key and a web token.

So let's sort of synthesize everything that we're seeing here. If we could generate our own private key, let's do that. I'll go ahead and cd HackTheBox Business CTF, we're in web, Emergency, um, let's make a directory for youtube and hop in there. Let's go ahead and generate our own key pair with openssl. There we go, okay, it shows the valid e that we would have expected. I'm going to view that here, we can open it up, but it's not going to be all that interesting to look at, right? Yeah, private key. So jwcrypto will actually let us go ahead and take a web key... like if you check out the examples as you're exploring this option, you can import a key from a PEM file, which is kind of why I want to go ahead and create that sort of thing. So let's try with a tinker script. I'll slap that in, and we don't need those arrows to prefix what we would have been doing if we were in regular Python. Ours is called keypair.pem. So now we have a key object representation if I were to actually go ahead and import this stuff. Uh, jwcrypto, uh, they have like their own subclasses and packages I think, so jwk and jwt... yeah, because that'll reference the object from there. How about that? Okay, there we go, theoretically we have a key. Now could we like export that sort of thing, make a public key from it? Oh, in fact exactly that: if you had a key object, you could then export it without a private key so you have a public key. Is that right, public key, does that work? Yeah, I suppose it does, with a given kid, kty, everything that should kind of match what we were looking at previously. Yeah, kty, um, I think that should work. Now if we were to make like the JWK key set, with an S there, we would basically have a dictionary, and we would kind of define the keys to equal a dictionary full of keys with our public key, right? Does that... should that be JSON though? Let's take that. Uh, "unhashable object"? Why, what is that going to be? Oh, oh, oh, because it shouldn't be a dictionary, it should be a list. To find out... there we go. Yeah, so now let's print out our JWKS to verify that we have those. Okay, now we have keys. Perfect. So that could act as our own jwks.json. In all reality we just basically recreated this with our own private key, uh, a public key now that we've generated from our own. So let's go ahead and create our own JWKS file then. Uh, we'll call it like handle, for h or whatever, and let's go ahead and write. So I want to make sure that's opened in write mode. I should have made this larger for you, I'm sorry. Let's go ahead and write the... what is that going to be? We took the json dumps, so let's... yeah, load will bring it into object format and dumps will bring it into string format, so let's dump that thing. Will that work? Yeah. So at that point I have a jwks.json. Perfect. That's our own private key that we've kind of created and defined. Now we need to make the JWT from that to pass that as our own cookie. So we've basically created the private key and the public key, and that public key is something that we'll host on our own server, or again a web server that we can control, because then if we specify in the URL field of this JWT, kind of as we saw in here as part of the cookie, then we could have it reach for whatever we really want, right? We could do that.

How can we craft a JSON Web Token? Checking out the documentation, you could scroll through kind of the API functionality here, but I think the examples might really work well for us. They have a key, they've exported it, and then they can create a new token and serialize it. Oh, just like that. Perfect. Um, can we just basically use that? The claim segment must be the actual data that we're working with. So let's define a token that uses this algorithm. Um, is the kid gonna be included? The kid... I know I call that a kid, but what we need, we need the jku to actually call back to us. So jku, and we'll set that actually to a web domain that I can control, so let's go to johnhammond.org, um, I guess like a temporary directory, because we'll slap that in, and jwks.json. So the claims here should be the payload that we want, so let's say username, right, would be admin. I don't exactly care about the iat and exp, but I guess I should. Let's, yeah, just for safety I suppose, let's add those in, but we can make the expiration date like crazy. This is ten characters, one two three four five five... I don't know why I didn't type that. There we go. Um, is that everything we need? What else did they do here? They make the signed key. Can I print that out at least? Can I like verify that that's a working token? Okay, oh, so it's signed now. Hello, hello, sorry, frantic Windows running around. It's not going to tell me why... what did that all work, what did that not work? Key... what should be our private key, should it not? Why would that not work? Does it need the kid? kid is, uh, the key ID. Can I showcase that anywhere? Yeah, let's just serialize. I want to, when I create... is that necessary? You can specify it with like your key and then the key ID, but that still fails. Oh, wait a second, that should be RS, not HS. Oh my gosh, okay, now we have the object. I'm sorry, I'm an idiot, because I was using the wrong algorithm. Then we serialize this thing and print that out, .serialize, that's all. Let's go ahead and print token.serialize, and we have this, which is our JWT. Now if I were to slap this into the webpage to view this stuff, will that work? Algorithm, jku, kid... do we need the type to be in there? I think I want to make this match as close as I can to the original, so they had typ, type, let's add that in. Try and parallel as much as you can. Uh, there we go. Yeah okay, that looks good I think, and then we would need to supply our own signature, but we could do that theoretically. Should we do it? We have our own jwks.json file now. Can I like pretty print this JSON? Validate... no, no, I don't have the plugin installed. We could word wrap this if we really wanted to, but it's not going to look all that good. So this is the syntax that will end up going into our website.

So let's go to a website that we can control that can be accessed externally out on the open internet. Realistically I should have private key set up for this, I know, it's okay, you don't have to tell me. Um, let's kill everything so I can just host on port 80, in case it does like weird stuff. I had the password wrong there, um, I realize it. I don't really consider this a production server by any means. Let's make a subdirectory for temp so that in the directory we can go ahead and like... no, no, we need to just add in the jwks.json file. Poop, slap that in. Now we can host that with a simple web server listening on port 80, and I should use Python 3 for that, and I of course need to be sudo to be able to do that. And oh, I didn't kill nginx, I killed Gunicorn, my reverse proxy wrapper, but I didn't kill nginx. What, uh, what is still running on 80? Hello. Oh, stupid. Okay, nginx, you just wouldn't... did I typo it earlier or something? I'm not going to freaking scroll through that anymore, whatever. Uh, let's check out johnhammond.org jwks.json. Why? ls temp... oh no, I need a stinking s in there. Do it again. Okay, now we have this, and that should theoretically match the same sort of idea as this. I don't have e... oh no, e is all represented in here, but it's different: it's not using the decimal version. kty is set, kid is set, use sig is not set. Um, let's make sure that we have that. Sorry, uh, what was that, what was that? n, that's in the pro... that's in the private. Should we just... we can just freaking set that. Let's nano our... whoa, sorry, made the screen size pretty small. No, I don't want to, I wanted our temp, temp, temps. What is happening? Stop the tab complete. Um, that is originally going to be in the innermost object, so use should be set to sig. Yeah, yeah, yeah, good enough. Let's, uh, let's play with it, I suppose. If I now were to take my private, my, my JWT token and then try and access that page with that being hosted, could I actually reach it? Uh, oh god dang it, just take me there. Oh, it was already on the page, I just lost my clipboard. Oh, I need to stinking register again. Well, I guess I don't need to really register if I have theoretically a valid key, valid token. So let's edit our cookie here. I'm using a cookie editor plugin, save this, Ctrl+Shift+R to refresh the page, and it died: "failed to establish a new connection, connection refused." Why? I literally just... oh god dang it, because the server wasn't running. Uh, let's try that again. "Algorithm type key error." Why did it not include the algorithm? Did it need the algorithm? And let's go back to .well-known, uh, jwks.json. This is kind of what this challenge was. Uh, okay, let's delete the cookie so we don't, uh, freaking keep dying. Oh yeah, it's nil, needed a friggin alg. Well, you know what, you know what, you know what, we should probably start to tinker with this on our own local thing rather than... so alg needs to be RS256, an actual RS, not HS like I previously erroneously typed. That should now work. And now let's nano our temp jwks, kill that, paste that in, run it again, and we should still have the same token because it's the same set of keys. Let's modify our cookie, which we should now have. Excuse me. Oh yeah, and let's register. So it's created, and it's the right stinking cookie or something. Hurry up, hurry up, this is prime time hacking, guys, I'm just kidding. Refresh the page: "invalid exponent or modulus." Why? It was literally 65535, uh, 65537 for our exponent, and n is going to be relative to that. Is it just because it's base64 or something? Like this, this is base64, is it not? Let me check. Let's do a little Python... python4, whoa, I just jumped into the future real quick.

Um, I don't know, why don't I do that, I just do it from the terminal: I echo that into base64 -d. 64, please, forgot the four that time. Uh oh, it's not gonna be printable. Gosh, uh, I needed base64, dude, I am falling apart. What, what's going on? Let's decode that. Please don't tell me it needs to be bytes. Okay, so you see this, these are the bytes: one zero zero zero one. Maybe it's a good thing I actually included, um, binascii. Let's slap that in. Yeah, so if that needs to be in decimal, can I just take that and make it base 16? That works. It's stupid, but again, I guess if we're in the mentality of making this as absolutely close to the original thing as we could. Why did this not have our alg saved? Oh, because it freaking rewrote it, stupid, because I had to rerun the script. Realistically I should have made these changes in the script to use that, but who cares. Uh, no, I needed that to get the n value. So the n value is still base64, but this is URL-safe base64; you can tell by the hyphens and the underscores. Normally you see a plus sign or a forward slash; since this is URL-safe, uh, we'll probably need to use a different decoding scheme. Yeah, yeah, can I use the urlsafe... no, it's urlsafe, then underscore, b64decode, just like that. Will that work? "Incorrect padding." Um, let's just play pretend, I'll add in other equal signs so the padding is fine. There we go, here's a decimal number, because that's what you needed, apparently, maybe, I hope. Um, um, that's gonna... this is stored on our server, so let's nano that. Oh my god, paste that in, start our server. Now we don't need to change the cookie because it's going to still access the same thing. Uh, we've got the JWT token cookie set. Oh, oh, oh, it did it, it did it, it did it, that worked. Okay, there's our flag. Wow, that was probably more painful than it needed to be. Uh, I guess we could have like messed around with like jwt_tool or something, but that's the flag, and that's how you could do this in Python.

Uh, if anyone's interested, you could use this jwcrypto library and kind of mess with this and make this kind of as much, uh, as I guess as fine-grained as you'd like. So the more you know, knowledge for next time, and a good learning into some decent documentation deep diving here for, uh, this library. Worth exploring what we're taking a look at, and I hope that was fun. Thanks so much for watching everybody, thanks for sticking with me. I know this was a bit of a longer one compared to the recent videos, but that had just a bit more to it, and it's kind of very cool to showcase some JWT or JWK stuff, and I hope getting a little bit of that Python flair in there, uh, is good. So thanks. You know what, we should probably fix the server. Let's, uh, I'm gonna just reboot so those like the regular web services come back online. I'm dumb, you shouldn't use your actual public website for CTFs, but, uh, whatever. Thanks so much for watching everybody, I really hope you enjoyed this video. If you did, please do those YouTube algorithm things, you know, if I could like, comment, subscribe, that would be super, super appreciated. If you'd like to support me, I have a Patreon and PayPal in the description. I'm so, so thankful for your generosity and your donation, your support. And that's it, thanks so much for watching this video everybody. We're going to finish up the web category in the next video, and then we'll move on to something else fun. So thanks again, I'll see you in the next video.
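The three things the walkthrough trips over on the server side are all visible in one short verifier: JWT segments and JWK `n`/`e` are unpadded URL-safe base64 (hence the "Incorrect padding" error), `n` and `e` are base64url-encoded big-endian integers rather than decimal strings (hence "invalid exponent or modulus"), and the reason the `jku` trick works at all is that the application follows whatever URL the untrusted header names. The example below is added here and is not code from the video or from the jwcrypto project; it uses only the Python standard library. It shows the defender's fix, pinning `jku` to the application's own `.well-known/jwks.json` before any key is fetched, and stops short of the RSA signature check itself, which a real verifier would perform with the returned `n`/`e` and a crypto library. The trusted URL, the `attacker.example` host, the placeholder modulus and the offline JWKS lookup are all constructed for the demonstration.

```python
import base64
import json

# Assumption: the application's own key set lives at this URL (the jku value the
# video saw in the original cookie). It is the only jku a verifier should follow.
TRUSTED_JKU = "http://localhost/.well-known/jwks.json"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded URL-safe base64, the form used by JWT segments and JWK n/e.
    Re-adding the '=' padding is what fixes the 'Incorrect padding' error."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_param_to_int(s: str) -> int:
    """JWK 'n' and 'e' are big-endian unsigned integers, base64url-encoded."""
    return int.from_bytes(b64url_decode(s), "big")


def int_to_jwk_param(value: int) -> str:
    """Inverse of jwk_param_to_int: 65537 becomes 'AQAB', not the string '65537'."""
    length = max(1, (value.bit_length() + 7) // 8)
    return b64url_encode(value.to_bytes(length, "big"))


def split_jwt(token: str):
    """Return (header, payload, signature_segment) without verifying anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return (json.loads(b64url_decode(parts[0])),
            json.loads(b64url_decode(parts[1])),
            parts[2])


def resolve_verification_key(header: dict, fetch_jwks) -> dict:
    """Pick the RSA public key a verifier may use for this token.

    fetch_jwks(url) returns a parsed JWKS document. The jku is only followed when
    it equals the pinned TRUSTED_JKU, so a token whose jku names another host is
    rejected before any request is made and its self-published key is never used.
    """
    if header.get("alg") != "RS256":
        return {"accepted": False, "reason": "alg is not RS256"}
    jku = header.get("jku")
    if jku != TRUSTED_JKU:
        return {"accepted": False, "reason": "jku not in allowlist: %r" % jku}
    for key in fetch_jwks(jku).get("keys", []):
        if key.get("kty") == "RSA" and key.get("kid") == header.get("kid"):
            return {"accepted": True, "reason": "ok",
                    "n": jwk_param_to_int(key["n"]), "e": jwk_param_to_int(key["e"])}
    return {"accepted": False, "reason": "no RSA key with kid %r" % header.get("kid")}


# ---- constructed sample data, not taken from the challenge --------------------
SERVER_KEY_N = (1 << 2047) + 12345  # placeholder modulus, not a real RSA key
SERVER_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "server-key",
                         "n": int_to_jwk_param(SERVER_KEY_N), "e": int_to_jwk_param(65537)}]}
ATTACKER_JKU = "http://attacker.example/temp/jwks.json"  # constructed, never fetched

# Offline stand-in for the HTTP fetch a real verifier performs; only the trusted
# URL is known, so any attempt to fetch another jku raises KeyError.
JWKS_BY_URL = {TRUSTED_JKU: SERVER_JWKS}


def fetch_jwks_offline(url: str) -> dict:
    return JWKS_BY_URL[url]


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build header.payload.signature with a dummy signature segment; this only
    exercises parsing and key selection, no RSA signing happens here."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([compact(header), compact(payload), b64url_encode(b"\x00" * 16)])


def check(token: str, fetch_jwks=fetch_jwks_offline) -> dict:
    header, payload, _sig = split_jwt(token)
    result = resolve_verification_key(header, fetch_jwks)
    result["username"] = payload.get("username")
    return result


GOOD = make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "server-key", "jku": TRUSTED_JKU},
                           {"username": "test", "iat": 1627500000, "exp": 9999999999})
SPOOFED = make_unsigned_token({"alg": "RS256", "typ": "JWT", "kid": "server-key", "jku": ATTACKER_JKU},
                              {"username": "admin", "iat": 1627500000, "exp": 9999999999})

if __name__ == "__main__":
    for name, tok in (("legitimate jku", GOOD), ("spoofed jku", SPOOFED)):
        r = check(tok)
        print(name, "->", "accepted" if r["accepted"] else "rejected: " + r["reason"])
```

The allowlist comparison is deliberately an exact string match on the full URL rather than a prefix or hostname check, since a loose comparison reintroduces the problem through look-alike hosts or path tricks; an equally sound alternative is to ignore `jku` entirely and load the key set from configuration, using the header only for `kid`.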
Info
Channel: John Hammond
Views: 65,565
Id: IlSe2o4ixAY
Length: 29min 9sec (1749 seconds)
Published: Thu Jul 29 2021