At first, I was trying to add the header Authorization: Basic with "guest:guest" in base64, but I was still getting the same error. So it was a no-go. I also did some research on the response headers, but that wasn't the case here. Eventually, I thought maybe I could try to log in at /login? And then I tried to send a GET request to /login. Look at what I got:
GREAT! We have got a hit and some response back! So what if we send a different method like POST now?
AH, okay? Looks like it is asking for the params username and password. Oh right! Let's try to log in with guest, since that was what the first response said.
curl 'http://dctf1-chall-secure-api.westeurope.azurecontainer.io:8080/login' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-GPC: 1' -H 'Cache-Control: max-age=0, no-cache' -H 'Origin: http://dctf1-chall-secure-api.westeurope.azurecontainer.io:8080' -H 'Pragma: no-cache' --data-raw 'username=guest&password=guest'
The --data-raw part at the end is where we supply the guest creds.
We got something back!
{"Token":"Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjIxMTQ1OTQwfQ.dz3nLV-ZDCrlenNKYZeeys2mlACE_sxDvhkhL7pOkLg8IwVEB0EiQckc1-F8KVJ3kp14BxZJsBdhH0E6G3eR3Q"}
Now if you know Bearer, then you know it is used with the Authorization header. On further inspection of the token value, we can see that it is a JWT token, and from my previous experience I know that a weak JWT can be cracked.
In case you are wondering how JWT works.
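As an added example (not code from the original writeup), here is how to inspect the token returned above and how a server should verify an HS512 token: pinned algorithm, HMAC recomputed over header.payload, constant-time compare, and an exp check. The secret and claims passed to the minting helper are constructed demo values, not anything from the challenge.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The guest token exactly as /login returned it in the writeup above.
GUEST_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9."
    "eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjIxMTQ1OTQwfQ."
    "dz3nLV-ZDCrlenNKYZeeys2mlACE_sxDvhkhL7pOkLg8IwVEB0EiQckc1-F8KVJ3kp14BxZJsBdhH0E6G3eR3Q"
)

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT checking the signature (inspection only)."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}

def mint_hs512(claims: dict, secret: bytes) -> str:
    """Issue a token the way the server would (secret is a constructed demo value)."""
    header_b64 = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS512"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

def verify_hs512(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Server-side check: pin alg to HS512, recompute the HMAC, compare in constant
    time, and reject expired tokens. Returns the claims, or None if rejected."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS512":
        return None  # refuse 'none' / algorithm-switch tokens outright
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    if int(claims.get("exp", 0)) <= now:
        return None
    return claims
```

Since the signature is only an HMAC over header.payload, everything rests on the server's secret being long and random; a guessable secret is exactly the weakness the writeup refers to.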
So? Let's supply that JWT token in the Authorization header to the previous page, which is /. We got:
So, it wants the admin's jwt token. Hmmmm, is there a way we can forge one with admin?