Anantya ByteMe Writeup Series: The Iron Bank

-

 


Welcome Back to the Official Write-Up Series of ByteMe CTF!

The OWASP PCCOE Student Chapter is back to pull back the curtain on our second challenge—The Iron Bank. This challenge moved away from the psychological warfare of AI and into the technical depths of identity and authentication.

Domain: Web Exploitation / JWT Attacks

Difficulty: Moderate

Author: Saloni Katkar

Lore: "When you play the game of tokens, you exploit or you die." You must infiltrate the Iron Bank of Braavos by forging a Maester's scroll to impersonate the Hand of the King.  


1. Reconnaissance


Upon landing at the Iron Bank’s medieval interface, the first step for any digital Maester is to check the hidden corners of the browser.

  • Developer Tools ($F12$): Checking the Console tab revealed a thematic message: "Valar Morghulis!" followed by a crucial Maester's hint: "The Iron Bank trusts the 'none' algorithm. Don't tell the Lannisters."

  • Source Code: A hidden HTML comment suggested that only the Hand of the King (case-sensitive) has the authority to access the vault.


2. Analyzing the Token

By clicking "REQUEST SQUIRE'S SCROLL," the system generates a Base64-encoded string. Recognizing the header.payload.signature structure, we identify this as a JSON Web Token (JWT).

Pasting this into a debugger (like jwt.io), we see:

  • Header: {"alg": "HS256", "typ": "JWT"} — Currently using HMAC-SHA256.

  • Payload: {"role": "Squire", "house": "Stark"} — Our lowly starting identity.


3. Vulnerability: The "None" Algorithm

The vulnerability here is a classic JWT Authentication Bypass. If a backend is improperly configured to trust the none algorithm, it skips signature verification entirely. This allows an attacker to modify the payload and submit the token without knowing the server's secret key.


4. Exploitation (The Forgery)

To claim the Iron Throne, we performed a three-step forgery:

Step A: Modify the Header

Change the algorithm from HS256 to none.

  • Modified: {"alg": "none", "typ": "JWT"}

Step B: Modify the Payload

Escalate our privileges to the identity found during reconnaissance.

  • Modified: {"role": "Hand of the King", "house": "Stark"}



Step C: Forge the Final Token

We re-encode these objects to Base64URL. Crucial Step: When using the none algorithm, the signature part must be empty, but the token must still end with a trailing dot (.).


Final Forged Token:

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyroleI6IkhhbmQgb2YgdGhlIEtpbmciLCJob3VzZSI6IlN0YXJrIn0.


5. Capturing the Flag

After pasting the forged token back into the interface and clicking "CLAIM THE IRON THRONE," the server validates our "Hand of the King" identity, ignores the missing signature, and opens the vault.

Flag: ByteMe{V4l4r_M0rghul1s_JWT_N0n3_PCC0E}


 


Lessons from the Citadel

This challenge highlights why Algorithm Whitelisting is vital. A secure system should never allow the client to dictate the security level of the authentication process.

The bankers of Braavos learned the hard way: if the seal is void, the truth is whatever the bearer writes it to be.

Comments

Post a Comment

Popular posts from this blog

CyberKavach QuestCon Series: Upside-Down Vault

-
Image
  🧩 CTF Write-Up: Upside-Down Vault Author: Sai Veer Flag Format: QUESTCON{...} Challenge Type: Multi-Layer Crypto + Stego + Web Service Difficulty: Medium–Hard 🗃️ Files Provided encrypted_flag.bin layer1_puzzle.json layer2_blob.json layer2.enc privkey.enc vault.py vault_pub.pem vault_secret.png 🧠 Challenge Overview The challenge consists of: 3 cryptographic layers 1 steganographic HMAC extraction 1 server verification stage The flag is revealed only after: Extracting the hidden HMAC secret from vault_secret.png . Solving all cryptographic layers. Using the recovered secrets to correctly sign and “seal” a request to the local server ( vault.py ). Finally, retrieving the decrypted flag from /sealed . 🧩 Step-by-Step Walkthrough Step 1 — Extract HMAC Secret from PNG The image vault_secret.png hides an HMAC key in its LSBs. Why The server expects this secret in ctf_secret/secret_mac . It’s later used to generate HMAC signatures for ...
Read more

From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway

-
Image
From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway   In the digital world, every message, photo, and online payment travels through an invisible web of connections called computer networks. Think of it as a massive postal system where billions of tiny data packets constantly move between devices, routers, and servers, each carrying a specific destination address. Just as houses have numbered addresses, every device on a network has an IP address. But instead of physical doors, computers have virtual ones called ports. These are entry and exit points that decide what kind of data can pass through. Some of these digital doors, like those used for websites or emails, need to stay open. Others, if left unlocked, can become invitations for attackers. That is where firewalls come in. A firewall acts as a vigilant security guard at your network’s gate. It checks who is knocking, what they are carrying, and whether they are allowed inside. Home routers do this qui...
Read more

CyberKavach QuestCon Series: VecNet

-
Image
  VecNet Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here to analyze one of the most fascinating challenges in our event — VecNet, an LLM Jailbreaking and Prompt Injection challenge inspired by Stranger Things. Category: LLM Jailbreaking / Prompt Injection Author: Chirag Ferwani VecNet is an interactive LLM jailbreak challenge inspired by Stranger Things. Players interact with Eleven’s neural assistant deployed in the Upside Down, attempting to extract a hidden flag through creative prompt engineering. The system looks like a Stranger Things knowledge assistant but secretly hides a flag that challengers must extract. Challenge URL: ( https://vecnet.onrender.com ) When you open the challenge, you see a minimal chat interface with a terminal-style monospace font, real-time messaging without chat history, a dark Stranger Things aesthetic, and an input field with a send button. Testing the basic functionality shows that the ...
Read more