# SSTF 2022 JWT Decoder Write Up

I participated in the SSTF CTF for the first time in 5 months. Today I am writing up how I solved JWT Decoder.

They provided the file shown above.

When I checked package.json, I could see that the challenge uses ejs version 3.1.6. Many researchers already know how to trigger an RCE in an EJS environment: when the EJS parser runs, it dynamically builds JavaScript source code and then executes it. At that point there are some gadgets, namely outputFunctionName and destructuredLocals.

While building the JavaScript code, EJS reads these values from the opts object. Normally, to pollute the value of opts.outputFunctionName, a Prototype Pollution vulnerability would have to exist, but there is none here.

I found that the utils.shallowCopy() method in the EJS code can be used to overwrite the value of data.settings.view.options with the properties of the opts object.

This is the challenge code. It takes the value of the cookie, splits it on ".", and puts the header, body, and signature values of the JWT into an object called rawJwt. However, we cannot insert an Object, because all values are converted back to strings after the strings are parsed as JSON.

Anyway, I could see that the rawJwt object is created and passed as the second argument to the render() method.

The second argument to the render() method goes into the data object. So we have to insert a user-defined object into the rawJwt object.

We generally cannot insert object data into the rawJwt object. However, after analyzing the code of the cookie-parser module, I was able to find the JSONCookie() function. Inside a try statement, JSONCookie() parses the argument value as JSON if it starts with j:, so the resulting value is an object.
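As an added example (not code from this write-up, from cookie-parser or from EJS), the snippet below re-implements the JSONCookie "j:" rule described above so the behaviour can be seen in isolation, and pairs it with a defensive sanitizer for the data handed to render(). The names jsonCookie, safeRenderData, demo and ALLOWED_FIELDS and the sample cookie value are assumptions and constructed values, not taken from the challenge.

```javascript
// Added example (not the challenge's or any library's own code). Two pieces:
// 1. jsonCookie(): a minimal re-implementation of cookie-parser's JSONCookie
//    rule ("j:" prefix => JSON.parse), so the object-smuggling path is visible.
// 2. safeRenderData(): a sanitizer for the data handed to res.render() that
//    keeps only an allow-list of string fields, so a "settings" key can never
//    reach EJS and be copied into its options by utils.shallowCopy().

function jsonCookie(str) {
  // Mirrors cookie-parser: only strings starting with "j:" are parsed.
  if (typeof str !== 'string' || str.slice(0, 2) !== 'j:') {
    return undefined;
  }
  try {
    return JSON.parse(str.slice(2));
  } catch (err) {
    return undefined; // malformed JSON leaves the raw cookie value untouched
  }
}

const ALLOWED_FIELDS = ['header', 'body', 'signature'];

function safeRenderData(rawJwt) {
  const out = {};
  for (const key of ALLOWED_FIELDS) {
    const value = rawJwt[key];
    // Only primitive strings survive; any object (which could carry
    // settings -> "view options" -> outputFunctionName) is dropped.
    out[key] = typeof value === 'string' ? value : '';
  }
  return out;
}

// Constructed sample: a "j:"-prefixed cookie value whose JSON tries to smuggle
// an EJS "settings" key into the render context (placeholder value "x").
const SMUGGLED_COOKIE =
  'j:{"header":"e30","settings":{"view options":{"outputFunctionName":"x"}}}';

function demo() {
  const parsed = jsonCookie(SMUGGLED_COOKIE) || {}; // an object, not a string
  const cleaned = safeRenderData(parsed);
  return {
    parsedHasSettings: Object.prototype.hasOwnProperty.call(parsed, 'settings'),
    cleanedHasSettings: Object.prototype.hasOwnProperty.call(cleaned, 'settings'),
    cleaned,
  };
}
```

Running demo() shows the parsed cookie carrying a settings key while the sanitized render data does not, which is the property a fix for this challenge needs to guarantee.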

I wrote the payload shown above.

When I sent the payload, I could see that RCE occurred, as shown above.