Hello flag catchers out there! I am starting my first CTF here and would like to make it available to you. I thought this would be fun, offer something to everyone and deepen our knowledge. If it works out, I will of course try to set up new challenges for you. Since these are baby steps, there is no ranking system or anything like that yet.
This CTF is all about JSON Web Tokens (JWT) and will show you real world examples of how they can be attacked. The target URL for each CTF is always https://ctf.collfuse.com, only the endpoint changes per stage. All flags are in the responses of the API you are attacking.
The tokens are provided in the scenarios where they are required. You can also obtain a token by sending a POST request to the following endpoint: https://ctf.collfuse.com/2023/05/token
If you need a hint anywhere or want to verify the flags, contact me on Twitter “@collfuse” or on Discord “collfuse#0771”.
Now hit the keyboard and press the mouse buttons, have fun!
JWT Attack – 25
For the first flag, I give you a token and an endpoint. Try to escalate to admin privileges on that endpoint.
eyJhbGciOiJIUzI1NiIsInR5cGUiOiJKV1QifQ.eyJhdXRoIjoiaHR0cHM6XC9cL2N0Zi5jb2xsZnVzZS5jb20iLCJpc3MiOiJodHRwczpcL1wvY3RmLmNvbGxmdXNlLmNvbVwvMjAyM1wvMDVcL3Rva2VuIiwiaWF0IjoiMTY4NDI1MjgwMCIsIm5iZiI6IjE2ODQyNTI4MDAiLCJleHAiOiIxNjg0MjU2NDAwIiwic3ViIjoiSldUIEF0dGFjayAtIENURiIsImZpcnN0bmFtZSI6IkpvaG5ueSIsImxhc3RuYW1lIjoiQXR0YWNrIiwiZW1haWwiOiJqb2hubnkuYXR0YWNrQGNvbGxmdXNlLmNvbSIsInRpZCI6IjZMT0syTU5HajU0a0J0dmlmbWxXIiwicm9sZXMiOlsidXNlciIsImhlbHBkZXNrIl19.YmVlYjA2YTgxNjk1MjI5YTZiMzhjZmY2MmQxYTdkMTdmOTQ5OTYzNDY0NjExZWQ0NTc2ZGE4MWYyODc1NDAxMQ
Endpoint: https://ctf.collfuse.com/2023/05/jwt_25
Method: POST
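Before sending anything to the endpoint, it is worth seeing what the stage-25 token actually says. The Python below is an added example, not part of the CTF or collfuse's own code: it splits the compact JWS from the token above and decodes header and claims without verifying them (inspection only), reports structural deviations from RFC 7515/7519 that a strict verifier would notice, and shows how a resource server should verify an HS256 token, pinning the algorithm and comparing tags in constant time. The key used in the round-trip helper is a constructed placeholder; the CTF's signing key is not known here.

```python
import base64
import hashlib
import hmac
import json

# Stage-25 token copied from the post (header.claims.signature).
STAGE_25_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cGUiOiJKV1QifQ."
    "eyJhdXRoIjoiaHR0cHM6XC9cL2N0Zi5jb2xsZnVzZS5jb20iLCJpc3MiOiJodHRwczpcL1wvY3RmLmNvbGxmdXNl"
    "LmNvbVwvMjAyM1wvMDVcL3Rva2VuIiwiaWF0IjoiMTY4NDI1MjgwMCIsIm5iZiI6IjE2ODQyNTI4MDAiLCJleHAi"
    "OiIxNjg0MjU2NDAwIiwic3ViIjoiSldUIEF0dGFjayAtIENURiIsImZpcnN0bmFtZSI6IkpvaG5ueSIsImxhc3Ru"
    "YW1lIjoiQXR0YWNrIiwiZW1haWwiOiJqb2hubnkuYXR0YWNrQGNvbGxmdXNlLmNvbSIsInRpZCI6IjZMT0syTU5H"
    "ajU0a0J0dmlmbWxXIiwicm9sZXMiOlsidXNlciIsImhlbHBkZXNrIl19."
    "YmVlYjA2YTgxNjk1MjI5YTZiMzhjZmY2MmQxYTdkMTdmOTQ5OTYzNDY0NjExZWQ0NTc2ZGE4MWYyODc1NDAxMQ"
)


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWS strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> dict:
    """Split a compact JWS into header, claims and raw signature WITHOUT verifying.

    This is for looking at a token, never for authorising anything: the claims
    are attacker-controlled text until the signature has been checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "claims": json.loads(b64url_decode(parts[1])),
        "signature": b64url_decode(parts[2]),
    }


def structural_findings(token: str) -> list[str]:
    """List deviations from RFC 7515/7519 that a strict verifier would flag."""
    parsed = decode_unverified(token)
    header, claims, sig = parsed["header"], parsed["claims"], parsed["signature"]
    findings = []
    if "typ" not in header:
        findings.append("header has no 'typ' parameter; keys present: " + ", ".join(sorted(header)))
    for name in ("iat", "nbf", "exp"):
        # RFC 7519 defines these as NumericDate, i.e. a JSON number, not a string.
        if name in claims and not isinstance(claims[name], (int, float)):
            findings.append(f"{name} is a {type(claims[name]).__name__}; NumericDate must be a number")
    if header.get("alg") == "HS256" and len(sig) != 32:
        findings.append(f"signature decodes to {len(sig)} bytes; an HS256 tag is 32 bytes")
    return findings


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify an HS256 token the way a resource server should.

    The algorithm is pinned server-side (the token's own 'alg' is not trusted to
    choose it), the tag is recomputed over the exact signed input, and the
    comparison is constant-time. Returns the claims only on success.
    """
    signing_input, _, sig_b64 = token.rpartition(".")
    header_b64, _, claims_b64 = signing_input.partition(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"alg {header.get('alg')!r} rejected; only HS256 is accepted here")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(claims_b64))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a well-formed HS256 token; used here only to exercise verify_hs256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"


if __name__ == "__main__":
    parsed = decode_unverified(STAGE_25_TOKEN)
    print("header:", parsed["header"])
    print("claims:", json.dumps(parsed["claims"], indent=2))
    for finding in structural_findings(STAGE_25_TOKEN):
        print("finding:", finding)
    # Constructed placeholder key, NOT the CTF's key: the verifier rejects the
    # stage token under it, and accepts only a token it minted itself.
    demo_key = b"constructed-demo-key-not-the-real-one"
    print("verified demo claims:", verify_hs256(mint_hs256({"sub": "demo"}, demo_key), demo_key))
```

The decoded claims show who the issuer believes the caller is (`roles` of `user` and `helpdesk`, a one-hour lifetime from `iat` to `exp`) and the findings list shows where the token departs from the RFCs, which is exactly the kind of thing a verifier must cope with without becoming lenient. The split between `decode_unverified` and `verify_hs256` is the design point: inspection code may peek at claims, authorisation code must only ever see claims that came out of the verifier.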
JWT Attack – 50
Since you already found the first flag, let’s up the difficulty a bit. The goal is the same, try to escalate to admin privileges on this endpoint, but there is an additional hurdle to overcome.
eyJhbGciOiJIUzI1NiIsInR5cGUiOiJKV1QifQ.eyJhdXRoIjoiaHR0cHM6XC9cL2N0Zi5jb2xsZnVzZS5jb20iLCJpc3MiOiJodHRwczpcL1wvY3RmLmNvbGxmdXNlLmNvbVwvMjAyM1wvMDVcL3Rva2VuIiwiaWF0IjoiMTY4NDI1MjgwMCIsIm5iZiI6IjE2ODQyNTI4MDAiLCJleHAiOiIxNjg0MjU2NDAwIiwic3ViIjoiSldUIEF0dGFjayAtIENURiIsImZpcnN0bmFtZSI6IkpvaG5ueSIsImxhc3RuYW1lIjoiQXR0YWNrIiwiZW1haWwiOiJqb2hubnkuYXR0YWNrQGNvbGxmdXNlLmNvbSIsInRpZCI6IjZMT0syTU5HajU0a0J0dmlmbWxXIiwicm9sZXMiOlsidXNlciIsImhlbHBkZXNrIl19.YmVlYjA2YTgxNjk1MjI5YTZiMzhjZmY2MmQxYTdkMTdmOTQ5OTYzNDY0NjExZWQ0NTc2ZGE4MWYyODc1NDAxMQ
Endpoint: https://ctf.collfuse.com/2023/05/jwt_50
Method: POST
JWT Attack – 75
You’ve made it this far, well done! So we’ll up the difficulty a bit. The goal is still the same – try to escalate to an administrator account on this endpoint, but this time you will have to jump through a few more hoops.
eyJhbGciOiJIUzI1NiIsInR5cGUiOiJKV1QifQ.eyJhdXRoIjoiaHR0cHM6XC9cL2N0Zi5jb2xsZnVzZS5jb20iLCJpc3MiOiJodHRwczpcL1wvY3RmLmNvbGxmdXNlLmNvbVwvMjAyM1wvMDVcL3Rva2VuIiwiaWF0IjoiMTY4NDI1MjgwMCIsIm5iZiI6IjE2ODQyNTI4MDAiLCJleHAiOiIxNjg0MjU2NDAwIiwic3ViIjoiSldUIEF0dGFjayAtIENURiIsImZpcnN0bmFtZSI6IkpvaG5ueSIsImxhc3RuYW1lIjoiQXR0YWNrIiwiZW1haWwiOiJqb2hubnkuYXR0YWNrQGNvbGxmdXNlLmNvbSIsInRpZCI6IjZMT0syTU5HajU0a0J0dmlmbWxXIiwicm9sZXMiOlsidXNlciIsImhlbHBkZXNrIl19.YmVlYjA2YTgxNjk1MjI5YTZiMzhjZmY2MmQxYTdkMTdmOTQ5OTYzNDY0NjExZWQ0NTc2ZGE4MWYyODc1NDAxMQ
Endpoint: https://ctf.collfuse.com/2023/05/jwt_75
Method: POST
JWT Attack – 150
Well done, my companion! If you’ve made it this far, are you ready for the ultimate challenge? I promise you, this one is not as easy as the others. As you can see from the score, this one will challenge you. However, the requirements are the same again: try to escalate to administrator privileges on this endpoint. This time you only get the endpoint from me, good luck!
Endpoint: https://ctf.collfuse.com/2023/05/jwt_150
Method: POST
I hope you enjoyed the CTF, please let me know if you find any bugs. If you want more of it, let me know. The contact channels are above.
Until then, keep capturing flags, I am out.