Step 1 – Explore Available Commands
Start by running the help command in the terminal to see what actions are available.
Step 2 – Log In as the Guest User
Use the provided login command to authenticate as the guest user. The server responds with an automatically generated JWT.
Step 3 – Decode the JWT
Head to jwt.io and paste the token into the decoder. Inspect the payload section — you'll see something like:
{
  "username": "guest",
  "role": "user"
}
Our role is user. To access the admin panel, we need to change this to Admin. However, we can't just edit the token — the signature will break unless we sign it with the correct secret key.
Step 4 – Brute-Force the Secret Key
Since JWTs signed with HS256 use a symmetric secret key, we can attempt to crack it using Hashcat with a wordlist:
hashcat -a 0 -m 16500 <your_jwt_token> <path_to_wordlist>
- -a 0 — dictionary attack mode
- -m 16500 — hash type for JWT (HS256)
The secret key is revealed: windows98
Step 5 – Forge a New Token
Now that we have the secret key, go back to jwt.io and:
- Edit the payload — change "role": "user" to "role": "Admin"
- Enter windows98 as the secret in the Verify Signature section
- Copy the newly signed token
Step 6 – Access the Admin Panel
Use the forged token to send a request to the protected admin endpoint:
GET /admin/panel -H 'Authorization: Bearer <forged_token>'
Flag
jctf{w1nd0ws98_1s_th3_b3st_0s_3v3r_937cn2}
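Seen from the server side, Steps 4 and 5 only work because the HS256 key was a dictionary word. The following is an added example, not part of the original write-up or the challenge's code: a stdlib-only issuer and verifier that refuses keys shorter than 32 bytes (the RFC 7518 minimum for HS256), pins the algorithm, and compares signatures in constant time. The function names and the constructed guest claims are assumptions for illustration.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

MIN_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 key must be at least 256 bits

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def key_is_acceptable(key: bytes) -> bool:
    """Startup check: a short key such as b'windows98' is within wordlist reach."""
    return len(key) >= MIN_KEY_BYTES

def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims: dict, key: bytes) -> str:
    if not key_is_acceptable(key):
        raise ValueError("HS256 key too short; use secrets.token_bytes(32)")
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url(_mac(f'{header}.{body}', key))}"

def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims for a valid HS256 token, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm instead of trusting the header
        expected = _mac(f"{header_b64}.{body_b64}", key)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # payload or signature was altered
        return json.loads(b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

def demo() -> dict:
    key = secrets.token_bytes(32)  # random key, not a guessable word
    token = issue_token({"username": "guest", "role": "user"}, key)  # constructed claims
    head, _, sig = token.split(".")
    # Payload edited as in Step 5, but without knowledge of the key.
    edited = b64url(json.dumps({"username": "guest", "role": "Admin"}).encode())
    return {
        "weak_key_accepted": key_is_acceptable(b"windows98"),
        "valid_claims": verify_token(token, key),
        "edited_claims": verify_token(f"{head}.{edited}.{sig}", key),
    }
```

With a random 256-bit key the dictionary attack in Step 4 has nothing to find, and the edited payload from Step 5 fails verification.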



