
Training Update v0.68


Another week done and it’s Friday again!

Time for more THM!

Today we’re back on the Web Hacking Fundamentals for our final couple of modules for this path.

Today we start the OWASP Juice Shop module. In this module we cover the tasks Open for business!, Let’s go on an adventure!, Inject the juice, Who broke my lock?!, AH! Don’t look!, Who’s flying this thing?, Where did that come from? and Exploration!

Each of these task titles maps to a category of web application vulnerability, which is exactly what OWASP Juice Shop was created to demonstrate!

At the start of this module we are asked to walk the application and find the admin user, who has left a review on one of the products in the shop.


Next we are tasked with logging in to the admin account. We do this with the classic SQL injection payload "' or 1=1--" (a single quote, then or 1=1, then two hyphens), which makes the login query true for every row and comments out the password check, giving us access to the first flag!

Burp Suite request – in the captured POST request we replace the value of the ‘email’ parameter (normally the username) with "' or 1=1--".


The flag confirms that the admin account has been accessed.


Admin Flag – 32a5e0f21372bcc1000a6088b93b458e41f0e02a

Next we are asked to log in to the ‘bender’ account on the web application. This is similar to the admin SQL injection, but because we are given the account’s email address this time we don’t need "' or 1=1--": the email comparison is already true on its own. As the application lacks the relevant controls, we simply append "'--" to the email address to comment out the rest of the query (the password check included), which logs us in as bender and gives us the flag!


Bender Flag – fb364762a3c102b2db932069c0e6b78e738d4066
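To make the two login bypasses above concrete, here is an added example (my own, not Juice Shop’s code) of the defect behind them: a login that builds its SQL by string formatting, next to the same login with bound parameters. The Users table, the emails, the passwords and the MD5 hashing are all constructed for the demo and are not Juice Shop’s real schema or data.

```python
import hashlib
import sqlite3

# Constructed sample users; ids, emails and passwords are made up for this example
SAMPLE_USERS = [
    (1, "admin@example.test", "admin-pass", "admin"),
    (2, "bender@example.test", "bender-pass", "customer"),
]


def md5(password):
    # Unsalted MD5 stands in for whatever weak hash the app uses; it is not the point here
    return hashlib.md5(password.encode()).hexdigest()


def build_db():
    """In-memory Users table shaped like a typical login table (assumed, not Juice Shop's schema)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, "
        "role TEXT, deletedAt TEXT)"
    )
    for uid, email, pw, role in SAMPLE_USERS:
        db.execute("INSERT INTO Users VALUES (?, ?, ?, ?, NULL)", (uid, email, md5(pw), role))
    return db


def vulnerable_login(db, email, password):
    """Builds the SQL by string formatting, the defect the two payloads above exploit.

    "' or 1=1--"             -> WHERE email = '' or 1=1--' AND ...   (every row matches, first one wins)
    "bender@example.test'--" -> WHERE email = 'bender@example.test'--' AND ...  (password check commented out)
    """
    sql = (
        f"SELECT id, email, role FROM Users WHERE email = '{email}' "
        f"AND password = '{md5(password)}' AND deletedAt IS NULL"
    )
    row = db.execute(sql).fetchone()
    return dict(row) if row else None


def safe_login(db, email, password):
    """Same query with bound parameters: the quote and the comment marker are just data."""
    sql = (
        "SELECT id, email, role FROM Users WHERE email = ? "
        "AND password = ? AND deletedAt IS NULL"
    )
    row = db.execute(sql, (email, md5(password))).fetchone()
    return dict(row) if row else None


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_login(db, "' or 1=1--", "anything"))             # admin row
    print(vulnerable_login(db, "bender@example.test'--", "anything"))  # bender row
    print(safe_login(db, "' or 1=1--", "anything"))                    # None
```

The first row returned by the injected query is whichever row SQLite reads first, which is why "' or 1=1--" lands on the admin account here (and in Juice Shop, where admin is also the first user); the bender payload does not rely on ordering at all.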

In the next section we are asked to brute force the admin’s password. We capture a request to the login portal on the Juice Shop, send it to Intruder within Burp Suite, use the ‘§’ (section sign) markers to mark the field we are targeting (in this case the password field) and load SecLists’ Passwords/Common-Credentials/best1050.txt as the payload list for the attack.


Brute Force Flag – c2110d06dc6f81c67cd8099ff0ba601241f1ac0e

Following on, the next task is to reset Jim’s password using the password reset function on the web application (a lot of this application’s data is Star Trek themed). The reset form displays Jim’s security question to anyone who enters his email address.


We find that the answer to the security question is Samuel, which allows us to change the password to ‘12345’ and grab the next flag.


Jim’s Password Reset Flag – 094fbc9b48e525150ba97d05b942bbf114987257

For the next task we navigate to the /about page of the website, and within the text we find a link to the Terms and Conditions (T&C) section of the website.


Following the link we find that the T&C page is served as a plain file, http://10.10.207.39/ftp/legal.md, which holds the legal information of the website. Stepping up one level to /ftp/ reveals a directory listing with an assortment of files that were never meant to be browsable.


We access the acquisitions.md file and get the next flag!

http://10.10.207.39/ftp/acquisitions.md


Confidential Document Flag – edf9281222395a1c5fee9b89e32175f1ccf50c5b

This next section is wild: we need to log in to MC SafeSearch’s account, and after googling ‘MC SafeSearch’ we find his YouTube video about password protection!

In the video he mentions his pet dog ‘Mr Noodles’, and in the song he says he replaces the oo’s with 00’s, so we try ‘Mr N00dles’ as the password and are able to log in as MC SafeSearch.


MC SafeSearch Flag – 66bdcffad9e698fd534003fbb3cc7e2b7b55d7f0

Next we go back to the http://10.10.207.39/ftp/ folder and try to download package.json.bak, but we are met with a 403 which says that only .md and .pdf files can be downloaded.


To get around this we use a “Poison Null Byte”. A null byte is %00 in URL encoding, but the server URL-decodes the path once before the application handles it, so to get the literal %00 through to the application we have to encode the percent sign as well.

The Poison Null Byte we send therefore looks like this: %2500. Appending %2500.md to the file name, giving package.json.bak%2500.md, bypasses the 403: the extension check sees a name ending in .md and allows it, while the code that serves the file cuts the name off at the null byte and returns package.json.bak.


Forgotten Developer Backup Flag – bfc1e6b4a16579e85e06fee4c36ff8c02fb13795
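Here is an added example (mine, not Juice Shop’s code) showing why the double-encoded null byte works: a file handler that allowlists the extension on the full name and only afterwards truncates at the null marker, next to a handler that validates the name the filesystem will actually see. The ordering in the vulnerable version is modelled on what the bypass above implies; the /ftp/ directory path is assumed.

```python
import posixpath
from urllib.parse import unquote

FTP_ROOT = "/srv/juice-shop/ftp"      # assumed location of the /ftp/ directory
ALLOWED_SUFFIXES = (".md", ".pdf")
NULL_MARKER = "%00"


def route_param(raw_path_segment):
    """An Express-style router decodes a path segment once before the handler sees it,
    so the client's %2500 arrives as the literal text %00."""
    return unquote(raw_path_segment)


def vulnerable_serve(file):
    """Returns the path that would be sent, or None for a 403.
    The ordering is the flaw: allowlist on the full name, then truncate at the null marker."""
    if "/" in file:
        return None
    if not file.endswith(ALLOWED_SUFFIXES):
        return None                                  # "Only .md and .pdf files are allowed!"
    if NULL_MARKER in file:
        file = file[: file.index(NULL_MARKER)]       # package.json.bak%00.md -> package.json.bak
    # A single-encoded %00 would arrive here as a real NUL character instead; the extension
    # check still passes but the filesystem call would reject the path, which is why the
    # double encoding is needed against this handler.
    return posixpath.join(FTP_ROOT, file)


def fixed_serve(file):
    """Normalise first, reject anything that is not a plain file name, then check the
    extension on the name that will actually be opened."""
    name = unquote(file)                             # fold any leftover encoding before checking
    if any(ord(c) < 0x20 for c in name) or "%" in name or "/" in name or "\\" in name:
        return None                                  # NUL bytes, double encoding, traversal
    if name in (".", "..") or not name.endswith(ALLOWED_SUFFIXES):
        return None
    full = posixpath.normpath(posixpath.join(FTP_ROOT, name))
    if posixpath.dirname(full) != FTP_ROOT:
        return None                                  # must resolve directly inside FTP_ROOT
    return full


if __name__ == "__main__":
    print(vulnerable_serve(route_param("package.json.bak%2500.md")))   # .../package.json.bak
    print(fixed_serve(route_param("package.json.bak%2500.md")))        # None
```

The general rule the fixed version follows is to decide on the final, fully decoded name and to check the extension on that, never on a string that will be transformed again before it reaches the filesystem.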

The next section relates to Broken Access Control: the application fails to enforce who is allowed to reach a page or resource, so a logged-in user can get at admin functions or other users’ data simply by knowing or guessing the right URL.


In the application’s JavaScript bundle, http://10.10.207.39/main-es2015.js (viewable through the browser’s developer tools), we find the route http://10.10.207.39/#/administration. We log in to the admin account again using the SQL injection and get access to this page.


http://10.10.207.39/#/administration


Admin Section Flag – 946a799363226a24822008503f5d1324536629a0

The next task asks us to view the admin user’s basket. When we open our own basket the browser sends GET /rest/basket/1 HTTP/1.1; changing this to /rest/basket/2 returns another user’s basket and the flag, because the API never checks that the requested basket belongs to the logged-in user.


View Basket Flag – 41b997a36cc33fbe4f0ba018474e19ae5ce52121
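The basket task and the hidden administration route are both access-control failures, so here is one added example (my own, not Juice Shop’s code) covering both: the basket lookup as the bypass above implies it behaves, the same lookup with an ownership check against the server-side session, and a role check for the admin page. Users, baskets and items are constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """What the server knows about the caller from its own session store, not from the URL."""
    user_id: int
    role: str


@dataclass
class Basket:
    id: int
    owner_id: int
    items: list = field(default_factory=list)


# Constructed data: two customers, one basket each
BASKETS = {
    1: Basket(id=1, owner_id=1, items=["Apple Juice"]),
    2: Basket(id=2, owner_id=2, items=["Banana Juice", "Juice Shop T-Shirt"]),
}


def get_basket_vulnerable(session, basket_id):
    """GET /rest/basket/<id> as the task implies it behaves: the id in the URL is trusted
    outright, so changing 1 to 2 returns somebody else's basket."""
    basket = BASKETS.get(basket_id)
    return basket.items if basket else None


def get_basket_checked(session, basket_id):
    """Ownership is enforced against the session. Unknown and foreign ids get the same
    answer, so the endpoint does not confirm which ids exist."""
    basket = BASKETS.get(basket_id)
    if basket is None or basket.owner_id != session.user_id:
        return None
    return basket.items


def administration_page(session):
    """A hash route such as #/administration is only hidden client-side; the API behind it
    has to check the role itself. Returns the basket ids an admin may review."""
    if session.role != "admin":
        return None
    return sorted(BASKETS)


if __name__ == "__main__":
    me = Session(user_id=1, role="customer")
    print(get_basket_vulnerable(me, 2))   # another user's items leak
    print(get_basket_checked(me, 2))      # None
    print(administration_page(me))        # None
```

The point of `get_basket_checked` is that the user id comes from the session the server created at login, not from anything the client sent in the request; an object id in the URL is a lookup key, never proof of ownership.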

From the administration page we delete the five-star customer feedback entry.


Five-Star Feedback Flag – 50c97bcce0b895e446d61c83a21df371ac2266ef

Cross-Site Scripting section –

DOM XSS – We use an iframe element whose src is a javascript: URL that calls alert:

<iframe src="javascript:alert(`xss`)">

Entering this into the search bar triggers the alert.


Note that we are using iframe, a common HTML element found in many web applications; there are other elements and attributes that produce the same result.

Injecting through a frame like this is also called XFS (Cross-Frame Scripting), and it is one of the most common ways of detecting XSS within web applications.

Websites that let user input shape an iframe or other DOM elements without sanitisation will most likely be vulnerable to XSS.

Why does this work?

It is common practice for a search bar to send the search term to the server and then render the returned results on the page, including the term itself, and this is where the flaw lies. Without correct input sanitisation or output encoding, the term is inserted into the DOM as HTML rather than text, so our iframe is rendered and its javascript: URL executes.


DOM XSS Flag – 9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf

Persistent XSS –

We open the Last Login IP section of the admin user’s profile, where the application displays the address it last saw us log in from (the THM VPN IP), and we attempt a persistent XSS on this page.

http://10.10.207.39/#/privacy-security/last-login-ip


We capture the logout request and add a header at the bottom of the request called True-Client-IP with <iframe src="javascript:alert(`xss`)"> as its value.

“The True-Client-IP header is similar to the X-Forwarded-For header, both tell the server or proxy what the IP of the client is. Due to there being no sanitation in the header we are able to perform an XSS attack.”


When we log back in as the admin user and open the Last Login IP page, the alert fires, confirming the stored payload was rendered, and we get the flag.


HTTP-Header XSS Flag – 149aa8ce13d7a4a8a931472308e269c94dc5f156

Reflected XSS! –

We log in to the admin account and navigate to the ‘Order History’ page. From here we see a truck icon; clicking it brings us to the track result page.

We also see that an id is paired with the order in the URL.


We put the iframe payload, <iframe src="javascript:alert(`xss`)">, in place of the order id 5267-cfdfcc1a9c94b6c8 (URL-encoded, since it travels in the query string):


http://10.10.207.39/#/track-result?id=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E


Reflected XSS Flag – 23cefee1527bde039295b2616eeb29e1edc660a0
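The three XSS variants above (search bar, True-Client-IP header, track-result id) all come down to user-controlled text reaching the page as HTML, so here is one added example (my own, not Juice Shop’s code) that takes the room’s iframe payload through each sink, vulnerable next to fixed. The output templates, the header dictionary and the order id pattern (generalised from the single id 5267-cfdfcc1a9c94b6c8 above) are assumptions made for the demo.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# The payload used throughout the room
PAYLOAD = '<iframe src="javascript:alert(`xss`)">'


def render_search_vulnerable(term):
    """DOM XSS: the search term is written into the results markup untouched, so the
    browser parses the iframe and runs its javascript: URL."""
    return f'<h1>Search results for "{term}"</h1>'


def render_search_safe(term):
    """Same template with the term HTML-encoded; the browser shows the tag as text."""
    return f'<h1>Search results for "{html.escape(term, quote=True)}"</h1>'


def last_login_ip_from_headers(headers):
    """Persistent XSS fix: True-Client-IP is only stored if it parses as an IP address.
    A real deployment should also honour the header only when its own proxy set it.
    `headers` is a constructed stand-in for the request headers."""
    raw = headers.get("True-Client-IP")
    if raw is None:
        return None
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None                      # the iframe payload ends up here and is dropped


# Assumed id shape, generalised from the single example 5267-cfdfcc1a9c94b6c8
ORDER_ID = re.compile(r"[0-9]{4}-[0-9a-f]{16}")


def track_result_id(url):
    """The Angular route keeps its query string inside the URL fragment, after the '?'."""
    query = urlsplit(url).fragment.partition("?")[2]
    return parse_qs(query).get("id", [None])[0]


def render_track_vulnerable(url):
    """Reflected XSS: the id is echoed straight back into the page."""
    return f"<p>Tracking order {track_result_id(url)}</p>"


def render_track_safe(url):
    """Allowlist the id's shape first, then encode it on output as well."""
    order_id = track_result_id(url) or ""
    if not ORDER_ID.fullmatch(order_id):
        return "<p>Unknown order</p>"
    return f"<p>Tracking order {html.escape(order_id)}</p>"


if __name__ == "__main__":
    print(render_search_safe(PAYLOAD))
    print(last_login_ip_from_headers({"True-Client-IP": PAYLOAD}))   # None
    print(render_track_safe(
        "http://10.10.207.39/#/track-result?id=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E"
    ))                                                                # Unknown order
```

Two layers are deliberately shown: validating the shape of data that has a known shape (an IP address, an order id) rejects the payload before it is stored or reflected, and HTML-encoding on output protects the sinks where the data is free text, like a search term.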

Nearing the end of the module now, we access the /score-board page and get the final flag for this room.

http://10.10.207.39/#/score-board


Score Board Flag – 7efd3174f9dd5baa03a7882027f2824d2f72d86e

Moving forward I will install (again) Juice Shop locally on my machine and proceed with the additional tasks to keep up my web pentesting skills!

Overall, a good room with some good examples and practice to be had here; I would recommend this module to anyone looking to refresh or learn web application pentesting from scratch!


Until next time & don’t sleepwalk through life!

Goodbye