I mean, to be perfectly honest, this article started as a huge complaint in my head while I was working on solving the lab in question, but in the end it turned out I was in the wrong. So, here’s a different walkthrough compared to the community walkthroughs under the solutions of this lab. And, if you consider yourself not as smart at times when it seems that you ought to be which then leads into frustration/anger, just keep in mind to take some deep breaths to calm down and think things through. You’ll be surprised at how far you can get when taking things slowly, even when you’re sure that you have done it all correctly and you think that the solution is just this one little thing that you missed so you try and speed through looking for it. But, of course you can’t find it because it’s not just one little thing. What you do find is that you are even more angry because you’ve been mentally running through this maze, and you can’t find the cheese, but you can smell it, and that drives you crazy. Instead, just start slowly from the get go, and the smell of cheese won’t be spread evenly all over the maze confusing you in which direction to go. Which means, you’ll actually get to the cheese sooner while not losing your cool. I don't know why the maze and cheese metaphor, but there you go :)
The Clever Part
This made me feel crazy or dumb, or both during the later section — suggestion to use the proper tool instead of simplified version.
I mean, challenge accepted : ) It seemed at first to be just a different way to get to the same result. Spoiler — I was wrong.
The setup is pretty straightforward:
And then we get to the good part, as per lab’s solution it seems pretty self-explanatory:
And then we get to the other part, the part that made me upset:
I Should Have JWT and Base64 you say?
So, keep in mind that I’m not using the simplified version of the tool, but the “complex” jwt forger tool which provides a very complex looking output in comparison:
I’ll spare you the screenshots of me trying to encode various things into base64 and trying to Sign the tampered jwt session with it and failing, and then having to take some deep breaths to calm down.
Cut to:
RTFM
In this case, the solution was to either say, screw it and grab the simplified tool, or to read the page found on… oh, I don’t know, the github repo of the tool itself. Of two paths I chose the path less traveled and that made all the difference, as in I learned something new (:
So, how does that highlight solve my issue? Well, the line: BEGIN RSA PUBLIC KEY , it seems to be pretty obvious, as in it’s not a secret, there’s no guesswork involved, it’s practically same as a comment inside a code. Right? Wrong. It turns out, at least in this case, it does matter. And my attempts in getting the proper part of the output from the “complex” tool to work weren’t entirely wrong. I just didn’t fully follow the instructions. As in, the text that needs to be base64 encoded is actually generated by the “complex” tool as a x509.pem file. The entire thing to be encoded. But, in my infinite wisdom(stupidity more like it) I figured that I should just encode the text between the BEGIN PUBLIC KEY and END PUBLIC KEY and not those two lines as well. Which was WRONG.
And here’s how the simplified tool presents the output which does make it incredibly simple to use and solve the lab:
By the way, here’s how it is using the “complex” tool:
And then you just encode the WHOLE thing:
And this is what I got initially when I did it incorrectly which explains why it wasn’t working:
Putting It All Together
I’ll leave the rest to the reader. I mean, it’s all here by this point. The hard part is over, it’s all just using the tool/extension for burp which is available for community edition as well, and putting in the values derived from whichever tool you choose.
This is why sometimes you have to leave the ego at the door. And I have also learned that I have to look more into cryptography which is kinda ironic because I used to be really into it many years ago, before bug hunting, but couldn’t quite find a way how to apply all the theory into practical hacking. I guess now I know where to pick it up again in a way that I can actually use it, hopefully :)