picoCTF-Web Exploitation-Java Code Analysis!?!

Description

BookShelf Pico, my premium online book-reading service.I believe that
my website is super secure. I challenge you to prove me wrong by
reading the ‘Flag’ book!Here are the credentials to get you started:

Username: “user”
Password: “user”

Source code can be downloaded

here

.Website can be accessed

here!

Hints

Maybe try to find the JWT Signing Key (“secret key”) in the source
code? Maybe it’s hardcoded somewhere? Or maybe try to crack it?

The ‘role’ and ‘userId’ fields in the JWT can be of interest to you!

The ‘controllers’, ‘services’ and ‘security’ java packages in the
given source code might need your attention. We’ve provided a
README.md file that contains some documentation.

Upgrade your ‘role’ with the new (cracked) JWT. And re-login for the
new role to get reflected in browser’s localStorage.

通过介绍我们可以得到以下信息：

尝试破解JWT 签名密钥
JWT中的role和userId字段可能会对我们有帮助
重点关注源码中的controllers, services, security包。
README.md文件可能对我们有所帮助
在JWT中提升role并刷新cookie存储？

1. 分析代码

首先，我们下载源码，使用是gradle管理包，先看README.md，里面说明了项目的架构以及各个包的功能。访问here!网站，使用username:user, password:user用户登录，发现图片有Flag，点击提示有锁，需要用户拥有role为Admin的权限（user用户的role是Free）

Flag
You need to have Admin role to access this special book!
This book is locked.

我们给用户user修改role为Admin试试，查看UserController找到修改role的代码

@PatchMapping("/users/role")
public Response<String> updateRole(@Valid @RequestBody UpdateUserRoleRequest userRoleRequest) throws ResourceNotFoundException, ValidationException {
    userService.updateRole(userRoleRequest);
    return new Response<String>().setPayload("Role successfully updated.")
            .setType(ResponseType.SUCCESS);
}

@Getter
@Setter
@NoArgsConstructor
public class UpdateUserRoleRequest {
    private Integer id;

    @NotNull(message = "Role cannot be Null")
    @NotEmpty(message = "Role cannot be empty")
    private String role;
}

我们需要构建RequestBody参数包含id和role ，role已知为Admin ，接下来需要找到user用户的id ，在UserController 中有一个users接口，查询所有用户信息

@GetMapping("/users")
public Response<List<UserDto>> getAll() {
    List<UserDto> userList = userService.getAllUsers();
    Response<List<UserDto>> response = new Response<>();
    response.setPayload(userList);
    response.setType(ResponseType.SUCCESS);
    return response;
}

我们进去Service看一下，发现有权限认证hasAuthority('Admin')，需要Admin权限，前面修改role的也需要这个权限认证，不过又多了一步#userRoleRequest.id != authentication.principal.grantedAuthorities[0].userId ，意思好像是userId不能是本用户，也就是自己不能修改自己的role

@PreAuthorize("hasAuthority('Admin')")
public List<UserDto> getAllUsers() {
    return UserDto.getUserDtoListFromUsers(userRepository.findAll());
}

@PreAuthorize("hasAuthority('Admin') and #userRoleRequest.id != authentication.principal.grantedAuthorities[0].userId")
public void updateRole(UpdateUserRoleRequest userRoleRequest) throws ResourceNotFoundException {
    Optional<User> userOptional = userRepository.findById(userRoleRequest.getId());
    if(!userOptional.isPresent()){
        throw new ResourceNotFoundException("user with ID: "+userRoleRequest.getId()+" not found");
    }
    User user = userOptional.get();
    Optional<Role> roleOptional = roleRepository.findById(userRoleRequest.getRole());
    if(!roleOptional.isPresent()){
        throw new ResourceNotFoundException("user with role: "+userRoleRequest.getRole()+" not found");
    }
    Role role = roleOptional.get();
    user.setRole(role);
    userRepository.save(user);
}

2. 修改JWT

所有操作需要给user用户一个Admin权限，我们知道JWT在登录后生成一个token，每次请求会在Request Header中带上这个token，以便后端程序对权限进行验证。

User登录网站，使用DevTools查看请求头，得到token

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiRnJlZSIsImlzcyI6ImJvb2tzaGVsZiIsImV4cCI6MTcxNjE5MDE1MywiaWF0IjoxNzE1NTg1MzUzLCJ1c2VySWQiOjEsImVtYWlsIjoidXNlciJ9.27h2BykhrD30xizlmoid0Wkj3OLuNPgR-XGo30UBv_0

拿到JWT官网解析，得到payload

{
  "role": "Free",
  "iss": "bookshelf",
  "exp": 1716190153,
  "iat": 1715585353,
  "userId": 1,
  "email": "user"
}

修改role为Admin重新加密，前提需要找到签名密钥（第一条提示）。继续查看权限验证JWT相关代码，发现密钥为1234

@Service
class SecretGenerator {
    private Logger logger = LoggerFactory.getLogger(SecretGenerator.class);
    private static final String SERVER_SECRET_FILENAME = "server_secret.txt";

    @Autowired
    private UserDataPaths userDataPaths;

    private String generateRandomString(int len) {
        // not so random
        return "1234";
    }

    String getServerSecret() {
        try {
            String secret = new String(FileOperation.readFile(userDataPaths.getCurrentJarPath(), SERVER_SECRET_FILENAME), Charset.defaultCharset());
            logger.info("Server secret successfully read from the filesystem. Using the same for this runtime.");
            return secret;
        }catch (IOException e){
            logger.info(SERVER_SECRET_FILENAME+" file doesn't exists or something went wrong in reading that file. Generating a new secret for the server.");
            String newSecret = generateRandomString(32);
            try {
                FileOperation.writeFile(userDataPaths.getCurrentJarPath(), SERVER_SECRET_FILENAME, newSecret.getBytes());
            } catch (IOException ex) {
                ex.printStackTrace();
            }
            logger.info("Newly generated secret is now written to the filesystem for persistence.");
            return newSecret;
        }
    }
}

修改role及密钥信息得到新得token

在这里插入图片描述

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiQWRtaW4iLCJpc3MiOiJib29rc2hlbGYiLCJleHAiOjE3MTYxOTMxNTcsImlhdCI6MTcxNTU4ODM1NywidXNlcklkIjoxLCJlbWFpbCI6InVzZXIifQ.zMJVsnlSGl2OKzBSQ_h2qIU5mB7OL7bgF6khdI31eMw

3. 修改新建用户的role为Admin

网页上直接创建一个用户
使用postman请求用户查询接口得到hucker的userId为6

（Header中增加Authorization，填入上面得到的新token）
构建ResponseBody，给hucker用户修改权限为Admin
重新登录，发现role已经修改为Admin ，点击Flag拿到结果