OWASP Juice Shop

Room: OWASP Juice Shop

Difficulty: Easy

“Today we will be looking at OWASP Juice Shop from TryHackMe. This room uses the Juice Shop vulnerable web application to learn how to identify and exploit common web application vulnerabilities. Capture the flags and have fun. ”

Task 1 : Open for business!

Within this room, we will look at OWASP’s TOP 10 vulnerabilities in web applications. You will find these in all types in all types of web applications. But for today we will be looking at OWASP’s own creation, Juice Shop!

We will be using Burp Suite, so if you haven’t already got it set up, here is a link to the ‘Burp Suite’ room.

In addition, its highly recommend to check out the ‘Web Fundamentals’ room.

Juice Shop is a large application so we will not be covering every topic from the top 10.

We will, however, cover the following topics which we recommend you take a look at as you progress through this room.

#1 Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.

How to do it is given above. You can skip by click completed.

#2 Once the machine has loaded, access it by copying and pasting its IP into your browser; if you’re using the browser-based machine, paste the machines IP into a browser on that machine.

How to do it is given above. You can skip by click completed.

Task 2 : Let’s go on an adventure!

#1 Question #1: What’s the Administrator’s email address?

We have to go visit website and by clicking on any product, we can find out the admin’s email address.

ans : [email protected]

#2 Question #2: What parameter is used for searching?

Click on the magnifying glass in the top right of the application will pop out a search bar.

We can then input some text and by pressing Enter will search for the text which was just inputted.

Now pay attention to the URL which will now update with the text we just entered.

We can now see the search parameter after the /#/search? the letter q

ans : q

#3 Question #3: What show does Jim reference in his review?

Jim did a review on the Green Smoothie product. We can see that he mentions a replicator.

If we google “replicator” we will get the results indicating that it is from a TV show called Star Trek

ans : star trek

Task 3 : Inject the juice

This task will be focusing on injection vulnerabilities. Injection vulnerabilities are quite dangerous to a company as they can potentially cause downtime and/or loss of data. Identifying injection points within a web application is usually quite simple, as most of them will return an error. There are many types of injection attacks, some of them are:

SQL Injection : SQL Injection is when an attacker enters a malicious or malformed query to either retrieve or tamper data from a database. And in some cases, log into accounts.
Command Injection : Command Injection is when web applications take input or user-controlled data and run them as system commands. An attacker may tamper with this data to execute their own system commands. This can be seen in applications that perform misconfigured ping tests.
Email Injection : Email injection is a security vulnerability that allows malicious users to send email messages without prior authorization by the email server. These occur when the attacker adds extra data to fields, which are not interpreted by the server correctly.

We have to open burp-suite.

We need to open the foxy proxy.

intercept is on.

open repeater.

We can focus email.

We can write “ ‘ or 1=1 — “.

Suscess!

ans : 32a5e0f21372bcc1000a6088b93b458e41f0e02a

#2 Question #2: Log into the Bender account!

Similar to what we did in Question #1, we will now log into Bender’s account! Capture the login request again, but this time we will put: [email protected]’ — as the email.

We can just write “ ‘ — “.

Success!

ans : fb364762a3c102b2db932069c0e6b78e738d4066

Task 4 : Who broke my lock?!

In this task, we will look at exploiting authentication through different flaws. When talking about flaws within authentication, we include mechanisms that are vulnerable to manipulation. These mechanisms, listed below, are what we will be exploiting.

Weak passwords in high privileged accounts

Forgotten password pages

More information: Broken Authentication

#1 Question #1: Bruteforce the Administrator account’s password!

For the payload, we will be using the best1050.txt from Seclists. (Which can be installed via: apt-get install seclists)

You can load the list from /usr/share/seclists/Passwords/Common-Credentials/best1050.txt

Once the file is loaded into Burp, start the attack. You will want to filter for the request by status.

A failed request will receive a 401 Unauthorized

Whereas a successful request will return a 200 OK.

Once completed, login to the account with the password.

We going to intruder.

We’re by ”click” clear.

Select the password and click Add.

We find password.

Success!

ans : c2110d06dc6f81c67cd8099ff0ba601241f1ac0e

#2 Question #2: Reset Jim’s password!

Believe it or not, the reset password mechanism can also be exploited! When inputted into the email field in the Forgot Password page, Jim’s security question is set to “Your eldest siblings middle name?”. In Task 2, we found that Jim might have something to do with Star Trek. Googling “Jim Star Trek” gives us a wiki page for Jame T. Kirk from Star Trek.

Looking through the wiki page we find that he has a brother.

security question : Samuel

ans : 094fbc9b48e525150ba97d05b942bbf114987257

Task 5 : AH! Don’t look!

A web application should store and transmit sensitive data safely and securely. But in some cases, the developer may not correctly protect their sensitive data, making it vulnerable.

Most of the time, data protection is not applied consistently across the web application making certain pages accessible to the public. Other times information is leaked to the public without the knowledge of the developer, making the web application vulnerable to an attack.

More information: Sensitive Data Exposure

#1 Question #1: Access the Confidential Document!

We can see /ftp/legal.md

We will download the acquisitions.md and save it. It looks like there are other files of interest here as well.

After downloading it, navigate to the home page to receive the flag!

Download acquisitions.md

ans : edf9281222395a1c5fee9b89e32175f1ccf50c5b

#2 Question #2: Log into MC SafeSearch’s account!https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2Fv59CX2DiX0Y%3Ffeature%3Doembed&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dv59CX2DiX0Y&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fv59CX2DiX0Y%2Fhqdefault.jpg&key=a19fcc184b9711e1b4764040d3dc5c07&type=text%2Fhtml&schema=youtube

After watching the video there are certain parts of the song that stand out.

He notes that his password is “Mr. Noodles” but he has replaced some “vowels into zeros”, meaning that he just replaced the o’s into 0’s.

We now know the password to the [email protected] account is “Mr. N00dles”

ans : 66bdcffad9e698fd534003fbb3cc7e2b7b55d7f0

#3 Question #3: Download the Backup file!

We will now go back to the ftp folder and try to download package.json.bak. But it seems we are met with a 403 which says that only .md and .pdf files can be downloaded.

To get around this, we will use a character bypass called “Poison Null Byte”. A Poison Null Byte looks like this: %00.

Note that we can download it using the url, so we will encode this into a url encoded format.

The Poison Null Byte will now look like this: %2500. Adding this and then a .md to the end will bypass the 403 error!

ans : bfc1e6b4a16579e85e06fee4c36ff8c02fb13795

Task 6 : Who’s flying this thing?

Modern-day systems will allow for multiple users to have access to different pages. Administrators most commonly use an administration page to edit, add and remove different elements of a website. You might use these when you are building a website with programs such as Weebly or Wix.

When Broken Access Control exploits or bugs are found, it will be categorised into one of two types:
Horizontal Privilege Escalation : Occurs when a user can perform an action or access data of another user with the same level of permissions.
Vertical Privilege Escalation : Occurs when a user can perform an action or access data of another user with a higher level of permissions.

More information: Broken Access Control

#1 Question #1: Access the administration page!

We are then going to refresh the page and look for a javascript file for main-es2015.js

This hints towards a page called “/#/administration” as can be seen by the about path a couple lines below, but going there while not logged in doesn’t work.

As this is an Administrator page, it makes sense that we need to be in the Admin account in order to view it.

A good way to stop users from accessing this is to only load parts of the application that need to be used by them. This stops sensitive information such as an admin page from been leaked or viewed.

ans : 946a799363226a24822008503f5d1324536629a0

#2 Question #2: View another user’s shopping basket!

Login to the Admin account and click on ‘Your Basket’. Make sure Burp is running so you can capture the request!

Forward each request until you see: GET /rest/basket/1 HTTP/1.1

Now, we are going to change the number 1 after /basket/ to 2

ans : 41b997a36cc33fbe4f0ba018474e19ae5ce52121

#3 Question #3: Remove all 5-star reviews!

ans : 50c97bcce0b895e446d61c83a21df371ac2266ef

Task 7 : Where did that come from?

XSS or Cross-site scripting is a vulnerability that allows attackers to run javascript in web applications. These are one of the most found bugs in web applications. Their complexity ranges from easy to extremely hard, as each web application parses the queries in a different way.

#1 Question #1: Perform a DOM XSS!

We can use that script : <iframe src=”javascript:alert(`xss`)”>

ans : 9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf

#2 Question #2: Perform a persistent XSS!

First, login to the admin account.

We are going to navigate to the “Last Login IP” page for this attack.

ans : 149aa8ce13d7a4a8a931472308e269c94dc5f156

#3 Question #3: Perform a reflected XSS!

First, we are going to need to be on the right page to perform the reflected XSS!

Login into the admin account and navigate to the ‘Order History’ page.

ans : 23cefee1527bde039295b2616eeb29e1edc660a0

Task 8 : Exploration!

If you wish to tackle some of the harder challenges that were not covered within this room, check out the /#/score-board/ section on Juice-shop. Here you can see your completed tasks as well as other tasks in varying difficulty.

#1 Access the /#/score-board/ page

ans : 7efd3174f9dd5baa03a7882027f2824d2f72d86e

This box was really fun! I love the ones that have a story/theme that goes along with them.

%d bloggers like this: