Brute-forcing secret keys
Brute-forcing secret keys using hashcat
Hashcat
Output format: <jwt>:<identified-secret>
If you run the command more than once, you need to include the --show flag to output the results.
Lab
This lab uses a JWT-based mechanism for handling sessions. It uses an extremely weak secret key to both sign and verify tokens. This can be easily brute-forced using a wordlist of common secrets.
To solve the lab, first brute-force the website's secret key. Once you've obtained this, use it to sign a modified session token that gives you access to the admin panel at /admin, then delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Steps
Getting the JWT Token
Install the JWT Editor extension in Burp Suite
Visit the website and log in with the username wiener and the password peter
Capture and copy the JWT
Brute-force the JWT's secret using Hashcat and John
Creating and Signing tokens using the secret key
Go to the JWT Editor tab
Click New Symmetric Key
Select the Specify secret option and enter the key as "secret1"
Click Generate, then OK
Now visit the /admin route and send the request to Repeater
In the payload section, change the sub value to administrator
Click Sign, then OK
Delete the user carlos
Copy the newly signed token
In the Proxy tab, replace the JWT in the intercepted request with the copied token, then forward the request
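As an added defender-side illustration (not code from this writeup or from the lab), the following Python models the server side of the lab: it signs and verifies HS256 tokens, pins the algorithm so the token header cannot pick a different one, and flags a signing secret that a common-secrets wordlist attack like the one above would recover. COMMON_SECRETS is a constructed stand-in for such a wordlist; the 32-byte minimum is the RFC 7518 requirement for HS256 keys.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: an HS256 key must be at least 256 bits (32 bytes)
MIN_HS256_SECRET_BYTES = 32

# constructed stand-in for a common-secrets wordlist (the lab's key "secret1" is in it)
COMMON_SECRETS = {b"secret", b"secret1", b"password", b"changeme", b"jwt_secret"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(payload: dict, secret: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def hs256_verify(token: str, secret: bytes):
    """Return the payload if the token carries a valid HS256 signature under secret, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # pin the algorithm: the token header never chooses how it is verified
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig_b64):
        return None
    return json.loads(b64url_decode(body_b64))

def secret_weakness(secret: bytes):
    """Reason the secret would fall to the wordlist attack the lab describes, or None if acceptable."""
    if secret in COMMON_SECRETS:
        return "secret appears in a common-secrets wordlist"
    if len(secret) < MIN_HS256_SECRET_BYTES:
        return f"secret is {len(secret)} bytes, below the 32-byte minimum for HS256"
    return None

def new_signing_secret() -> bytes:
    # what the lab's application should have used: 32 random bytes from the OS CSPRNG
    return secrets.token_bytes(MIN_HS256_SECRET_BYTES)
```

With the lab's key, a token whose sub is rewritten to administrator verifies just as the original does, which is exactly why the key-strength check has to fail "secret1" before it is ever deployed.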