KagisoSec_
All writeups
CHALLENGE HackTheBox 1/5

Critical Ops

2026-06-03 2 min read
web jwt authentication-bypass token-forgery source-code-review burpsuite

Overview

The application exposed its JWT signing key inside client-side TypeScript source code. By reading the key from the browser inspector and forging an admin token, we gained access to a privileged API endpoint and retrieved the flag.

  • Vulnerability: Hardcoded JWT secret in the client-side bundle.
  • Impact: Full authentication bypass / privilege escalation to admin.

Steps

1. Initial Recon, HTTPS Redirect

App redirecting HTTP traffic to HTTPS

The app redirected HTTP traffic to HTTPS. Switched to the correct URL to reach the landing page.

2. Register & Enumerate

Registering an account and logging in

Created an account and logged in. Nothing sensitive was visible on the UI after scrolling through the app.

Intercepted traffic with Burp Suite, which revealed:

FindingValue
Endpoint/api/tickets
Auth methodJWT (Bearer token + Cookie)

The app was issuing JWT tokens and validating them on API requests, a good target for token forgery.

3. Source Code Review, Client-Side Secret Leak

Opened DevTools → Inspector and browsed the source tree. Found Page.tsx, which imported a generateToken function from @/lib/jwt.

Page.tsx importing generateToken from @/lib/jwt

Navigating to jwt.ts in the source revealed the JWT signing key hardcoded in plaintext, fully readable in the client-side bundle with no authentication required.

jwt.ts exposing the hardcoded signing key

Root cause: The signing secret was committed into frontend source code and shipped to the browser, giving any user the ability to forge valid tokens.

4. Forge an Admin JWT

Using the leaked signing key, crafted a forged JWT with elevated privileges (e.g. role: admin). Since we know the secret, the server accepts our token as legitimate.

Forging an admin JWT with the leaked secret

5. Inject Token & Capture the Flag

Replaced the original JWT in both auth locations on the GET /api/tickets request:

Injecting the forged token into the request

Cookie: authToken=<forged_token>
Authorization: Bearer <forged_token>

The server validated the signature, elevated the session to admin, and returned the flag in the response.

Flag returned in the API response

Flag

HTB{...}

Key Takeaways

  • Never store secrets in client-side code. JWT signing keys, API keys, and credentials must live server-side only. Anything shipped to the browser is public.
  • Source maps and bundled JS are readable. Even minified/compiled frontend code can be inspected in DevTools, treat it as untrusted territory.
  • JWT forgery is trivial once the secret is known. A leaked signing key completely undermines the token-based auth model.

Related writeups

CHALLENGE

byp4ss3d, picoMini byCMU-Africa

Bypassing a file upload filter on Apache by abusing .htaccess to execute a PHP webshell disguised as a JPEG, achieving full RCE and reading the flag.

#web#file-upload#htaccess
Read
MACHINE Linux

HackTheBox: Postman

An Easy Linux box: an unauthenticated Redis 4.x instance writes an SSH key into the redis user's authorized_keys for a foothold, an encrypted /opt/id_rsa.bak cracks to computer2008 to reach Matt via su, and Webmin 1.910 falls to CVE-2019-12840 command injection (running as root) for a root shell.

#linux#redis#ssh-key-injection
Read
MACHINE Linux

HackTheBox: Trick

An Easy Linux box: a DNS zone transfer leaks a preprod payroll vhost, a boolean SQL injection with the MySQL FILE privilege reads the nginx config to expose a second vhost, then a str_replace LFI bypass combined with SMTP mail-spool poisoning lands RCE as michael — and a writable fail2ban action plus a passwordless sudo restart escalates to root.

#linux#dns-zone-transfer#smtp
Read