TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs. Whether you are an expert or beginner, learn through a virtual room structure to understand theoretical and practical security elements.
One of the room in TryHackMe for beginners to learn basics of Web Application Security is OWASP Juice Shop. It has 8 tasks. I am writing about each of the task and how I approached to complete each of those.
You have to first signup to join any of the room in it. There are few simple steps that you can follow in the Signup page. Next follow the steps in the Welcome room to configure the VPN connectivity.
I have connected using OpenVPN on Kali Linux. Once you connect, the access page will look something like this as shown in the image below.
Once you have got the green ticks against Server Status and Connected fields, you are ready to Deploy your machine.
Now we can join the OWASP Juice Shop room and deploy the machine.
Search for OWASP Juice Shop from the Hacktivities page.
Click on the Join Room button.
Task 1: Connect To Our Network
Click on Deploy.
You will see a message that the machine has started.
The IP of the machine that I deployed is displayed along when it is going to expire also. You have an option to add 1 hour and also Terminate if you complete earlier than expected.
I could access the deployed machine with IP 10.10.87.180 from the Firefox browser.
Click on completed for Task 1 and you get a message that Your answer is correct.
Task 2: Configure Burp(If you haven't already)
TryHackMe have already given a detailed procedure on how to configure Burp and your browser to access the proxy. So I'm not going to repeat the same here.
Once you have configured the Burp just click on completed for this task and let us jump to the Task 3.
Task 3: Walk through the application
This website looks like an eCommerce website which sells fruit juice. There is cart where you can add products and checkout, there is also login portal and also a register page to signup just like any other website these days.
For any website these days we can visit About page to know more about it.
Once we clicked on legal, the address bar revealed it uses ftp for transfer the legal document.
Almost all websites have robots.txt. Even this website has and we could see that the /ftp directory is mentioned here too.
I decided to download the legal document to see if the document reveals any sensitive information.
I didn't understand anything in it. Did you?
Let us come back to the Juice Shop and understand which language or framework is used for developing it.
We can just right click on the webpage and select View Page Source from Firefox browser and try to understand which all languages were used. BTW there is a YouTube link in the source code. I followed it watched it. I felt it was funny. LOL!
It revealed that the application is entirely developed using JavaScript
And more information could be found from the OWASP Juice Shop Project page.
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory.
I tried creating an user account as well just to see what are the user inputs required to create an account and what information of customers they collect.
I was able to create an account and logged in as well. It just asks for email ID, password and a security question.
User Profile page has options to set username and upload picture. As a hacker I feel excited when I see option to upload a file. It just adds up to the attack surface.
Now that I have been exploring the application from some time, I could find the what is the language used to develop, and some basic features that is included in the application. And a fair idea of attack surface that we can use later.
Click on completed against Task 3.
Task 4: Injection
The Objective is clearly mentioned. To login as administrator account using SQL Inject. So I decided to check if the login page gives any error by entering a single quote for email field. And it did give an error. So we can use that escape character and also form a payload that application interprets as a true condition.
So I tried by entering the classic SQLi payload ' OR true-- in the email field and some random characters in the password field .It worked! I have now logged in as an administrator.
Here is the confirmation that I am logged in as admin. Click on Completed against task 4.
Task 5: Broken Authentication
This task will involve looking at exploiting authentication through different logic flaws. When we talk about logic flaws within authentication, we include:
forgotten password mechanisms
exploiting bugs in the authentication process
Objective:
#1 reset Jim's password using the forgotten password mechanism - what was the answer to the secret question?
#2 What is the administrator password?
When we go to the Forgot Password page, we will have to enter the email ID of the user we are trying to reset the password. We still don't know the email ID of Jim. So we have to find a way to exfiltrate credentials. I decided to exfiltrate all user information using SQLi from the search field.
From the image you can see that the address bar don't reveal the whole address andsoma part of the path is hidden. The path /#/search?q= is not vulnerable for SQLi and whatever is passed from the search field appears on the page with search result.
Where as if we open the developer tools and check from the Network tool, the search query is passed along with complete path. that is /rest/product/search?q=
When I clicked on Edit and Resend, it gave me an option to edit the query string. Note that this can be done using Burp repeater as well.
I decided to send a single quote as search query.
The response was success. So we can send our SQL Payloads from here.
The union select 1,database() returned a syntax error but revealed it is a SQL Lite database in the back-end.
Now we had to find the escape sequence and our union select payload to match the fields.
the escape sequence after analyzing the source code for search query, I discovered that ')) would work and along that we had to craft a payload with union select statement that matches the no of fields until it returned us a value.
The payload lemon')) union select 1,1,1,1,1,1,1,sql_lite()-- revealed the version of SQL Lite database.
The payload lemon')) union select 1,1,1,1,1,1,email,password from Users-- revealed the user credentials of all the users registered including that of admin's.
I found Jim's credentials as well.
In order to decrypt the password, we can use the online decrypting tool by visiting site https://www.md5online.org/md5-decrypt.html
To find more information about the user Jim, I logged in with Jim's credentials. But it wasn't fruitful and couldn't find any useful information
From the Source of the main page we had found the path for administration. So it is worth trying to get more information from the administration panel
Logged in using admin's credential.
Navigated to administration panel by entering /administration in the browser address bar.
We can find all the registered user information here
User 2 on the list is Jim and he has made a purchase. We can see an address.
Now that we know Jim's email, we can go back to forgot password page. Once we enter email, the secret question is revealed. We have to find eldest sibling's middle name.
Do a Google search with the available information. I entered Jim + Starfleet (we had found this from the administration page) in the Google search and found a Wiki page on James T. Kirk. In the Wiki page search for the words like brother or sister.
The search revealed the the elder brother's middle name which is Samuel
Back to TryHackMe room. Update the answer for both questions.
Click on submit.
Task 6: Sensitive Data Exposure
When creating an application, it's important to store and transmit sensitive data carefully. In some cases, developer may not correctly protect sensitive data so it would be easy to gain access to personal information. In cases where this is done correctly, this protection isn't applied consistently. This task will involve identifying and extracting sensitive data from the application.
Objective:
#1 Access a confidential document and enter the name of the first file with the extension ".md"
If you remember while doing a walk-through of the application, we had found Legal.md file from the ftp directory of the website. But the legal.md contents didn't make any sense. Let us go back to the ftp directory itself and check if there are any other file which contains sensitive data.
Apart from legal.md there is one more file with .md extension, acquisitions.md. It is a sensitive information from business perspective.
Once the filename is updated, click on submit and it will verify and confirm as correct answer.
Task 7: Broken Access Control
We already know the answer for question #1 It is administration. We had found it for Task 5.
For #2 we have to go the basket and then open the developer tools of browser, under developer tools select storage. Under the session storage change the bid value. Here I have changed it from 2 to 1. Refresh the page.
Click on Completed for #2
To get rid of all 5 star customer feedback, log in back to the Juice Shop as admin using the admin credentials. Navigate to the administration page by entering /administration in the address bar.
Just click on the bin button next to the five star rating to delete it.
Click on completed for #3 in the TryHackMe task.
Task 8: Cross Site Scripting(XSS)
Just to check I had enter 1 as Order ID and it appeared in the address bar of the browser and the search result as well. So we can see that the query payload is being reflected in the search result.
Now to perform a XSS attack, The payload used by me is <iframe %00 src="	javascript:prompt(1)	"%00>
Reflected XSS using Track Order Id field is completed.
Now let us go to the search field.
To check if the query is being reflected, enter 1 in search field and click on search. The 1 is reflected back in the search result.
We can use the same payload again. That is <iframe %00 src="	javascript:prompt(1)	"%00>
The Congratulations message appears for completing all the tasks in the room.
If you want to read more about vulnerabilities, refer to the following resources
Injection: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection
Broken Authentication: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication
Sensitive Data Exposure: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure
Cross Site Scripting(XSS): https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
Broken Access Control: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control
OWASP Juice Shop Project: https://owasp.org/www-project-juice-shop/
XSS Payloads: https://github.com/pgaijin66/XSS-Payloads/blob/master/payload.txt
SQLi Payloads: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
I hope this write up was informative for you. Please leave your feedback.
-Srivathsa Dhanvantri
I've recently tried Kapow Vape flavors, and they are amazing!