Web [80 pts]
After visiting the site, we are given an option to buy a horse and ‘race’. The goal of this challenge is to beat the boss horse by having greater speed.
We are also given the source code for this challenge, which shows how speed is calculated as well as how our tokens are handled.
It looks like we need to find a horse name whose MD5 hash is greater than the boss horse's. We also notice that we are given a JWT which, when decoded, gives us:
An interesting piece they also give us is the public key used for verifying JWT tokens.
There is a well-known vulnerability in RS256 JWT verification when the public key is available: if the verifier honours the token's `alg` header and reuses the same key material for every algorithm, we can change RS256 -> HS256, use the public key as the HMAC secret to generate a new signature, and have the token verified symmetrically.
Step 1
So, trying out the steps in the above resource, we change our payload to give us more money and a modified horse name:
We convert the public key to ASCII hex and use openssl to sign our JWT (header + payload):
The picture above is our HMAC signature; we need to turn this back into ASCII hex to use in our token:
Using the new token with our modified payload, we do see that it indeed worked:
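As a defender-side companion to the RS256 -> HS256 confusion used above, here is an added example (not from the original writeup) in stdlib Python: it flags tokens whose `alg` header disagrees with the server's configured RS256, and detects the tell-tale case where the signature is an HMAC keyed with the published public key. The PEM text and the sample tokens are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
# Constructed placeholder for the RSA public key a service publishes for RS256; only its bytes matter here.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"

def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def hs256_token(payload: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used only to construct test vectors for the checks below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + b"." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + _b64url(sig)).decode()

def alg_mismatch(token: str, expected_alg: str = "RS256") -> bool:
    """Policy gate a hardened verifier runs before any crypto: the server picks the algorithm, not the token."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header.get("alg") != expected_alg

def signed_with_public_key(token: str, public_key_pem: bytes) -> bool:
    """True when the signature is an HMAC keyed with the published key: definitive RS256->HS256 confusion."""
    head, body, sig_part = token.split(".")
    signing_input = f"{head}.{body}".encode()
    presented = _b64url_decode(sig_part)
    # Forgers differ in whether they keep the PEM's trailing newline, so try the common byte forms.
    for secret in {public_key_pem, public_key_pem.strip(), public_key_pem.strip() + b"\n"}:
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, presented):
            return True
    return False

def classify(token: str, public_key_pem: bytes, expected_alg: str = "RS256") -> str:
    """Label one token; 'header-ok' still needs the real RSA signature check, which is out of scope here."""
    if signed_with_public_key(token, public_key_pem):
        return "pubkey-hmac-forgery"
    return "alg-mismatch" if alg_mismatch(token, expected_alg) else "header-ok"

# Constructed samples: the writeup's forgery (HS256 keyed with the PEM), an HS256 token under another secret, and an RS256-header token (dummy signature).
SAMPLE_TOKENS = [
    hs256_token({"money": 10**9, "horse": "Sea Biscuit"}, PUBLIC_KEY_PEM.strip()),
    hs256_token({"money": 100}, b"unrelated-secret"),
    ".".join(_b64url(p).decode() for p in (b'{"alg":"RS256","typ":"JWT"}', b'{"money":100}', b"dummy")),
]
```

Running `classify` over tokens pulled from access logs separates outright public-key forgeries from plain algorithm mismatches; the fix on the server side is to pin the algorithm and key type before any signature check, which is exactly what `alg_mismatch` enforces.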
Step 2
To obtain the flag, we need to find an MD5 hash that is greater than the boss horse's. So I wrote a short Python script that does this using rockyou.txt:
After running our program, we see that a word has been found whose MD5 hash is greater than the boss horse's: