Authentication Bypass via JWT algorithm manipulation to SSTI RCE
Enumeration
The challenge consisted of reaching RCE through web vulnerabilities.
First I see this website:
Then I registered a user:
Authentication Bypass via JWT algorithm manipulation
Checking the user's session, I see two JWT cookies, "session" and "token".
I could only decode "token", so I got:
The clever option here is to change the user's role to something like "admin", but the signature stops me from modifying the JWT. Trying to bypass the signature by setting the signing algorithm to none, I got a modified JWT that the server still accepted as valid:
So I bypassed the admin panel.
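To make the bypass concrete from the defender's side, here is an added example (not code from the challenge or the write-up) that reproduces the "alg: none" token as a test vector and contrasts a verifier that trusts the header's algorithm with one that pins HS256 server-side. The key, user and role values are constructed; the challenge's real secret and claims are unknown.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; the challenge's real signing key is not known from the write-up.
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    # Issue a token the way the server would: HMAC-SHA256 over "header.payload".
    signing_input = f"{encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def alg_none_token(token: str, **changes) -> str:
    # Test vector for the write-up's trick: alg set to "none", claims edited, signature dropped.
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{encode_part({'alg': 'none', 'typ': 'JWT'})}.{encode_part(payload)}."


def verify_naive(token: str, key: bytes):
    # Vulnerable pattern: the algorithm is taken from the attacker-controlled header.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))  # unsigned token accepted as-is
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(payload_b64)) if hmac.compare_digest(expected, b64url_decode(sig_b64)) else None


def verify_hardened(token: str, key: bytes):
    # Fix: pin the expected algorithm server-side and check the MAC before trusting any claim.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":  # allowlist of one
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))
```

The same allowlist check is what rejects the related "RS256 public key used as HMAC secret" confusion, since the server decides the algorithm rather than the token.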
SSTI RCE
Then, analyzing the admin panel, I found a profile page where you can modify some options. The option to change the name is very interesting because it is reflected above. That leaves two interesting options: XSS or SSTI. Because I needed RCE without any other user's interaction, I tried SSTI. Many payloads later, I found that Jinja2 payloads are valid: