JWT Key Confusion & Nunjucks SSTI - "Naughty or Nice" [Day 5: HackTheBox Cyber Santa CTF]
Video walkthrough for the "Naughty or Nice" Web challenge from Day 5 of the @HackTheBox "Cyber Santa" Capture The Flag (CTF) 2021. We'll exploit a signature confusion vulnerability in JSON Web Tokens (forging a new JWT for the admin user) and then use the elevated privileges to exploit a Server-Side Template Injection (SSTI) vulnerability in Nunjucks, achieving Remote Code Execution (RCE). Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂

#HackTheBox #HTBCyberSanta21 #CaptureTheFlag #CTF

Sign up for HackTheBox: https://htb-signup.cryptocat.me
Write-ups: https://cryptocat.me/blog/ctf/2021/#h...

↢Hack The Box↣
https://www.hackthebox.com/events/san...
/ hackthebox_eu
/ discord

↢JWT / Nunjucks SSTI↣
https://jwt.io
https://github.com/ticarpi/jwt_tool
http://disse.cting.org/2016/08/02/201...
https://0xdf.gitlab.io/2021/11/02/htb...

👷‍♂️ Resources 🛠
https://cryptocat.me/resources

Timestamps:
Start: 0:00
Explore website: 0:49
Test basic SQLi/SQLMap: 1:53
Create new account: 2:57
Decode JWT cookie: 4:06
Investigate JWT vulnerabilities: 5:20
Research and install jwt_tool: 6:35
Try JWT "None" key attack: 8:00
Review source code: 11:48
Forge new JWT for Admin ("Key Confusion" attack): 16:08
Investigate Nunjucks SSTI: 18:58
Test SSTI payloads: 20:32
Use RCE to retrieve the flag: 21:39
End: 25:01
