OWASP JuiceShop
Admin email - [email protected]
Task 4 - Who broke my lock
Task 4 - Question #1: Bruteforce the Administrator account's password
Review over Broken Authentication
We are reviewing weak passwords in high priv accounts
Forgotten password pages
For this section we are using a password list from the best1050 used passwords, this can be obtained by running:
apt-get install seclists
You can load the list from:
Burp Intruder > Positions Payload Marker
Task 4 - Question #2: Reset Jim's password
Here we are essentially going to do some good ol' OSINT on our friend Jim
When we go to our forgot password page, we notice that it provides the information on the user's security questions. For Jim, the security question is "what is the middle name of your eldest sibling".
From one of our previous tasks we find out that Jim enjoys the show Star Trek. So now time for some Googling, Binging, Duck Hunting, whatever suits your fancy.
Task 5 - AH, Don't Look
Task 5 - Question #1: Access the Confidential Document
For this one, direct link associated with the file is of some interests
We view the About Us page, hover over the "terms of use" link, and see the URL goes to an openly available FTP (File Transfer Protocol) server
Here we see a few folders / directories which are now ours for the taking
Task 5 - Question #2: Log into MC SafeSearch's account
Now we are going to do some recon on MC SafeSearch, and it seems that we are provided information by the peeps over at TryHackMe who have kindly linked us the CollegeHumor video associated with this account:
In the video MC Safe Search mentions the format of his password, so now we log ourselves right on in!
Task 5 - Question #3: Download the Backup file
So our goal is to download the .bak file from the FTP directory. However, we are now getting a 403 due to the inability of downloading this certain filetype / extension.
We will use what's called a Poison Null Byte
Poison null byte looks like this %00. Note that we can download it using the url, so we will encode this into a url encoded format.
I used CyberChef to get the URL-Encoded value
Giving us %0025
We then append the URL encoded poisoned null byte to the end of our URL to gain access to the .bak file
Task 6 Who's flying this thing
In this section we are reviewing broken access control. Essentially we are going to try and pivot from a normal user into someone who has privileged permissions. There are two known types of access control, vertical and horizontal.
Vertical Privilege Escalation
Occurs when a user can perform an action or access data of another user with a higher level of permissions.
For more info on broken access controls we can view the official OWASP site
Task 6 - Question #1: Access the administration page
The TryHackMe site tells us to go through and look at a specific Javascript file for "admin".
They look for "app-administration", however this is not the actual value / URL we are wanting to go to.
I ended up searching a little while longer and found the following information:
This is the actual site we will be looking to get access to. So we do the following:
Login to the admin user [email protected]
Go to [box IP]/#/administration
Boomski's you should now have you flag
Task 6 - Question #2: View another user's shopping basket
Check this out now Super Shopper's we are swapping our carts out for someone else's sweet basket of Raspberry Juice!
Essentially we go through and do the following:
Make sure that you are currently intercepting traffic with either Burp or Zap
Top right, click on Basket
Go through and forward your intercepts until you get the following URL
Similar to this image
We can manipulate the number following basket to be another "userid" similar to this image as an example the intercepted request for userid 2 would look like:
Task 6 - Question #3: Remove all 5-star reviews
Go back to the [box ip]/#/administration/ page, and remove the only 5-star review
[Task 7] Where did that come from
There are three major types of XSS attacks:
DOM XSS (Document Object Model-based Cross-site Scripting) uses the HTML environment to execute malicious javascript. This type of attack commonly uses the <script> HTML tag.
Persistent XSS is javascript that is run when the server loads the page containing it. These can occur when the server does not sanitise the user data when it is uploaded to a page. These are commonly found on blog posts.
Reflected XSS is javascript that is run on the client-side end of the web application. These are most commonly found when the server doesn't sanitise search data.
More information: Cross-Site Scripting XSS
Task 7 - Question #1: Perform a DOM XSS
We are going to perform DOM level XSS.
Top right click the search glass
type in:
Press enter, this will give you teh answer
There are several other "methods" for DOM XSS as well, however this specific one did not work for this flag:
You can also attempt to run javascript as URL encoded XSS
Task 7 - Question #2: Perform a persistent XSS
From here we are going to store XSS into the IP Login section of the user profile for admin
Top right, go to Account > Privacy and Security > Last Login IP
We see 0.0.0.0 as the "last login" ip
Turn your intercept on in Burp / Zap
Top right, go to Account > logout
Go to your intercept > headers
Add the new header for:
Forward the request
Sign back into admin
Go to the last IP login
See the XSS alert occur
Task 7 - Question #3: Perform a reflected XSS
Login into the admin account and navigate to the 'Order History' page.
We will use the iframe XSS,
in the place of the order id, for exaple 5267-f73dcd000abcc353
Start by:
Clicking the truck
Cliking "track the order"
Where you see an image tracking your order, we are going to manipulate the URL as the following: 10.10.55.113/#/track-result?id=5267-0252e4000e720f70
I ended up just doing a URL-encoded format for the XSS:
Paste this URL into the bar, and refresh the page and your XSS will appear