Description

BookShelf Pico, my premium online book-reading service. I believe that my website is super secure. I challenge you to prove me wrong by reading the ‘Flag’ book! Here are the credentials to get you started:

Username: “user”

Password: “user”

Solution

Before even looking at the source code let’s look through the website and see what we have to work with. Logging in with the provided credentials presents us with this page:

website

On the top right we see our current account’s privilege of Free. We also see the FLAG book which has the Admin tag. Presumably we must trick the website into thinking we are an admin, and thus letting us read the flag. After trying to read the flag book and analyzing the traffic we see the following:

network

In the request headers we see there is a Bearer authorization header followed by some token. In storage we can also see a cookie with a json and token:

Searching Bearer in the source files provided to us we find this code:

jwtService

From this we can see that the website is using jwtService which after some googling is revealed to be an encoded json token. In the JwtService class we see something intriguing:

secretKey

The secret key being used to sign the jwt tokens is being created by a different method called getServerSecret() from a different class. Looking at the getServerSecret() implementation we might be initially overwhelmed by all of the code, however upon further inspection the secret key is not so secret:

generateRandomString

As seen in the picture the getServerSecret() method returns newSecret, which is set to the return of the method called generateRandomString(32). Looking at that method we see that it always returns 1234. Boom, we now have the secret key used to sign the jwt token. Now we are ready to forge our token. Taking the token we found earlier and putting it into cyberchef we can decode it into the json:

jwtDecode