> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/information-gathering/trick-0284.md).

# Access JWT Key File via URL Path

***

Decode the JWT token (e.g., using `jwt.io`) found in sources like page source after login. Look for parameters containing potential file paths, such as the `kid` (key identifier) parameter.

The `kid` parameter in a JWT header is used to specify which key was used to sign the token. A common vulnerability arises when the server implementation reads the content of the file specified by the `kid` parameter and uses it as the verification key. This allows an attacker to potentially point the `kid` to sensitive server files. The application uses the `kid` header parameter to retrieve the public key from the local filesystem. An attacker can potentially exploit this vulnerability by manipulating the `kid` parameter to include a path traversal sequence, causing the application to load an arbitrary file from the server's filesystem.

For example, an attacker could craft a JWT with a header like this, attempting to make the server use the content of `/app/key.pub` as the verification key:

```json
{
  "kid": "/app/key.pub",
  "typ": "JWT",
  "alg": "HS256"
}
```

Another common path traversal example involves pointing the `kid` to a known file like `/etc/passwd`:

```json
{
  "kid": "../../etc/passwd",
  "alg": "HS256"
}
```

Python libraries like `PyJWT` can be used to craft such tokens. Here is an example of how you might generate a token with a specific `kid` value pointing to `/etc/passwd`:

```python
import jwt

# Payload
payload = {'user': 'admin'}

# Malicious header with path traversal
header = {
    "alg": "HS256",
    "typ": "JWT",
    "kid": "/etc/passwd" # Path traversal example
}

# Sign the token with a dummy key (this key doesn't matter for the exploit)
# The server will try to verify with the content of /etc/passwd
dummy_key = "dummy_secret"
token = jwt.encode(payload, dummy_key, algorithm="HS256", headers=header)

print(token)
```

If a path like `/var/www/mykey.key` is found in the decoded payload or successfully used in a crafted `kid` parameter, attempt to access it directly via the web server's root.

```
http://target_ip:port/mykey.key
```

This works if the leaked path corresponds to a file within the web server's document root or is otherwise accessible via a simple HTTP GET request. In this example, the `/var/www/mykey.key` path was accessible via `/mykey.key` on the web server, suggesting `/var/www/html/` was likely the webroot.
