Secrets Blue Team Lab Online
Assalamu Alaikum Wa Rahmatullah. How are you hackers?? May allah bless me and you.
Today I am writing this blog/article after solving Secrets. I wrote this based on How I Solve this lab.
Before Read this, Try to solve lab. If you stuck then come here for help.
Ok Now lets move on to the lab.
First Read the Scenario.
You’re a senior cyber security engineer and during your shift, we have intercepted/noticed a high privilege actions from unknown source that could be identified as malicious. We have got you the ticket that made these actions.
You are the one who created the secret for these tickets. Please fix this and submit the low privilege ticket so we can make sure that you deserve this position.
Here is the ticket:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmbGFnIjoiQlRMe180X0V5ZXN9IiwiaWF0Ijo5MDAwMDAwMCwibmFtZSI6IkdyZWF0RXhwIiwiYWRtaW4iOnRydWV9.jbkZHll_W17BOALT95JQ17glHBj9nY-oWhT1uiahtv8f
In the last section of Scenario, They give a ticket. Based on the ticket you need to find all the answer for the lab.
First I save the ticket in my WSL Kali.
nano ticket.txtTools that used to solve this lab :
- https://jwt.io/ (Website)
- hashcat (Kali linux)
- https://gchq.github.io/CyberChef/ (Website)
Now lets Solve the Lab.
Solving Lab
#1) Can you identify the name of the token? (Format: String)
Answer :
JWTNote : Go to CyberChef and past the ticket and Recipe will be From Base64.
#2) What is the structure of this token? (Format: Section.Section.Section)
Answer :
HEADER.PAYLOAD.SIGNATURENote : Go to JSON Web Tokens and past the ticket you will find that the ticket divide into three parts.
#3) What is the hint you found from this token? (Format: String)
Answer :
4_EyesNote : Go back to JSON Web Tokens ans you will find the hint in the payload section.
#4) What is the Secret? (Format: String)
Answer :
bT!0Note : Ok now we need our kali machine. First open up your termaial. Then we need to find the perfect module in hashcat to able to crack the ticket. To find the module I use this command :
hashcat -h | grep "JWT"And I got the module.
I told you earlier, Save the ticket in a file. Now it’s time to crack it. I use hashcat to crack the ticket but you can use john the ripper or other tools. I use this hashcat command :
hashcat ticket.txt -m 16500 -a 3 ?a?a?a?aLets brake down this command :
First I use hashcat ticket.txt -m 16500: this will start hashcat and use 16500 number module.
-a 3: -a flag is used to specify which one to use. In this case, "3" is specified, which corresponds to a brute-force attack. A brute-force attack tries every possible combination of characters until it finds the correct password.
?a?a?a?a: This is the mask or pattern used in the brute-force attack. Each ? represents a placeholder for a character, and a specifies that the character set to be used in each placeholder is lowercase letters (a-z). So, this mask instructs Hashcat to generate all possible combinations of four lowercase letters (e.g., "aaaa," "aaab," "aaac," ..., "zzzz") in an attempt to crack the password.
[First I tried in my wsl but it’s not working because of my memory management. So I tried in my main kali machine and it’s work]
#5) Can you generate a new verified signature ticket with a low privilege? (Format: String.String.String)
Answer :
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmbGFnIjoiQlRMe180X0V5ZXN9IiwiaWF0Ijo5MDAwMDAwMCwibmFtZSI6IkdyZWF0RXhwIiwiYWRtaW4iOmZhbHNlfQ.nMXNFvttCvtDcpswOQA8u_LpURwv6ZrCJ-ftIXegtX4Note : First Grab the ticket from the Scenario and past it in JSON Web Tokens then change the “admin”: false. Then put the secret in the SIGNATURE section and you get a ticket that’t the answer.
Congratulation!!!!!!!!!!!!!!! You successfully Solve the lab.
Thanks for reading. Hope this article/blog will help you. If you have any question or doute feel free to ask. And please follow my medium it’s free and you can always change your mind.
Here is my social Link :
Linkedin : https://www.linkedin.com/in/r3dw4n4hm3d/
GitHub : https://github.com/r3dw4n48m3d
Website : https://r3dw4n48m3d.github.io/Portfolio/
YouTube : https://www.youtube.com/@R3DW4NA8M3D
