In the CyberMonday box from HackTheBox, the foothold involves exploiting an algorithm confusion attack against a JWT. When I went to sign the new JWT with the public key, PyJWT rejected me. In this video, we'll show the rejection, find the code responsible, and modify it to allow me to sign.
HackTheBox CyberMonday: https://www.hackthebox.com/machines/cybermonday
CyberMonday Blog Post: https://0xdf.gitlab.io/2023/12/02/htb-cybermonday.html
☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf
[00:00] Introduction
[02:16] Review public key
[02:38] Creating Virtual Environment
[04:17] Failure in Python Terminal
[08:10] Finding Responsible Code
[10:08] Modifying to Allow
[11:25] Conclusion
#pentest #ctf #bugbounty #python #pyjwt
Hacking PyJWT for Algorithm Confusion Attack [HackTheBox CyberMonday]