THE
WHITE
CIRCLE
web

LockTalk Writeup

Cyber Apocalypse 2024

Solved by : thewhiteh4t & Starry-lord

This challenge came with files and a docker instance.

deny if /api/v1/get_ticket

We can see the haproxy configuration is set to deny access to the /api/v1/get_ticket endpoint, and that the requirements for this webpage to work is an outdated python_jwt 3.3.3 library.

Enumeration!

When we visit the webpage, we are greeted with 3 possible endpoints making everything pretty clear for our next step. but we can’t get a token when we try it because of haproxy. But when we send the request to BurpSuite’s repeater tab, and modify the path, we can actually get a ticket.

bypass haproxy

With our ticket we can now try the other 2 endpoints and read some exchanges between a fake ransomware group named Openbit3.0 and some of their victims, as a reference to the recent Operation of the Cronos Taskforce related to the LockBit ransomware gang.

ransom chats

So it was time to look into that old python json web token library, and sure enough, there was an exploit to be found. This CVE from 2022 allows to send and claims we want by exploiting the way the json web token is parsed.

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user’s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39227

What a nice thing to read as a pentester, “there are no known workarounds”.

https://github.com/user0x1337/CVE-2022-39227

With the help of the given files we can determine that administrator is the required role to bypass all restrictions on the page.

roles: guest, administrator

With this knowledge in hand, we can now use the github proof of concept, as shown below.

claim we are admin

With the valid token we retrieved, and the correct role name, we can now craft a payload and send it to the /api/v1/flag endpoint.

HTB{h4Pr0Xy_n3v3r_D1s@pp01n4s}
Published on : 16 Mar 2024