Day 034 #FromZeroToHacker – OWASP Juice Shop Writeup

OWASP Juice Shop gives us a good introduction to what a CTF is. Although the room hand-holds you through the challenges, you get to see what a CTF looks like.

Time for our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What I have learnt today?
Stats
Resources

Introduction to OWASP Juice Shop

Juice Shop is a large application in which we will cover some of the OWASP Top 10 vulnerabilities. It also helps to know the Burp Suite basics, as well as Burp Suite's Repeater.

Although we will not cover every vulnerability in the OWASP Top 10, we will cover Injection, Broken Authentication, Sensitive Data Exposure, Broken Access Control, and Cross-Site Scripting (XSS).

OWASP Juice Shop logo

What I have learnt today?

Task 1: Open for business

Let’s get ready:

Questions

  1. Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.
    No answer needed

  1. Once the machine has loaded, access it by copying and pasting its IP into your browser; if you’re using the browser-based machine, paste the machine’s IP into a browser on that machine.
    No answer needed

We have deployed the virtual machine (either the one attached to the browser via TryHackMe or our own machine connected via OpenVPN), it has loaded, and we are on its main page:

OWASP Juice Shop main page

Task 2: Let’s go on an adventure

Before doing anything, set Burp’s Intercept mode to off and browse around the site. Not only will this let you familiarise yourself with it, but Burp will also log every request made. This is a form of reconnaissance.

Reconnaissance

Now, not only do we know the structure of the website, but we have found some folders, files, and more.

Questions

  1. What’s the Administrator’s email address?
    admin@juice-sh.op

The website doesn’t have any obvious way to find the admin’s email, but some items in the shop have reviews. If we click on the Apple Juice item, we can see it:

Apple Juice Admin comment
  1. What parameter is used for searching?
    q

The magnifying glass on the top-right banner, next to the Account and Language switcher, pops out a search bar. If you search for something, the URL will include the term you searched for as a key-value pair. The term is the value, and the key is q.

URL parameter
  1. What show does Jim reference in his review?
    Star Trek

Jim made a review on the Green Smoothie:

Green smoothie

He talks about a replicator. If we Google it, we get results pointing out that it is a machine from the TV series Star Trek (100% recommended, by the way).

Task 3: Inject the juice

Ok, time for real fun.

We are going to focus on injection vulnerabilities. This type of vulnerability is quite dangerous, as it can potentially cause loss and manipulation of data. The first thing we need to do is identify injection points within a web application.

There are many types of injection attacks, such as SQL Injection, Command injection and Email injection.

But today, we will be using the first one: SQL Injection. Put your hood and sunglasses on, turn off the light and let’s hack!

Questions

  1. Log into the administrator account!
    32a5e0f21372bcc1000a6088b93b458e41f0e02a

Navigate to the login page, enter some random username and password, turn the Intercept on, and submit it. Make sure the Intercept is on, as we need to capture the request!

Intercepting requests

Right-click it and send it to Repeater to put this request aside, then drop the rest.

Burp Suite SQLi

Change the email content to: ' or 1=1;--

The ' character closes the quoted string, while 1=1, which is always true, tells the server that the email is valid, so it logs us in as the first user in the database, which happens to be the admin account. The characters -- start a SQL comment, so anything that comes after them (for example, the password check) is ignored.

The query now tells the server to return a user if the email is '' (empty) OR 1=1. As 1=1 is always true, it returns a user.

Burp Suite admin response

We can see in the response that it returns the admin user. Let’s try the same ' or 1=1;-- payload on the website login.

Admin login

We logged in as admin!

  1. Log into the Bender account!
    fb364762a3c102b2db932069c0e6b78e738d4066

Now we have to try to log in as bender@juice-sh.op. With the login request still in Repeater, let’s modify it and send it again:

Burp Suite Bender request

The response says Invalid email or password. We know the email is correct, but we don’t know the password! Luckily, we don’t need to know it, as we can manipulate the SQL code:

Bender login request

I have changed the email value to bender@juice-sh.op';--. We don’t need the OR 1=1; we know that the user exists. What we are doing with the comment code (--) is telling the server to “Return a user if the email is bender@juice-sh.op”, ignoring the “… and the password is XXXX”.

With the comment, we are ignoring the password bit, and requesting for a user with a specific email.

Normal query:
Return me the user with the email XXXX and the password YYY.

Commented query:
Return me the user with the email XXXX --and the password YYY.
(everything after -- is a comment and is ignored)

I hope it is pretty clear.

If we try to log in as bender@juice-sh.op';-- with any random password, we are logged in again!

Bender logged in
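The two payloads above, run against a small in-memory SQLite table, as an added example that is not part of the original writeup or of Juice Shop’s code: the string-concatenated query that the payloads abuse beside the parameterised query that defeats them. The table contents and the plaintext password column are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table (not Juice Shop's real data). The admin is the first
# row, so a WHERE clause that is always true returns them, as described above.
# Passwords are stored in plaintext here only to keep the example short.
USERS = [
    (1, "admin@juice-sh.op", "ADMIN-PASSWORD-PLACEHOLDER"),
    (2, "jim@juice-sh.op", "jim-password-placeholder"),
    (3, "bender@juice-sh.op", "bender-password-placeholder"),
]


def make_db():
    """In-memory SQLite database with a Users table like the one the login queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return db


def login_vulnerable(db, email, password):
    """Builds the query by string concatenation, so the quote and the -- comment
    in the email field are parsed as SQL. Returns (id, email) or None."""
    sql = (
        "SELECT id, email FROM Users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return db.execute(sql).fetchone()


def login_safe(db, email, password):
    """Same query with bound parameters: the payload is compared as a literal
    email string and matches nobody."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for payload in ("' or 1=1;--", "bender@juice-sh.op';--"):
        print(repr(payload), "->", login_vulnerable(db, payload, "anything"),
              "| parameterised:", login_safe(db, payload, "anything"))
```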

Task 4: Who broke my lock?

We are going to exploit the authentication system through different flaws. Flaws may include:

  • Weak passwords in high privileged accounts.
  • Forgotten password pages.

More information at Broken Authentication.

  1. Bruteforce the Administrator account’s password!
    c2110d06dc6f81c67cd8099ff0ba601241f1ac0e

We have used SQL injection to log in as the administrator, but we still don’t know the password. As we know one thing (the admin’s email), we can brute-force our way to the password!

Send a login request (the one we have in Repeater, for example) to Intruder.

Clear all positions, select the password and click on Add §. This will point out where the payload should be. Now, on the email field, add the admin’s email admin@juice-sh.op.

Admin login intruder

Use best1050.txt from SecLists as the payload list (it can be installed with apt-get install seclists), and start the attack.

Brute-force attack

Attempts that return 401 Unauthorized have failed; the one that returns 200 OK is the successful login.

Brute-force successful
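The same 401-versus-200 pattern is what a defender looks for in the server’s logs. This added example (not from the page or from Juice Shop) scans constructed login-log lines for a successful login that follows a burst of failures for the same source IP and account; the /rest/user/login endpoint and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the page or from Juice Shop): one line
# per login attempt. The login endpoint and the line format are assumed here.
LOG_LINES = (
    ["10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=401"] * 6
    + ["10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=200"]
    + ["10.0.0.9 POST /rest/user/login email=jim@juice-sh.op status=401",
       "10.0.0.9 POST /rest/user/login email=jim@juice-sh.op status=200"]
)

LINE_RE = re.compile(
    r"^(?P<ip>\S+) POST /rest/user/login email=(?P<email>\S+) status=(?P<status>\d{3})$"
)


def detect_bruteforce(lines, threshold=5):
    """Flag a 200 OK login that follows at least `threshold` consecutive
    401 Unauthorized attempts for the same (source IP, account) pair.

    Returns a list of (ip, email, failed_attempts_before_success)."""
    failures = defaultdict(int)
    findings = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # not a login attempt; ignore
        key = (match["ip"], match["email"])
        if match["status"] == "401":
            failures[key] += 1
        elif match["status"] == "200":
            if failures[key] >= threshold:
                findings.append((key[0], key[1], failures[key]))
            failures[key] = 0  # a success resets the failure streak
    return findings


if __name__ == "__main__":
    for ip, email, count in detect_bruteforce(LOG_LINES):
        print(f"{ip} logged in as {email} after {count} failed attempts")
```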
  1. Reset Jim’s password!
    094fbc9b48e525150ba97d05b942bbf114987257

Let’s try to reset Jim’s password. Go to the Forgot Password page and enter Jim’s email. The Security Question shown is: Your eldest siblings middle name?

If you remember, in Task 2, we found that Jim loves Star Trek. If we Google “Jim Star Trek”, we can find James T Kirk’s Wikipedia page, and a list of his family:

Star Trek siblings

His eldest sibling is his brother, whose middle name is Samuel. Let’s put that as the answer to the Security Question.

Forgot password reset

Now Jim has lost his account. Bad luck!

Yes, this task may seem a bit kooky, but it points out a common mistake. If you use easy-to-find Security Questions, a 2-minute Google search can destroy all the security you tried to implement.

Instead of some random guy from a series from the 80s, the Security Question may ask for your mother’s name or your dog’s. We have Instagram, Facebook, Twitter, etc. at our grasp, and we can find out your mother’s or dog’s name, as people upload their whole lives to the Internet for Internet points. Don’t do it. Instead, let the user write their own Security Question and Answer.

Task 5: Ah! Don’t look!

A web application should store and transmit data safely and securely. But sometimes this doesn’t happen, making the website vulnerable.

Also, sometimes data protection is applied, but not consistently, leaving certain data accessible to the public. Other times, information is leaked to the public, making the web application vulnerable to an attack.

  1. Access the Confidential document
    edf9281222395a1c5fee9b89e32175f1ccf50c5b

Navigate to the About Us page and hover over the green text.

About us section

On the bottom-left of the screen, you can see that the green text links to …/ftp/legal.md. Navigating to the /ftp/ directory reveals data exposed to the public!

FTP leak

Now we can download ANY file. To solve this challenge, download the acquisitions.md file and open it.

  1. Log into MC SafeSearch’s account
    66bdcffad9e698fd534003fbb3cc7e2b7b55d7f0

The rapper says that his password is Mr. Noodles but with some vowels replaced by zeros. The password, then, is Mr. N00dles. Just log in with his password (mind the space!).

MC Safesearch
  1. Download the Backup file!
    bfc1e6b4a16579e85e06fee4c36ff8c02fb13795
Back up file

If we go back to the ftp folder and try to download package.json.bak we are met with an error: Only .md and .pdf files are allowed!

Enter the Poison Null Byte bypass.

A Poison Null Byte is a null terminator: the byte tells the server’s string handling to stop right there, so the rest of the string is ignored, and with it the restriction.

A Poison Null Byte looks like this: %00, but if we simply add it at the end of the URL it won’t work. We need to use %2500, because the file name is URL-encoded to %2500 and the server then decodes it back to %00. It gets decoded not once, but twice.

%25 is the encoding for %.

Encoding null byte

The server checks that the requested file ends in .md, and it does! But little does it know that, with our Poison Null Byte, we are sending the equivalent of “Ignore everything to the right of %2500”.
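An added example (not from the page or from Juice Shop) of the double-decoding and extension check described above, beside the check a defender would write instead. The allowed extensions come from the error message above; the function names and the NUL-terminated filesystem behaviour it models are assumptions of this example.

```python
from urllib.parse import unquote

# From the server's error message: "Only .md and .pdf files are allowed!"
ALLOWED_EXTENSIONS = (".md", ".pdf")


def decode_twice(requested):
    """The name is URL-decoded twice, so %2500 -> %00 -> a real NUL byte."""
    return unquote(unquote(requested))


def extension_check_vulnerable(requested):
    """Only looks at how the decoded string ends, so the .md after the NUL passes."""
    return decode_twice(requested).endswith(ALLOWED_EXTENSIONS)


def name_seen_by_filesystem(requested):
    """A C-style, NUL-terminated file API stops reading at the first NUL byte
    (modelled here by truncating the string)."""
    return decode_twice(requested).split("\x00", 1)[0]


def extension_check_hardened(requested):
    """Reject control bytes and path tricks before looking at the extension,
    so the checked name is the same name the filesystem would open."""
    name = decode_twice(requested)
    if any(ord(ch) < 0x20 for ch in name):
        return False  # NUL or other control byte: never a legitimate file name
    if "/" in name or "\\" in name or ".." in name:
        return False  # no directory traversal out of /ftp/
    return name.endswith(ALLOWED_EXTENSIONS)


if __name__ == "__main__":
    bypass = "package.json.bak%2500.md"
    print("check sees:", repr(decode_twice(bypass)))
    print("vulnerable check passes:", extension_check_vulnerable(bypass))
    print("filesystem opens:", name_seen_by_filesystem(bypass))
    print("hardened check passes:", extension_check_hardened(bypass))
```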

Task 6: Who’s flying this thing?

We can categorise Broken access control exploits or bugs into one of two types:

  • Horizontal privilege escalation: When a user can perform an action or access data of another user with the same level of permissions.
  • Vertical privilege escalation: When a user can perform an action or access data of another user with a higher level of permissions.
Broken access control
  1. Access the administration panel
    946a799363226a24822008503f5d1324536629a0

Open the Debugger/Sources tab of your browser’s Developer Tools. Then, refresh the main page and look for a JS file called main-es2015.js.

Dev Tools JS file

Let’s open the http://WEBSITE/main-es2015.js file and search for admin:

JS Admin

One stands out:

Administration path

This points out that there is a page called /administration. Let’s have a look.

We do, and we are kicked out. For a second we can see a warning, but then we are redirected to the main page. Let’s log in as admin and try again:

Administration admin login
  1. View another user’s shopping basket!
    41b997a36cc33fbe4f0ba018474e19ae5ce52121

While logged in as admin, turn on Burp Suite and Intercept. Then, go to Your Basket in the OWASP Juice Shop:

Rest basket

The information comes from GET /rest/basket/1 HTTP/1.1. Let’s change the number 1 to 2 and see what happens:

Rest basket other user

We can see the basket of the user with UserID 2! We can do this for any user on the website!

  1. Remove all 5-star reviews
    50c97bcce0b895e446d61c83a21df371ac2266ef

Go to the /administration page and remove all the 5-star reviews with our admin-hacked account.

Task 7: Where did that come from?

XSS or Cross-Site Scripting is one of the most common vulnerabilities and it allows us to run JavaScript in web applications. There are three major types of XSS attacks:

  • DOM XSS, which uses the HTML environment (the DOM) to execute malicious JavaScript.
  • Persistent XSS, which loads malicious JavaScript code that was stored in the application’s database (imagine a blog post comment with JavaScript embedded).
  • Reflected XSS, which runs on the client side of the web application.

More information: Cross-Site Scripting (XSS).

  1. Perform a DOM XSS!
    9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf

Let’s try the search function: instead of searching for something, type <iframe src="javascript:alert(`xss`)">

XSS attack

As the search isn’t sanitised, we can use JavaScript by writing code in their search bar. Let’s go!

  1. Perform a persistent XSS
    149aa8ce13d7a4a8a931472308e269c94dc5f156

Log in as admin, and navigate to Last Login IP.

Last Login IP

It stores the client IP from the Last Login. Cool. We have an idea.

Turn Burp’s Intercept on to catch the logout request. Go to the website and log out.

We have captured the request, but instead of forwarding it, let’s add a new header:

Adding headers to the request

We are adding the same code that popped up an alert. Let’s see what happens.

Forward the request, sign back in with the admin account and navigate again to the Last Login IP page.

Bingo

Bingo!

Right now, we are just adding a simple JavaScript code, but imagine we code something that takes all the cookies and sends us the cookies. Mouth-watering, right?

  1. Perform a reflected XSS
    23cefee1527bde039295b2616eeb29e1edc660a0

Log in as admin and navigate to Order History.

Order history

Order history page

Click the truck icon, and we will be redirected to the track result page, with a URL like this:

http://website.com/#/track-result?id=5647-f354d654302ab5

Replace the ID with our famous script <iframe src="javascript:alert(`xss`)">.

Reflected XSS

Task 8: Exploration

Visit the /#/score-board/ section.

  1. Access the /#/score-board/ page
    7efd3174f9dd5baa03a7882027f2824d2f72d86e

I hope you don’t need help with this one.

Summary

This one was pretty close to what a CTF (an easy one) may look like.

Yes, they hold your hand during this room, but you see what you expect to see during a CTF attack: Enumeration, SQLi, XSS, using Burp Suite, Brute-force, null byte, etc.

Pretty fun, to be honest!

Stats

From 121.950th to 122.070th. I don’t know why, but well..

Here is also the Skill Matrix:

Skill matrix

Resources

Path: Web Fundamentals

Introduction to Web Hacking

TryHackMe: OWASP Juice Shop

Other resources

OWASP’s Top 10 vulnerabilities
Burp Suite basics
SQL Injection
Command injection
Cross-Site Scripting (XSS)
Kali Linux in VirtualBox
Broken Authentication
Poison Null Byte