EYCC 2025 - Web
At the beginning of the challenge, there was a normal login page with guest:guest, and everything seemed normal.

After logging in, we notice that there is an auth_token, which is a JWT Token. Let us first understand what JWT is.
What is JWT?
JWT = JSON Web Token, a standard for creating a compact, URL-safe token that is signed. It is commonly used for authentication and authorization.
Structure
A JWT has three parts separated by dots:
Header: contains metadata about the token type and signing algorithm. Example:
Payload (claims): contains the data you want to transmit (claims). Example:
sub = subject / user id
exp = expiration time
You can add any other claims you need.
Signature: created using a signing algorithm like HMAC-SHA256 or RS256 to ensure the token hasn't been tampered with.
Full JWT example
Part 1 = Header (Base64).
Part 2 = Payload (Base64).
Part 3 = Signature.
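To make the three-part structure concrete, here is an added example (not code from the original writeup) that builds an HS256 token with the Python standard library and then splits it back into header, payload and signature the way jwt.io displays them. The secret and the claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption); a real server keeps a long random key out of source.
DEMO_SECRET = b"demo-secret-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    # separators=(",", ":") drops whitespace so the encoded parts stay compact.
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    # The signature covers exactly "header.payload" (the signing input).
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def split_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT verifying; this is what jwt.io shows you."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        # HMAC-SHA256 always yields a 32-byte tag.
        "signature_bytes": len(b64url_decode(signature_b64)),
    }


if __name__ == "__main__":
    now = int(time.time())
    token = create_jwt({"sub": "guest", "role": "guest", "iat": now, "exp": now + 3600}, DEMO_SECRET)
    print(token)
    print(json.dumps(split_jwt(token), indent=2))
```

Note that split_jwt deliberately does no verification: decoding a JWT only requires base64, which is why anyone holding the token can read its claims. Trust comes only from checking the signature.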
What is it used for?
Authentication
User logs in once (username + password).
Server issues a JWT and returns it to the client.
Client stores it (e.g., Local Storage or Cookie).
Authorization
For API requests, the client sends the JWT in the Authorization header. The server verifies the signature and checks permissions.
Secure data exchange
Because the token is signed, the receiver can trust the token wasn’t modified.
In our case, this is the auth token we found:

We used the website https://www.jwt.io/ to analyze it and understand exactly what it consists of and what its contents are.

We found that the content of the header was:
And the content of the payload was:
Can We Crack It?
At the start, if anyone thinks we can crack it or try to break it with a wordlist, that won't work. If you noticed above, the algorithm is RS256. It uses a key pair (public/private key), and you can't break it with passwords, because the signature is created with the private key and the public key only verifies the signature.
Now we have two options. The first option is to try the none attack on the JWT. Let's try it.
JWT None Attack?

A JWT header contains the field alg, which specifies the verification algorithm. The JWT specification allows the "none" option (unsigned). If the server accepts it, an attacker can change the header to none and remove the signature, then modify the token's payload (for example username: "guest" → username: "admin") to escalate privileges or impersonate a user.
You can read about it here:
Step-by-step: how the attack works
1. Decode the original token's header and payload (they are base64), and you'll find it's signed with RS256.
2. Modify the header to become {"alg":"none","typ":"JWT"}.
3. Modify the payload (for example, change "user":"guest" to "user":"admin").
4. Base64url-encode the header and the payload, join them with a dot, and leave out (or empty) the third part (the signature): base64url(header) + "." + base64url(payload) + "."
5. Send the modified token to the server. If the server's verification is weak (it accepts alg=none), it will treat the token as trusted.
Practical example of the resulting header+payload after modification:
Does the attack work? mm... No.
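The challenge server rejected the unsigned token, which is the correct behaviour. The following added example (my own code, not from the writeup or the challenge) shows why: a verifier that pins the accepted algorithm to an explicit allow-list rejects an alg=none token built exactly as in the steps above, as well as a token whose payload was edited but whose original signature was kept. It uses HS256 with a constructed server secret so that it runs with the standard library alone; the allow-list check works the same way for RS256.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server secret (assumption); the real server would use its own key material.
SERVER_SECRET = b"server-side-secret-for-demo"
# Explicit allow-list: the token's own alg field is never trusted, only compared against this.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    """JSON -> compact base64url, the form used for header and payload."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict) -> str:
    """Legitimate server-side issuance: HS256 over 'header.payload'."""
    head, body = encode_part({"alg": "HS256", "typ": "JWT"}), encode_part(claims)
    sig = hmac.new(SERVER_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def rewrite_as_none(token: str, changes: dict) -> str:
    """The alg=none rewrite from the steps above: header set to none, payload edited, signature dropped.
    Used here as a test case for the verifier."""
    _, body_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(body_b64))
    claims.update(changes)
    return f"{encode_part({'alg': 'none', 'typ': 'JWT'})}.{encode_part(claims)}."


def verify_token(token: str, now=None) -> dict:
    """Hardened verification: pin the algorithm, check the MAC, then check exp. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header!r}")
    expected = hmac.new(SERVER_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # compare_digest avoids leaking timing information about where the MAC differs.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    current = now if now is not None else int(time.time())
    if "exp" in claims and claims["exp"] < current:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, now=None) -> bool:
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = issue_token({"user": "guest", "exp": int(time.time()) + 3600})
    forged = rewrite_as_none(good, {"user": "admin"})
    print("legitimate token accepted:", is_valid(good))
    print("alg=none token accepted:", is_valid(forged))
```

The important line is the allow-list check before any signature work: a library that reads alg from the header and dispatches on it is exactly what the none attack relies on, so the verifier decides the algorithm itself and refuses anything else.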

Another Idea
As established above, the signing algorithm used for the challenge's JWT is RS256.
If we want to change the permission in the payload from guest to admin, we'll need to obtain the private key.
So there's no option other than searching the website to see if we can find it.
After poking around the page source and the JavaScript files for a bit, there was nothing. We tried some common directories like /flag or /data and still nothing.
So I thought we could use dirsearch to guess directories and see if we find anything, and we did: a directory called /vault.
It had "Your Secure Vault" written in it, so I think we're getting close to something. Let's keep going and see what we find.

It was hard to keep guessing for long because there was a limit on the number of requests, so continuing was difficult, until a hint was posted in the last minutes of the challenge stating that there's a directory named /internal/metadata. When we opened it, we finally found the private key; at that point we could modify the payload and set admin easily.

After opening the directory, we got a base64-encoded private key:
After decoding it, we got the private key:
Now we can use it to issue a new token with admin privileges.

After changing it and using the new token, the flag appeared.
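The root cause here is not the JWT library but a signing key served from a reachable path, base64-wrapped so a casual look would not recognise it. As an added defensive example (my own code, not part of the writeup), the scanner below checks a response body for PEM private-key material, both in the clear and after one layer of base64 decoding, which is the form the /internal/metadata response took. The sample responses are constructed with a dummy PEM-shaped block, not a real key.

```python
import base64
import re

# PEM private-key markers (PKCS#1, PKCS#8, EC, OpenSSH, encrypted). Detection signatures only.
PEM_PRIVATE_RE = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# A run of base64 characters long enough to hold a wrapped PEM block.
B64_BLOB_RE = re.compile(rb"[A-Za-z0-9+/=\r\n]{200,}")


def find_private_key_material(body: bytes) -> list:
    """Return (how_found, marker) pairs for PEM private keys in a response body,
    either in the clear or hidden behind a single base64 encoding."""
    findings = []
    for m in PEM_PRIVATE_RE.finditer(body):
        findings.append(("plain", m.group(0).decode()))
    for m in B64_BLOB_RE.finditer(body):
        blob = re.sub(rb"\s", b"", m.group(0))
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:           # binascii.Error is a ValueError subclass
            continue
        for inner in PEM_PRIVATE_RE.finditer(decoded):
            findings.append(("base64", inner.group(0).decode()))
    return findings


def build_sample_response(wrap_in_base64: bool) -> bytes:
    """Constructed sample body imitating a metadata endpoint. The PEM body is filler, not a key."""
    fake_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                + b"\n".join([b"A" * 64] * 4) + b"\n"
                + b"-----END RSA PRIVATE KEY-----\n")
    secret = base64.b64encode(fake_pem) if wrap_in_base64 else fake_pem
    return b'{"service":"vault","metadata":"' + secret + b'"}'


if __name__ == "__main__":
    for wrapped in (False, True):
        print("base64-wrapped" if wrapped else "plain", "->",
              find_private_key_material(build_sample_response(wrapped)))
    print("clean page ->", find_private_key_material(b"<html>nothing here</html>"))
```

Run against crawled responses from your own services, this catches the exact class of exposure the challenge modelled; pairing it with a rule that unauthenticated paths under /internal/ are never served at all removes the problem rather than just detecting it.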

Thank you all! I hope you enjoyed the article. If you have any questions, I’m here to help.
Remember My name : everythingBlackkk
Made by <3
Github : https://github.com/everythingBlackkk
Linkedin : www.linkedin.com/in/everythingblackkk