OWASP Juice Shop gives us a good introduction to what a CTF is. Although the room holds your hand throughout the challenges, you get to see what a CTF looks like.
Time for our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What I have learnt today?
- Stats
- Resources
Introduction to OWASP Juice Shop
Juice Shop is a large, deliberately vulnerable application in which we will cover some of the OWASP Top 10 vulnerabilities. It is important that you know the Burp Suite basics, and in particular how to use the Repeater tool.
We won't cover all of the OWASP Top 10, but we will cover Injection, Broken Authentication, Sensitive Data Exposure, Broken Access Control, and Cross-Site Scripting (XSS).
What I have learnt today?
Task 1: Open for business
Let’s get ready:
Questions
- Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.
No answer needed
- Once the machine has loaded, access it by copying and pasting its IP into your browser; if you're using the browser-based machine, paste the machine's IP into a browser on that machine.
No answer needed
We have deployed the virtual machine (either the browser-based one TryHackMe attaches to the task or our own machine connected via OpenVPN), it has loaded, and we are on its main page:
Task 2: Let’s go on an adventure
Before doing anything, set Burp's Intercept to off and browse around the site. Not only does this let you familiarise yourself with the application, Burp also logs every request made in its HTTP history. This is a form of reconnaissance.
Now, not only do we know the structure of the website, but we have found some folders, files, and more.
Questions
- What’s the Administrator’s email address?
admin@juice-sh.op
The website has no obvious place to find the admin's email, but the shop items have reviews. If we click on the Apple Juice item, we can see it:
- What parameter is used for searching?
q
The magnifying glass on the top-right banner, next to the Account and Language switcher, pops out a search bar. If you search for something, the URL includes the term you searched for as a key-value pair: the term is the value and the key is q.
- What show does Jim reference in his review?
Star Trek
Jim made a review on the Green Smoothie:
He talks about a replicator. If we Google it, we get results explaining that it is a machine from the TV series Star Trek (100% recommended, by the way).
Task 3: Inject the juice
Ok, time for real fun.
We are going to focus on injection vulnerabilities. This type of vulnerability is quite dangerous, as it can potentially cause loss and manipulation of data. The first thing we need to do is identify injection points within a web application.
There are many types of injection attacks, such as SQL Injection, Command injection and Email injection.
But today, we will be using the first one: SQL Injection. Put your hood and sunglasses on, turn off the light and let’s hack!
Questions
- Log into the administrator account!
32a5e0f21372bcc1000a6088b93b458e41f0e02a
Navigate to the login page, enter a random email and password, turn Intercept on, and submit the form. Make sure Intercept is on, because we need to capture the login request!
Right-click the captured request and send it to Repeater, so we can keep working on a copy, then drop the original.
In Repeater, change the email value to: ' or 1=1;--
The single quote closes the string literal the server wraps the email in. The condition 1=1 is always true, so the WHERE clause matches every user and the database returns the first row, which in Juice Shop is the admin account. The two dashes (--) start an SQL comment, so everything that originally followed, including the password check, is ignored by the database engine.
In other words, the server is told to return a user whose email is an empty string OR 1=1. Since 1=1 always holds, a user is returned even though we supplied no valid credentials.
The response in Repeater contains the admin user. Let's try the same ' or 1=1;-- payload in the website's login form, with any password.
We are logged in as admin!
- Log into the Bender account!
fb364762a3c102b2db932069c0e6b78e738d4066
Now we have to log in as bender@juice-sh.op. With the login request still in Repeater, let's modify it and send it again:
The response says Invalid email or password. We know the email is correct, but we don't know the password! Luckily, we don't need it, because we can still manipulate the SQL query:
I changed the email value to bender@juice-sh.op';-- . We don't need OR 1=1 this time, because we know the user exists. The quote closes the string literal and the comment marker (--) tells the server to "return the user whose email is bender@juice-sh.op", ignoring the "... and the password is XXXX" part that follows.
With the comment, the password check is removed and we are simply requesting the user with that specific email.
Normal query:
Return me the user with the email XXXX and the password YYY.
Commented query:
Return me the user with the email XXXX. (The "-- and the password YYY" part is now a comment and never reaches the database engine.)
I hope it is pretty clear.
If we try to log in on the website as bender@juice-sh.op';-- with any random password, we are logged in again, this time as Bender!
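To make the two payloads concrete, here is an added example (not code from the room or from Juice Shop itself) that models the login query in Python against an in-memory SQLite database. The table layout, the unsalted MD5 password hashing and the sample accounts are assumptions chosen to mirror the shape of the query described above: the emails come from the room, the ids, passwords and roles are made up.

```python
import hashlib
import sqlite3

# Constructed sample accounts standing in for Juice Shop's Users table.
# The emails appear in the room; ids, passwords and roles are made up here.
SAMPLE_USERS = [
    (1, "admin@juice-sh.op", "not-the-real-admin-password", "admin"),
    (2, "jim@juice-sh.op", "ncc-1701", "customer"),
    (3, "bender@juice-sh.op", "shiny-metal", "customer"),
]


def md5_hex(text: str) -> str:
    """Unsalted MD5, so the WHERE clause compares a hash rather than the plaintext
    (assumption: this mirrors the shape of the real query, not its exact code)."""
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [(uid, email, md5_hex(pw), role) for uid, email, pw, role in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """The flawed pattern: the email is pasted into the SQL text, so a quote in it
    ends the string literal and whatever follows is parsed as SQL."""
    query = (
        "SELECT id, email, role FROM Users "
        f"WHERE email = '{email}' AND password = '{md5_hex(password)}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, password: str):
    """The fix: bound parameters keep the email as data; the SQL text never changes."""
    return conn.execute(
        "SELECT id, email, role FROM Users WHERE email = ? AND password = ?",
        (email, md5_hex(password)),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Payload 1 from the room: closes the string, adds an always-true condition,
    # comments out the password check. The first row (admin) comes back.
    print(login_vulnerable(db, "' or 1=1;--", "anything"))
    # Payload 2: closes the string after a known email and comments out the rest.
    print(login_vulnerable(db, "bender@juice-sh.op';--", "anything"))
    # The same payloads against the parameterised query match no email at all.
    print(login_safe(db, "' or 1=1;--", "anything"))
    print(login_safe(db, "bender@juice-sh.op';--", "anything"))
```

The point to take away is that the vulnerable and the safe function send the same logical query; the only difference is whether the email travels inside the SQL text or as a bound parameter.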
Task 4: Who broke my lock?
We are going to exploit the authentication system through different flaws. Flaws may include:
- Weak passwords in high privileged accounts.
- Forgotten password pages.
More information at Broken Authentication.
- Bruteforce the Administrator account’s password!
c2110d06dc6f81c67cd8099ff0ba601241f1ac0e
We have used SQL injection to log in as administrator, but we still don't know the password. As we know one thing (the admin's email), we can brute-force our way to it!
Send the login request (the one we have in Repeater, for example) to Intruder.
Clear all positions, select the password value and click Add §. This marks where each payload should be inserted. Then set the email field to the admin's email, admin@juice-sh.op.
Use best1050.txt as the payload list (it ships with SecLists, installable on Kali with apt-get install seclists, under /usr/share/seclists/Passwords/Common-Credentials/best1050.txt) and start the attack.
Requests that get a 401 Unauthorized response failed; the one that returns 200 OK is the successful login, and its payload is the admin's password. Sorting the Intruder results by status code or response length makes it stand out.
- Reset Jim’s password!
094fbc9b48e525150ba97d05b942bbf114987257
Let's reset Jim's password. Go to the Forgot Password page and enter Jim's email. The Security Question that appears is: Your eldest siblings middle name?
If you remember, in Task 2 we found that Jim loves Star Trek. If we Google "Jim Star Trek", we find James T. Kirk's Wikipedia page and a list of his family:
His brother is George Samuel Kirk, so the middle name is Samuel. Let's enter that as the answer to the Security Question.
Now Jim has lost his account. Bad luck!
Yes, this task may seem a bit kooky, but it points out a common mistake. If a security question has an easy-to-find answer, a 2-minute Google search can undo all the security you tried to implement.
Instead of a character from a 1960s TV series, a real security question might ask for your mother's name or your dog's. With Instagram, Facebook, Twitter, etc. within everyone's grasp, an attacker can find out your mother's or your dog's name, because people upload their whole life to the Internet for Internet points. Don't do it. If you must use security questions, at least let the user write their own question and answer; a reset link sent to a verified email address or a second factor is a much stronger recovery mechanism.
Task 5: Ah! Don’t look!
A web application should store and transmit data safely and securely. When it doesn't, the website becomes vulnerable.
Sometimes data protection is applied, but not consistently, leaving certain data accessible to the public. Other times information is leaked outright, giving an attacker a foothold for further attacks.
- Access the Confidential document
edf9281222395a1c5fee9b89e32175f1ccf50c5b
Navigate to the About Us page and hover over the green text
On the bottom-left of the screen, you can see that the green text links to …/ftp/legal.md. Navigating to the /ftp/ directory reveals data exposed to the public!
The /ftp/ directory listing shows every file in that folder, although, as we will see in a moment, only some of them can be downloaded directly. To solve this challenge, download acquisitions.md and open it.
- Log into MC SafeSearch’s account
66bdcffad9e698fd534003fbb3cc7e2b7b55d7f0
The rapper says his password is Mr. Noodles, but with some vowels replaced by zeros. The password is therefore Mr. N00dles. Just log in with his account using that password (mind the space!).
- Download the Backup file!
bfc1e6b4a16579e85e06fee4c36ff8c02fb13795
If we go back to the ftp folder and try to download package.json.bak, we are met with an error: Only .md and .pdf files are allowed!
Enter the Poison Null Byte filter bypass.
A null byte (0x00) is the string terminator in C and in many lower-level APIs built on it. If a higher-level check looks at the whole string but the code that actually opens the file stops reading at the first null byte, the two see different filenames: the check sees package.json.bak%00.md and is satisfied by the .md ending, while the file lookup sees only package.json.bak.
URL-encoded, a null byte looks like %00, but simply appending %00.md to the URL won't work here. We need %2500.md instead: the web server decodes the path once before running the extension check, turning %2500 into the literal text %00, and the resulting name ends in .md, so it passes. The file-serving code then decodes a second time, the %00 becomes a real null byte, and the name is cut off at package.json.bak. It gets decoded not once, but twice. (Juice Shop is a Node.js application; no PHP is involved.)
%25 is the URL encoding for %.
The server checks that the requested file ends in .md, and it does! But little does it know that we are effectively telling the file-handling code to ignore everything to the right of %2500.
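The check-then-use mismatch described above, as an added example in Python (not Juice Shop's own code). The two-stage decoding, the allowlist and the file listing are assumptions constructed to mirror the behaviour the room shows; the hardened variant applies the rule that the string you validate must be the exact string you go on to use.

```python
from urllib.parse import unquote

ALLOWED_EXTENSIONS = (".md", ".pdf")

# Constructed stand-in for the files listed under /ftp in the room.
FTP_FILES = {"legal.md", "acquisitions.md", "package.json.bak"}


def resolve_vulnerable(path_segment: str):
    """Flawed flow: the extension check runs on a once-decoded name, but the file
    is later looked up by a twice-decoded, null-byte-truncated name."""
    name = unquote(path_segment)  # web framework decodes once: %2500 -> '%00'
    if "\x00" in name:
        return None  # a raw %00 is refused outright: runtimes reject NUL in paths
    if not name.lower().endswith(ALLOWED_EXTENSIONS):
        return None  # "Only .md and .pdf files are allowed!"
    # Lower layer decodes again ('%00' -> NUL) and, like a C string, stops at the NUL.
    real_name = unquote(name).split("\x00", 1)[0]
    return real_name if real_name in FTP_FILES else None


def resolve_safe(path_segment: str):
    """Hardened flow: decode exactly once, reject control bytes and separators,
    then validate and look up the very same string."""
    name = unquote(path_segment)
    if any(ord(c) < 0x20 for c in name) or "/" in name or "\\" in name:
        return None  # NUL and other control bytes never belong in a filename
    if not name.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    return name if name in FTP_FILES else None  # no second decode, no mismatch


if __name__ == "__main__":
    print(resolve_vulnerable("package.json.bak%2500.md"))  # the bypass from the room
    print(resolve_vulnerable("package.json.bak"))          # blocked by the allowlist
    print(resolve_safe("package.json.bak%2500.md"))        # literal '%00.md' is no file
```

Note that resolve_safe does not need to know about null bytes specifically: because it never decodes a second time, the literal name package.json.bak%00.md is looked up as-is and simply does not exist.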
Task 6: Who’s flying this thing?
We can categorise Broken access control exploits or bugs into one of two types:
- Horizontal privilege escalation: When a user can perform an action or access data of another user with the same level of permissions.
- Vertical privilege escalation: When a user can perform an action or access data of another user with a higher level of permissions.
- Access the administration panel
946a799363226a24822008503f5d1324536629a0
Open the Debugger/Sources tab of your browser's Developer Tools. Then refresh the main page and look for a JS file called main-es2015.js.
Let’s open the http://WEBSITE/main-es2015.js file and search for admin:
One stands out:
This points out that there is a page called /administration. Let’s have a look.
We do, and we are kicked out: for a second we can see a warning, but then we are redirected to the main page. Let's log in as admin and try again:
- View another user’s shopping basket!
41b997a36cc33fbe4f0ba018474e19ae5ce52121
While logged in as admin, turn on Burp Suite with Intercept enabled. Then go to Your Basket in the OWASP Juice Shop:
The basket contents come from GET /rest/basket/1 HTTP/1.1. Let's change the number 1 to 2 and see what happens:
We can see the basket of the user with UserID 2! The server never checks that the requested basket belongs to the logged-in user, so we can do this for any user on the website.
- Remove all 5-star reviews
50c97bcce0b895e446d61c83a21df371ac2266ef
Go to the /administration page and remove all the 5-star reviews with our admin-hacked account.
Task 7: Where did that come from?
XSS, or Cross-Site Scripting, is one of the most common web vulnerabilities: it lets an attacker run JavaScript in other users' browsers, in the context of the vulnerable site. There are three major types of XSS attacks:
- DOM XSS, where the page's own client-side JavaScript writes attacker-controlled input (for example from the URL) into the DOM without sanitising it, so the payload is executed without the server ever having to echo it back.
- Persistent (stored) XSS, where the malicious JavaScript is saved on the server (for example in the database) and served to every user who views it (imagine a blog post comment with JavaScript embedded).
- Reflected XSS, where the payload in a request is echoed straight back in the server's response and executes in the victim's browser.
More information: Cross-Site Scripting (XSS).
- Perform a DOM XSS!
9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf
Let's try the search function. Instead of searching for something, type: <iframe src="javascript:alert(`xss`)">
As the search isn’t sanitised, we can use JavaScript by writing code in their search bar. Let’s go!
- Perform a persistent XSS
149aa8ce13d7a4a8a931472308e269c94dc5f156
Log in as admin, and navigate to Last Login IP.
![[day_034_last_login_ip.png]]
It stores the client IP from the Last Login. Cool. We have an idea.
Turn Burp’s Intercept on to catch the logout request. Go to the website and log out.
We have captured the request, but instead of forwarding it as-is, let's add a new header. Juice Shop reads the client IP from the True-Client-IP header, so we set that header to our payload:
We are adding the same code that popped up an alert before. Let's see what happens.
Forward the request, sign back in with the admin account and navigate again to the Last Login IP page.
Bingo!
Right now we are only adding a simple alert, but imagine a payload that reads the victim's cookies and sends them to us. Mouth-watering, right?
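Two defences would have stopped this stored XSS, and here is an added example (not Juice Shop's code) showing both in Python: validate a client-supplied IP header as an actual IP address before storing it, and HTML-escape whatever is stored when rendering it. The function names are made up; the assumption is that the application takes the "last login IP" from a header the client controls, as the room demonstrates.

```python
import html
import ipaddress

# The payload from the room, as it would arrive in the spoofed client-IP header.
XSS_PAYLOAD = '<iframe src="javascript:alert(`xss`)">'


def store_last_login_ip_vulnerable(header_value: str) -> str:
    """Trusts the header: whatever the client sent is saved to the user's profile."""
    return header_value


def render_last_login_vulnerable(stored_ip: str) -> str:
    """Interpolates the stored value straight into HTML, so markup in it is live."""
    return f"<p>Last login IP: {stored_ip}</p>"


def store_last_login_ip_safe(header_value: str):
    """Input validation: the field is an IP address, so only an IP address is stored.
    Anything that does not parse (including our payload) is dropped."""
    try:
        return str(ipaddress.ip_address(header_value.strip()))
    except ValueError:
        return None


def render_last_login_safe(stored_ip) -> str:
    """Output encoding: even if a bad value ever reached storage, it is shown as text."""
    shown = "unknown" if stored_ip is None else html.escape(stored_ip, quote=True)
    return f"<p>Last login IP: {shown}</p>"


if __name__ == "__main__":
    print(render_last_login_vulnerable(store_last_login_ip_vulnerable(XSS_PAYLOAD)))
    print(render_last_login_safe(store_last_login_ip_safe(XSS_PAYLOAD)))
    print(render_last_login_safe(store_last_login_ip_safe(" 10.0.2.15 ")))
```

The two defences are independent: validation keeps junk out of the database, while escaping on output protects every page that displays the value, including ones written later by someone who forgot where the data came from.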
- Perform a reflected XSS
23cefee1527bde039295b2616eeb29e1edc660a0
Log in as admin and navigate to Order History.
![[day_034_order_history.png]]
![[day_034_order_history_page.png]]
Click the truck icon, and we will be redirected to the track result page, with a URL like this:
http://website.com/#/track-result?id=5647-f354d654302ab5
Replace the id value with our famous payload <iframe src="javascript:alert(`xss`)"> and load the page.
Task 8: Exploration
Visit /#/score-board/ section.
- Access the /#/score-board/ page
7efd3174f9dd5baa03a7882027f2824d2f72d86e
I hope you don’t need help with this one.
Summary
This one was pretty close to what an easy CTF may look like.
Yes, they hold your hand during this room, but you see what you expect to see during a CTF attack: Enumeration, SQLi, XSS, using Burp Suite, Brute-force, null byte, etc.
Pretty fun, to be honest!
Stats
From 121.950th to 122.070th. I don’t know why, but well..
Here is also the Skill Matrix:
Resources
Path: Web Fundamentals
Introduction to Web Hacking
Other resources
OWASP’s Top 10 vulnerabilities
Burp Suite basics
SQL Injection
Command injection
Cross-Site Scripting (XSS)
Kali Linux in VirtualBox
Broken Authentication
Poison Null Byte