Secrets

Scenario

You’re a senior cyber security engineer and during your shift, we have intercepted/noticed high privilege actions from an unknown source that could be identified as malicious. We have got you the ticket that made these actions.

You are the one who created the secret for these tickets. Please fix this and submit the low privilege ticket so we can make sure that you deserve this position.

Here is the ticket:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmbGFnIjoiQlRMe180X0V5ZXN9IiwiaWF0Ijo5MDAwMDAwMCwibmFtZSI6IkdyZWF0RXhwIiwiYWRtaW4iOnRydWV9.jbkZHll_W17BOALT95JQ17glHBj9nY-oWhT1uiahtv8

Solution

The format of the token is clearly a JWT. The first part is the header, the second part is the payload, and the third part is the signature. The header and payload are only base64url-encoded, not encrypted, so no secret is needed to read them; only the signature depends on the secret. To get the data, we can use jwt.io to decode the token:

{
  "flag": "BTL{_4_Eyes}",
  "iat": 90000000,
  "name": "GreatExp",
  "admin": true
}
  1. Can you identify the name of the token? (Format: String) (2 points)

    Answer: JWT

  2. What is the structure of this token? (Format: Section.Section.Section) (2 points)

    Answer: Header.Payload.Signature

  3. What is the hint you found from this token? (Format: String) (2 points)

    Answer: _4_Eyes

  4. What is the Secret? (Format: String) (2 points)

    We can attempt to brute force the secret, since the token uses HS256, a symmetric HMAC whose security rests entirely on the strength of the shared secret:

    $ npm install --global jwt-cracker
    $ jwt-cracker "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmbGFnIjoiQlRMe180X0V5ZXN9IiwiaWF0Ijo5MDAwMDAwMCwibmFtZSI6IkdyZWF0RXhwIiwiYWRtaW4iOnRydWV9.jbkZHll_W17BOALT95JQ17glHBj9nY-oWhT1uiahtv8"

    # IDEA:
    $ hashcat -a 3 -m 16500

    I ran this for quite some time and it didn't find anything, so we have to pick another avenue of approach.

    I read somewhere that _4_Eyes is actually a site user that contains useful information...

    I tried searching for inurl:_4_Eyes to look for users, but the only hit was porn. When I searched for "_4_Eyes", there was one site claiming to have the answer, but we don't cheat!

    Then I looked up "Eyes" on the BTLO Leaderboard to see if that was a site user, and there is someone with the username FourEyes. Unfortunately they are a new user as of May 2023, and the challenge is much older, so that isn't relevant.

    Answer: ``

  5. Can you generate a new verified signature ticket with a low privilege? (Format: String.String.String) (2 points)

    Answer: ``
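As an added example (not part of this write-up), the Python below implements what questions 2 through 5 rely on: splitting the token into Header.Payload.Signature, computing and verifying the HS256 HMAC, and re-issuing the claims with admin set to false. The secret is still unknown, so the demo signs with a constructed placeholder secret; the real low-privilege ticket would need the challenge's actual secret in its place.

```python
import base64
import hashlib
import hmac
import json

# The ticket from the challenge text above.
CHALLENGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJmbGFnIjoiQlRMe180X0V5ZXN9IiwiaWF0Ijo5MDAwMDAwMCwibmFtZSI6IkdyZWF0RXhwIiwiYWRtaW4iOnRydWV9."
    "jbkZHll_W17BOALT95JQ17glHBj9nY-oWhT1uiahtv8"
)

def b64url_decode(part: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt(token: str):
    """Split Header.Payload.Signature and parse the two JSON parts (no verification)."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            signature_b64)

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256 token: HMAC-SHA256 over 'header.payload' keyed with the shared secret."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the MAC over the first two segments and compare in constant time."""
    signing_input, _, signature_b64 = token.rpartition(".")
    header = json.loads(b64url_decode(signing_input.split(".")[0]))
    if header.get("alg") != "HS256":
        return False  # the token must not be allowed to pick a different algorithm
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))

def mint_low_privilege(token: str, secret: bytes) -> str:
    """Re-issue the same claims with admin=false, signed with the known secret."""
    header, payload, _ = decode_jwt(token)
    return sign_hs256(header, dict(payload, admin=False), secret)

# Constructed placeholder; the challenge's real secret is not known here.
DEMO_SECRET = b"constructed-demo-secret"
```

Because the header and payload are re-encoded as compact JSON in their original key order, `sign_hs256` reproduces the challenge token's first two segments exactly; only the signature changes with the secret.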


Tags

  1. jwt (Private)
  2. easy (Private)
  3. 10 points (Private)