My Favorite OS - Jerseyctf6

Step 1 – Explore Available Commands

Start by running the help command in the terminal to see what actions are available.

Step 2 – Log In as the Guest User

Use the provided login command to authenticate as the guest user. The server responds with an automatically generated JWT.

Step 3 – Decode the JWT

Head to jwt.io and paste the token into the decoder. Inspect the payload section — you'll see something like:

{
  "username": "guest",
  "role": "user"
}

Our role is user. To access the admin panel, we need to change this to Admin. However, we can't just edit the token — the signature will break unless we sign it with the correct secret key.

Step 4 – Brute-Force the Secret Key

Since JWTs signed with HS256 use a symmetric secret key, we can attempt to crack it using Hashcat with a wordlist:

hashcat -a 0 -m 16500 <your_jwt_token> <path_to_wordlist>

• -a 0 — dictionary attack mode
• -m 16500 — hash type for JWT (HS256)

The secret key is revealed: windows98

Step 5 – Forge a New Token

Now that we have the secret key, go back to jwt.io and:

1. Edit the payload — change "role": "user" to "role": "Admin"
2. Enter windows98 as the secret in the Verify Signature section
3. Copy the newly signed token

Step 6 – Access the Admin Panel

Use the forged token to send a request to the protected admin endpoint:

GET /admin/panel -H 'Authorization: Bearer <forged_token>'

Flag

jctf{w1nd0ws98_1s_th3_b3st_0s_3v3r_937cn2}

Pwnsome References

• PortSwigger – JWT Attacks
• jwt.io Debugger
• Hashcat Documentation