Moar Horse 4

Web [80 pts]

After visiting the site, we are given the option to buy a horse and ‘race’ it. The goal of this challenge is to beat the boss horse by having a greater speed.

We are also given the source code for this challenge, which shows how speed is calculated as well as how our tokens are handled.

It looks like we need to find a horse name whose MD5 hash is greater than the boss horse's. We also notice that we are given a JWT which, when decoded, gives us:

An interesting piece is that they also give us the public key used to verify the JWT tokens.

There is a well-known vulnerability in JWT libraries that let the token pick its own algorithm. If the server verifies RS256 tokens with a public key, we can change the header's alg from RS256 to HS256 and sign the token with that public key as the HMAC secret. A vulnerable library then uses the same public key as the symmetric HMAC key and accepts our forged token. The catch is that the HMAC key has to be byte-for-byte what the server passes to its verifier (normally the PEM file contents, trailing newline included), so the key must be taken from the server's file exactly as it is.


Step 1

So, following the steps in the resource above, we change our payload to give us more money and modify our horse name:

openssl's HMAC mode takes the key as a hex string, so we convert the public key file to ASCII hex and use openssl to sign our JWT signing input (base64url header + ‘.’ + base64url payload):

The picture above is our raw HMAC signature; to use it as the third segment of the token it has to be base64url-encoded (without ‘=’ padding):

Using the new token with our modified payload, we see that it indeed worked:

Step 2

To obtain the flag, we need a horse name whose MD5 hash is greater than the boss horse's. So I created a short Python script to do this, using rockyou.txt:

After running the program, we see that a word has been found whose hash is greater than the boss horse's:
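A Python version of the Step 2 search, added here as an example rather than the author's own script (which the post shows only as a screenshot). It models speed as the MD5 digest read as a 128-bit integer, streams a wordlist the way the rockyou.txt run does, and additionally shows a counter-based brute force that needs no wordlist at all, since MD5 outputs are spread evenly and any string is a valid name. The boss horse's name and the wordlist path are placeholders, not values from the challenge.

```python
import hashlib
from typing import Iterable, Optional


def speed(name: str) -> int:
    """Assumed speed model: the MD5 digest of the name as a 128-bit integer.
    Comparing the 32-character lowercase hex digests as strings gives the same
    ordering, since all digests have equal length."""
    return int(hashlib.md5(name.encode("utf-8")).hexdigest(), 16)


def find_faster_name(boss_name: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose speed is strictly greater than the boss's, or None."""
    target = speed(boss_name)
    for name in candidates:
        if speed(name) > target:
            return name
    return None


def search_wordlist(path: str, boss_name: str) -> Optional[str]:
    """Stream a wordlist (e.g. rockyou.txt, which contains non-UTF-8 lines,
    hence errors='ignore') and stop at the first winning word."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return find_faster_name(boss_name, (line.rstrip("\r\n") for line in fh))


def brute_force(boss_name: str, prefix: str = "horse", limit: int = 1_000_000) -> Optional[str]:
    """Generalisation: try prefix0, prefix1, ... instead of a wordlist. Each try
    beats the boss with probability (2**128 - target) / 2**128, so even a boss
    whose digest starts with 'ff' falls within a few thousand attempts."""
    return find_faster_name(boss_name, (f"{prefix}{i}" for i in range(limit)))


if __name__ == "__main__":
    boss = "BossHorse"            # placeholder; the real boss name is in the challenge source
    print("boss speed:", hex(speed(boss)))
    print("wordlist hit:", search_wordlist("rockyou.txt", boss))  # path is an assumption
    print("brute-force hit:", brute_force(boss))
```

Because only the first winning name is needed, the search stops as soon as one digest exceeds the target; with a strict ‘greater than’ comparison a candidate equal to the boss's own name never wins.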

Step 3

We follow the same steps as in Step 1, changing the horse name in the JWT payload to ‘panchito00’.

Doing so gives us the flag when we submit the modified JWT:
