JWT Key Confusion & Nunjucks SSTI - "Naughty or Nice" [Day 5: HackTheBox Cyber Santa CTF]

Reddit Comments

Your video is very easy to understand (for me at least). You deserve a new subscriber.

👍 3 · u/BrownCurtain123 · Dec 10 2021
Captions
In this video we're going to take a look at the Naughty or Nice challenge from the recent Hack The Box Cyber Santa capture the flag competition. If you haven't seen already, I did videos for the first four days of the competition, so there was a challenge from each category released each day, but when it came to day five we only had like a quarter of the amount of time to solve the five challenges and the difficulty had been stepped up quite a bit, so I actually only got the web challenge finished before the competition ended. So that's what I'm gonna run through now, but I might do some of the other day five challenges as well, we'll see how it goes.

Anyway, the description for this one says: all the Santa's nice elves have been added to the naughty list by the wicked elves and Santa is mad. He asks you to hack into the admin account of the Naughty or Nice portal and retrieve the magic flag that will let Santa finally banish the evil elves from the North Pole. Again we've got some files to download here and we've got a service to connect to. I'm just going to go through this as I kind of solved the challenge, so I didn't jump straight into the source code, I went to play around with the functionality first of all to see if I could identify what area we need to focus on, and then whenever I got stuck I went and had a look through the code to try and see exactly what the vulnerability was. So yeah, let's go through it in that order.

Let's take a look at the site first of all. So in the center of our screen here we've got this card which, if we highlight it, has got a hand instead of a normal cursor, and if you click on that we can open up the nice list and the naughty list with a list of the elves' names in there. No other functionality there for the moment, but it's worth bearing in mind. We don't really need to look at the source code here because we've got access to the full source for the server side as well, so let's just go and try to log in. We've got this login form, enter a username and password, let's just try the usual admin:admin and we get "invalid username or password".

Let's try our standard kind of SQL injection then. So I'm just going to make this a bit more visible, get rid of that password type so it shows the data, and we can do something like OR, try that out, just to see if we've got an easy SQL injection. We don't. We could also go and try to see if there's some kind of blind SQLi here. We can take a copy of the POST request and go and put this in a file, new.request or you can call it whatever you want, we'll feed this into sqlmap, so we can pass in new.request, just hit yes for all the default options. I'm just going to try for various blind SQL injection types. It doesn't find anything on either of the two parameters there, so it says we could try some other things: we could try the tamper space2comment, or we could use a random user agent, or we could increase the level and the risk. I did try to increase the level I think and do the tamper space2comment, but there was no change anyway. So let's go and see what else we can do here.

We've got an option to create an account, so let's try to create an account. I normally just try to create one with admin. Note that as soon as I put admin there it came back with a red box, I don't know, okay, let's try it anyway, admin:admin, we try to create, we get "username already registered". It seemed like it was checking the username on the fly there, but maybe not, because whenever I put in another username it's still red. Alright, so we'll just do something else, just say admin1 instead, create the account and we'll try to log in, admin1 and admin. The reason I put that to admin1 rather than, like, CryptoCat or something like that is, depending, we don't know what the vulnerability is here yet, but there could be something whereby we only need... say if the username is encrypted into a cookie, if we just have one character that's different to the admin user there might be some kind of pad-busting attack or something you can do there. But we get in anyway. It says "access denied, you shall not pass" and the only option we have is to log out. Have a look at the source code and nothing of interest, but we can go and have a look at the source code in more detail in a second anyway.

Let's also see if it created a cookie, have a look at our storage here, and it did. It looks like a JSON web token so we can put that into Burp Suite, into the JSON web token converter. Oh, didn't get the whole thing. You can also take it to something like jwt.io as well, I'll actually just show that briefly. But you can see here it's showed us the headers, the algorithm that's being used, and then we can see the payload as well, so we've got a username, we've got a public key in here, and then I guess the initial access time or something, and then we've got the signature here. See here: "invalid signature, wrong key, claim failed". Let's go over to jwt.io as well, we can insert this here, same information. You can see it says invalid signature at the moment, so if we were going to try and update this to admin we would need to make sure we have the keys here in order to make sure it will be validated properly. We can't just change this to admin, base64 encode it again and expect it to work. But we can go and have a look and see what type of vulnerabilities exist.

Let's go to HackTricks, JWT, and you can see here then we've got a range of options down the right hand side of potential attacks we might be able to run on it. The first thing here is we've got this jwt_tool which is recommended as a tool which you can just kind of run various tests with to see what kind of vulnerabilities there might be with the JSON web token. You can also use it for tampering and stuff like that as well. You can see here: modifying without changing anything, we can try and change the algorithm, so for example change the algorithm to none instead of, I think it was RS256, so we could try and change it to none or we could try and change it to HS256 or something else. As you can see here, change the algorithm, and the reason for this being: the algorithm HS256 uses the secret key to sign and verify each message. RS256 uses a private key to sign a message and a public key for authentication. If you change from RS256 to HS256, the back end code uses the public key as a secret key and then uses the HS256 algorithm to verify the signature. Then, using a public key and changing RS256 to HS256, we could create a valid signature. So that sounds interesting just because we know that it is using RS256.

Let's go and check out this jwt_tool and see what we can do with it. You see it will test for a variety of known exploits, see the CVEs here, and this is kind of what was mentioned there, the swapping between the two algorithms, changing the algorithm to none, we can also potentially crack secret keys and stuff depending on the algorithm used. But let's download this and test it out, so we'll do git clone, make sure you've got all of these Python packages installed. We've got our usage here, we can also provide a URL so we can actually go and test URLs if they provide a JSON web token, for example. Common workflow: so it gives a suggestion of how to approach a challenge, so if you come across a challenge like this where you see a JSON web token, download this tool and just follow this: do some recon, do some scanning, if you find something do some exploitation, some fuzzing, some review, and you've got a general methodology that you can follow here.

Let's go and try this out. Let me take a copy of our JSON web token, let's go into jwt_tool, we've got our Python jwt_tool script to run, run that... okay, there we go, we get some options of how we can use it. We can give a URL as we mentioned before; in this case I'm just going to provide the JSON web token and just see what we get from doing that. So it comes back with the current values in the header and the payload and that's about it, didn't give us anything else. Let's have a look at the help menu again. Bringing up the help menu, we can use exploit, so -X, and then we can specify: do we want to try it with the none algorithm, do we want to try a null signature, do we want to try and spoof, want to do some key confusion, specify the public key with -pk. Okay, that's interesting. Let's try and run that with -X, I think -X a to run all, is it, or... oh no, that'll do alg none. Alright, let's try it with none anyway, -X a. Okay, so it gives us some different signatures here, now they all look like the same signature, but we'll go and try it anyway. Just going to update this in the cookie in your developer tools.

You can also just do it through Burp Suite as well, so if we go to our proxy tab here and select one of these requests, you see we have a lot of Firefox settings stuff attached here and then some stuff to Google APIs, GitHub, stuff that we're not going to be interested in for doing this challenge. By the way, you can just go ahead and select the challenge URL here, right click it and go add to scope, and then you can see a scope here going to target scope. Okay, want to change that slightly because it's considering the directory as a scope as well, let's just set the scope to be this URL. Let me remove that, I don't know why I have... oh, do not delete, okay, I'll not delete it. Alright, so we go back here, we've still got a lot of stuff in our HTTP history, if you want to get rid of that just click this filter and say show only in-scope items, apply, and now the only thing we're going to see is stuff that's going to and from this URL, so we don't want to see any HackTricks or GitHub or Hack The Box stuff, we're only going to see this challenge. Alright, and that means that whenever you are sending stuff here, there's a JSON web token here so you can intercept requests and just basically update the JSON web token here as well to test this out. For example, we have this GET /dashboard, so let's send that to our repeater, and then in the repeater we could just go and update our JSON web token here, so we'll grab this one, we'll replace this here, we'll send it off, and okay, we need to follow the redirection here, follow redirection, alright. You could right click this then open and browse, or request, show response in browser; I think by this stage it's probably better off just modifying it through the developer tools. Alright, just forget this. So the JSON web token didn't work anyway, it took us back to the login page and it actually deleted our token, so we could add a new token here, we can just add a token and just change this to session and we could put in our JSON web token. Actually let's put in our original one, so this is the unmodified one, refresh the page, okay, that didn't log us in. Alright, well that's fine, I'm gonna log in again, we don't really need to but okay. And next up we're gonna want to try some of these other attacks then, for example this one seemed to be of interest.

I am just going to go and have a quick look at the code here, not necessarily needed, but let's just go and try and understand a bit more what's going on in the background. This jwt_tool, I shouldn't really put that in the same directory. Let's have a look at our server code. We've got a build-docker script if we want to run this locally, we can do. Our flag is going to be here as well, so we know this is how we're going to try to retrieve our flag: it's going to be one directory up from our challenge. And if you have a look at our challenge, let's see if we've got anything, supervisor, no, okay. Have a look at the challenge, we've got a database.js here which is always interesting, we can see the username and password has been put in here of the admin, an admin password which we don't know, we've got elves being put into the nice or naughty, and we've got some functions here to register where the username and password will be put into the database. We've got a login where it's going to grab the username and password, so this is where we were testing for that SQL injection, although there was SQL injection on one of the earlier web challenges in this competition so it could be reused, but it's unlikely to see the same vulnerability come up again. And we've got get user and then list names, we're going to select all from nice or naughty, and then edit name as well. So select all from nice or naughty is probably back to our home page where we had the card filled with those elves, and then we also have this edit which I didn't see an option for.

Have a look at index.js here, nothing of interest, but note some of the things it's using here, so we've got Nunjucks, we've got cookie-parser, so maybe there's some vulnerabilities in some of these libraries. Let's go and have a look at our pages, we've got admin, we've got card, we've got dashboard, login, register, and settings, update account information, this isn't an option I've seen so far, and obviously the admin we're not going to be able to access. Let's go and have a look at the routes. Immediately notice that it's using these helpers, so we're going to take a look at those in a second, the JSON web token helper and the card helper. We can make a GET request on the home page which is gonna... we've got this card generator, we're gonna have a look at that in a second, but it's basically gonna print out all those naughty and nice elves on that card that we looked at. We've got a login, we've got a register which we've looked at, we've got a dashboard which is where we are at the moment, we've got this api elf list, note that if we try to call this, try to make a GET request, it says here if the username is not admin it's going to say response denied, so if we go and try and enter that, access denied, yep okay. So we need to be admin in order to get to the elf list and we also need to be admin in order to edit an elf, so we'll have a look at those in more detail later, because obviously we first need to make sure that we're admin before any of those functions are going to be of any interest. Although let's just go and have a quick look and see what this was doing here, the generate card. This is part of these helpers, we've got a JSON web token helper, we've got a card helper. The card helper is loading the elves in the elf list, printing out all the elves which are naughty or nice, then it's gonna create this card and it's calling resolve nunjucks.renderString, so this is interesting, we'll have a look at it later though, just bear that in mind.

And let's have a look at the JSON web token helper. Okay, so we can see here that for signing the JSON web tokens it's going to use the RS256 algorithm, and for verifying it has either algorithm specified, so it should be using RS256 for both of these, but for some reason they are saying that you can also use HS256, it will be accepted. So that vulnerability that we were looking at there sounds like it's quite plausible, because we know that our JSON web token, let's go back to Burp, has this public key in it, and it's telling us that using the public key and changing from RS256 to HS256 we could create a valid signature. So maybe we can do that and we can go and modify the username from admin1 to admin and swap the algorithm and use our public key to sign it and see if that'll give us admin access.

Okay, first things first, we're going to want to save that public key. So I don't still have jwt.io open, let's get it from Burp Suite, I think it was in a slightly better format, but this is fine as well. So okay, it's really not fine, alright, I'll copy it like this and then we'll just modify it a bit. So we're going to call this key.pub, paste this in here, and we want to just separate this out so we've only got the public key. We want to change these newlines into actual newlines, so I'm going to do Ctrl+H for find and replace, we'll replace newlines with newlines but I'm using the regex mode here so we just need to escape this backslash n here, you see it's now matched those, we'll hit replace all and we've got our key. One thing to mention: make sure you don't have a newline at the end here. I did have a newline whenever I was trying to solve this, because I know with SSH keys you quite often get some problems if there isn't a newline at the end. Alright, well that's created anyway.

So let's try and run python jwt_tool, let's grab our original token, and let me bring up the help again. So we're going to want to sign this, we're going to change the algorithm it's signed with, and it's telling us that we're going to want to specify a key. So we're going to be changing this to HS256, we'll try the HMAC, and we also want to tamper with it, so we want to go and modify the name. So let's try and run -S hs256, it's the signing algorithm we want to use, -k for key, public, oh it's not doing autocomplete with that, alright, key.pub, and then -T because we want to tamper. And we're at the header here, it's asking us do we want to update any of these header values, we do, we want to change the algorithm to HS256, hopefully it doesn't matter if it's case sensitive, I'm assuming it doesn't. Continue, the next step we've got our payload and we want to change the username from admin1 to admin, so we'll put in here admin, 0 to continue. It prints out our tampered token using HMAC signing, so we'll go back to the Naughty or Nice portal, we'll hit F12, we'll replace our session cookie and refresh the page, and we're taken through to this new dashboard which has a list of these elves showing that these ones are all naughty, and we finally have the option to edit them.

Okay, so now that we've got through this part we can go back to our code and have a look at this cardHelper.js. Remember I mentioned this Nunjucks and the renderString was interesting, and this is a type of vulnerability known as server-side template injection. Let's search here SSTI, get a list of payloads that we can test out here, you can see down the side there are various different languages, some of them are PHP, Python, Java, JavaScript. And in terms of the vulnerability here, PortSwigger's resources are always great for checking this stuff out, so you've got labs and you have kind of just guides and cheat sheets as well for like XSS and SQLi and stuff like that. So if you want to learn about SSTI in more detail go and read through this, there's no point me just reading through the whole thing, but in general a server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template which is then executed server-side. So let's go and have a look at some general syntax here. It will vary from language to language but quite often something like this will give you an idea, so depending how this comes back will depend what language is being used. So for example in some cases if you do like seven times and then the text seven, it'll come back with seven seven seven seven seven seven seven, and in other languages whenever you do that it'll come back with 49.

So this is normally one of the first things that I would try here, so we'll go and update the name to seven times seven, insert it inside these curly braces, but we don't get back anything. We're expecting this to execute and bring back 49, which it doesn't. So I was a little bit confused about this for a while and I had to go back and review the code at the time. If we go and have a look, is it the elf list? Okay, so I think this is what's being called at the moment, it's just calling elf list, let's have a look at the proxy, yeah, api elf list, so this is just calling get elf list, and note that whenever that's called it's not actually calling renderTemplate or renderString or whatever it's called. If you go back to our card helper, this is on the generate card, renderString, and this was the card that we saw at the beginning. So let's go and open up another page, and not the dashboard, let's go back to the home page, let's click on our card, and we've got this elf on the naughty list called 49. So the seven times seven that we've entered has been executed and it's brought back 49, so that's great, we know we've got code execution here.

What we want to do is go and find a payload specific to Nunjucks which is going to be able to either get us a shell or retrieve the flag or do something like that. So we'll just search here Nunjucks SSTI, you can search SSTI payloads, something like that, you'll find a couple of articles here specifically about Nunjucks. Actually, whenever I search this it's always funny how different the results I get with Google are. Let's go back to Google and we've got one from John Hammond there, so it was a previous Hack The Box challenge which had Nunjucks template injection, so we go and have a look at that. What I was specifically thinking about there was one of 0xdf's walkthroughs for a Hack The Box machine, let me try and grab it. So these walkthroughs for Hack The Box machines are, in my opinion, the best write-ups that you'll find. If you like watching videos for Hack The Box machines then you've got IppSec, if you like watching videos but you've got very little time then you've got xct, and if you like write-ups you've got 0xdf's, although 0xdf has been doing some YouTube videos recently as well which I'd recommend checking out, so some of the run code challenges and stuff which were less focused on security, more just general kind of programming, although I think there's been some security-style walkthroughs as well. But yeah, let's go and have a look and see what payload they used in this example. You can see they did the same thing, seven times seven is 49, and then they found an article, this post here, which is actually, yeah, this is the one that I already had up as well, so you can go and have a read through this and see how they put the payload together. I actually just grabbed it from 0xdf's guide.

So let's go and submit this as the name, let's try to reload this card, okay, need to refresh the page I guess, there we go. Alright, so the card is now showing and now has the /etc/passwd file being displayed, so that's great, we've got execution. Let's go and try and modify the command a little bit, so here we can say ls ./, we'll refresh the page again, we can see flag.txt is there, so one last time we can update our command and say cat, oh, missing a quote, cat ../flag.txt, refresh the page, oh, something went wrong, I've got too many quotes in there and it's in the wrong place as well, or is it, maybe that was a double quote there, double quote there, and then a single quote, try that again, better, and there we've got our flag. You can't see it very well so you might want to go to inspect element and then you can grab it from here, but that's this challenge solved.

A final reminder as well that there will be a live stream from Hack The Box on the 14th of December going through some of the challenges from the competition with lots of awesome creators, so definitely check that out. I'm not too sure if I'll do any more videos from this CTF but we'll see, and if you have any questions or comments leave them down below. Thanks!
Info
Channel: CryptoCat
Views: 875
Keywords: SSTI, Nunjucks, JWT, Json Web Token, key confusion, hs256, rs256, JWT tampering, cookie tampering, RCE, Cyber Santa, HackTheBox, Hack The Box, HTB, Capture The Flag, CTF, Web, pentesting, pen-test, bug bounty, hackerone, synack, burp suite, jwt_tool, JWT forge, web token attacks, injection, red team, ethical hacking, SQLMap, SQLi, vulnerability assessment, CVE, burp, code review, vulnerability, exploit, hacking, cracking, crypto, decode, MITM, phishing, learn, tutorial, john hammond, offsec, liveoverflow, vuln
Id: tV7C6HSrtm4
Length: 25min 23sec (1523 seconds)
Published: Fri Dec 10 2021