
Thursday is here and it’s time for more THM!
Today we will continue with the JWT Security module which we started yesterday.
We got to section 5 (Signature Validation Mistakes) task 3 which was throwing me off but we shall try to smash this out today.
We finally managed to complete question three with a lot of trial and error (CyberChef did not work as advised within the task), so I used https://base64.guru/standards/base64url/encode, which seemed to work no problem, which makes me wonder why the other didn’t..

Flag – THM{fb9341e4-5823-475f-ae50-4f9a1a4489ba}


eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIiLCJhZG1pbiI6MH0.yN1f3Rq8b26KEUYHCZbEwEk6LVzRYtbGzJMFIF8i5HY:secret


Flag – THM{e1679fef-df56-41cc-85e9-af1e0e12981b}





Flag – THM{f592dfe2-ec65-4514-a135-70ba358f22c4}


Flag – THM{a450ae48-7226-4633-a63d-38a625368669}









Flag – THM{f0d34fe1-2ba1-44d4-bae7-99bd555a4128}

Thank god that’s over, this module stressed me out. I’m still not 100% on JWT, however I feel I have a far greater understanding of how they now work, but still feel as if I should know more from the amount of time I spent on this one room. I also feel that the module has conflicting wording when it comes to describing some of the items within, for instance they use the word ‘claims’ for payloads, which is misleading, and various other wording within the room/module (kind of the way I use room/module interchangeably), but this is my blog and I’m not trying to teach the subject to anyone for a paid subscription pricing plan.. and this room is only 198 days old so yeh.

Now we move on to the OAuth Vulnerabilities room on THM!


















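from django.shortcuts import redirect

# Application is the OAuth client model; its import is not shown in the excerpt.

def oauth_login(request):
    app = Application.objects.get(name="CoffeeApp")
    # redirect_uri is read from the query string and passed on as-is
    redirect_uri = request.GET.get("redirect_uri", "http://bistro.thm:8000/oauthdemo/callback")
    authorization_url = (
        f"http://coffee.thm:8000/o/authorize/?client_id={app.client_id}&response_type=code&redirect_uri={redirect_uri}"
    )
    return redirect(authorization_url)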


import base64
import requests

# Body of the callback view: request and code come from the enclosing function (not shown).
token_url = "http://coffee.thm:8000/o/token/"
client_id = Application.objects.get(name="CoffeeApp").client_id
client_secret = Application.objects.get(name="CoffeeApp").client_secret
# redirect_uri is again read from the query string
redirect_uri = request.GET.get("redirect_uri", "http://bistro.thm:8000/oauthdemo/callback")
data = {
    "grant_type": "authorization_code",
    "code": code,
    "redirect_uri": redirect_uri,
    "client_id": client_id,
    "client_secret": client_secret,
}
# Client credentials are sent both in the form body and as HTTP Basic auth
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Authorization': f'Basic {base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()}',
}
# Exchange the authorization code for tokens
response = requests.post(token_url, data=data, headers=headers)
tokens = response.json()
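Both snippets above take redirect_uri straight from the query string. The sketch below is an added example, not code from the room or from the app: it shows how a client could pin redirect_uri to an exact-match allowlist and URL-encode the authorization request. The names REGISTERED_REDIRECT_URIS, is_registered_redirect and build_authorization_url are made up for illustration, and the allowlist assumes the default callback shown above is the only registered one.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Assumption: the only registered callback is the default used in the snippets above.
REGISTERED_REDIRECT_URIS = frozenset({"http://bistro.thm:8000/oauthdemo/callback"})
AUTHORIZE_ENDPOINT = "http://coffee.thm:8000/o/authorize/"
DEFAULT_REDIRECT_URI = "http://bistro.thm:8000/oauthdemo/callback"


def is_registered_redirect(candidate, registered=REGISTERED_REDIRECT_URIS):
    """Exact string match only: no prefix, suffix or substring comparison."""
    if not isinstance(candidate, str) or candidate not in registered:
        return False
    parts = urlsplit(candidate)
    # Defence in depth in case a sloppy entry ever lands in the allowlist:
    # no userinfo ("user@host") and no fragment in a callback URL.
    return (parts.scheme in ("http", "https")
            and parts.username is None
            and not parts.fragment)


def build_authorization_url(client_id, requested_redirect=None):
    """Return (url, state); raise ValueError for an unregistered redirect_uri."""
    redirect_uri = requested_redirect or DEFAULT_REDIRECT_URI
    if not is_registered_redirect(redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    # state ties the callback to this browser session; the caller stores it
    # server-side and compares it when the callback arrives.
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # urlencode escapes &, = and # in the value
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the room.
    for uri in (DEFAULT_REDIRECT_URI,
                "http://bistro.thm:8000.example.invalid/oauthdemo/callback",
                "http://bistro.thm:8000/oauthdemo/callback?next=x"):
        print(uri, "->", is_registered_redirect(uri))
```

In a Django view the ValueError would become an HTTP 400 response, and the same check would run again in the callback before the code is exchanged for tokens.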

http://coffee.thm:8000/accounts/login/?next=/o/authorize/%3Fclient_id%3Dzlurq9lseKqvHabNqOc2DkjChC000QJPQ0JvNoBt%26response_type%3Dcode%26redirect_uri%3Dhttp%3A//bistro.thm%3A8000/oauthdemo/callback












Flag – THM{GOT_THE_TOKEN007}









kwoy5pKgHOn0bJPNYuPdUL2du8aboMX1n9h9C0PN
Victim –













Flag – THM{TOKEN_HACKED}








Until next time & don’t sleepwalk through life!
Goodbye
