  • Kaushal Patel

Perform OWASP Juice Shop : TryHackMe

Updated: Jul 27, 2020

Hello Readers! Today I am going to perform the tasks available at https://tryhackme.com/room/juiceshop


This task is designed by the OWASP Foundation to test your web application security testing skills.


Before performing the tasks you need to create an account on TryHackMe.


Sign up!


Search for OWASP Juice Shop in "Hacktivities".


Select OWASP Juice Shop! You can find all 8 tasks below the title.



Are you excited? I am going to hack this web application! Let's do it!


[Task 1] Connect To Our Network

After successful login there is an Access page on the web site. Click it!

For easy access, it is recommended to use "Kali Linux".

Click "Download My Configuration File".


Process to install and connect OpenVPN on the Kali machine:

Use "sudo openvpn /path-to-file/filename.ovpn".

Now I am successfully connected and can perform the tasks.

Hurray! I completed Task 1!

Here, the IP address "10.X.X.X" is used to connect to the OWASP Juice Shop web application. I am now connected to the private network, and there is an active machine available to me for the next 1 hour.

Note: You can deploy this machine as many times as you need, but once the 1 hour is over you have to wait 10 minutes to deploy again. The IP address varies every time.


[Task 2] Configure Burp (If you haven't already)

In this task there is a complete guide available on the same site; Click Here! to know more.


[Task 3] Walk Through The Application

First we have to check the functionality of the web application.


  1. Create an account.

  2. Click on the links so you can see what the application does (and identify the attack surface, i.e. what parts of the application have functionality that you can attack).

  3. Use the different functionality (e.g. making transactions).



Steps:


1. Discover and observe the web application's functionality to find the attack surface.

2. View page source code.


3. Follow the YouTube link → nothing, just for fun...!



4. Create an account.



5. Click “Not yet a customer?”

6. User Registration.

-->Email: test@yahoo.com

-->Password: admin

-->Answer the security question: lalala



7. Try to login with created account.



8. Try changing password.



9. Enter the required data → It's very easy to change a password.



Conclusion:


The things I discovered so far:

  1. The site was developed using JavaScript.

  2. SQL Injection (SQLite).

  3. Password is easily changed.

  4. Exposure of data.


[Task 4] Injection

Log in with the administrator's user account using SQL injection!


1. Try to inject the login page


2. Try SQL injection

-->Email: 1' OR 1 = 1 -- -

-->Password: 1


3. It seems like we logged in with the admin account


4. Admin email is admin@juice-sh.op


5. Success!!!


[Task 5] Broken Authentication

  1. Reset Jim’s password using the forgotten password mechanism — what was the answer to the secret question?

  2. What is the administrator password?


Steps:


1. We need to find Jim's credentials.


2. While checking the site functionality I observed there is a search function, but this function cannot be injected.


3. After inspecting the search function with Burp Suite and reloading the request → http://10.X.X.X/#/search?q=



4. I found the API URL: rest/product/search?q=


5. I follow the URL and get some data back as a result.



6. Injection

Break the SQL query by using a single quote ( ' ) as the attack pattern:

http://10.X.X.X/rest/product/search?q='


7. Try to find the correct number of columns using multiple UNION SELECT queries; finally I get a result.


http://10.X.X.X/rest/product/search?q=' )) union select 1,2,3,4--

http://10.X.X.X/rest/product/search?q=' )) union select 1,2,3,4,5--

http://10.X.X.X/rest/product/search?q=' )) union select 1,2,3,4,5,6,7--


http://10.X.X.X/rest/product/search?q=' )) union select 1,2,3,4,5,6,7,8--


Success !!!


8. Now, try to enumerate the database.


http://10.X.X.X/rest/product/search?q=' )) union select 1,2,3,4,5,6,7,sqlite_version()--


Here, I can find the SQLite version.
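From a defender's side, the probes in steps 6 to 8 are easy to spot in the web server's access log. The following is an added example (my own code, not from the original post or the Juice Shop project) that scans log lines for them; the combined log format and the sample lines are assumptions constructed for this example.

```javascript
// Added example (not from the original post or the Juice Shop project): scan
// access-log lines for the SQL injection probes sent to /rest/product/search
// above. Combined log format is assumed; the sample lines are constructed.
const SQLI_PATTERNS = [
  { name: "union-select", re: /union\s+(all\s+)?select/i },
  { name: "comment-terminator", re: /--\s*-?\s*$/ },
  { name: "sqlite-enum", re: /sqlite_version\s*\(|sqlite_master|from\s+users/i },
];
// Decode one query-string value (+ and %XX); keep the raw text if malformed.
function decodeParam(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, " ")); } catch { return raw; }
}
// Decoded values of every query parameter in a request path.
function queryValues(path) {
  const idx = path.indexOf("?");
  if (idx < 0) return [];
  return path.slice(idx + 1).split("&").map((kv) => decodeParam(kv.slice(kv.indexOf("=") + 1)));
}
// Parse one log line; report which patterns its query values match.
function inspectLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  const [, ip, method, path, status] = m;
  const hits = new Set();
  for (const value of queryValues(path)) {
    for (const p of SQLI_PATTERNS) if (p.re.test(value)) hits.add(p.name);
  }
  return { ip, method, path, status: Number(status), hits: [...hits] };
}
// Per-IP summary: a burst of union-select probes from one client is the column-count guessing of step 7.
function summarizeByIp(lines, probeThreshold = 3) {
  const byIp = new Map();
  for (const r of lines.map(inspectLogLine).filter(Boolean)) {
    const s = byIp.get(r.ip) || { requests: 0, flagged: 0, unionProbes: 0, enumerating: false };
    s.requests += 1;
    if (r.hits.length) s.flagged += 1;
    if (r.hits.includes("union-select")) s.unionProbes += 1;
    s.enumerating = s.unionProbes >= probeThreshold;
    byIp.set(r.ip, s);
  }
  return byIp;
}
// Constructed sample: one benign search, then the walkthrough's probes.
const SAMPLE_LOG = [
  '10.9.1.5 - - [27/Jul/2020:10:00:01 +0000] "GET /rest/product/search?q=apple HTTP/1.1" 200 512',
  '10.9.1.7 - - [27/Jul/2020:10:02:30 +0000] "GET /rest/product/search?q=%27%20))%20union%20select%201,2,3,4-- HTTP/1.1" 500 89',
  '10.9.1.7 - - [27/Jul/2020:10:02:55 +0000] "GET /rest/product/search?q=%27%20))%20union%20select%201,2,3,4,5,6,7,8-- HTTP/1.1" 200 1204',
  '10.9.1.7 - - [27/Jul/2020:10:03:20 +0000] "GET /rest/product/search?q=%27%20))%20union%20select%201,2,3,4,5,6,7,sqlite_version()-- HTTP/1.1" 200 1190',
];
```

A lone quote in the search box is not flagged on purpose, since "men's" style searches are normal; the per-IP burst is what separates probing from noise.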


9. http://10.X.X.X/rest/product/search?q=' )) union select 1,2,3,4,5,6,email,password from Users--

I successfully fetched the email and password from the database using SQL queries.

Here, the email is "jim@juice-sh.op" and the password is not in human-readable text.

Using a hash analyzer I identified the hashing method of the password, which is MD5.

Now, I am excited to crack this hash using an online MD5 lookup: Click Here


BOOM!! I got the password of user jim.


10. Now I can find the administrator user and try to crack the password.



WOW!!! I found the password of the administrator account!


11. But I still can't reset Jim's password. Let's try the other way.

Now, I have Jim's password. Let's try to log in with it and enumerate more.


12. Inspect the content of the site with Ctrl+I (inspect element) using the browser's Sources function.


13. Inspect main.js and search for "admin".

Now try http://10.X.X.X/#/administration


14. There is a Recycling Request listed on this page.


15. Try to reset Jim's password.


Here, there is a hint in this address. Let's google this address and check what I can get from it...!





Let's try with Star Trek characters' names. Start by searching for James T. Kirk and accessing the Wikipedia page.

Try resetting with "George", "Peter" and "Aurelan" → but these failed.

Try resetting with "Samuel".


Now check and verify by intercepting the traffic.


Success !!!!


Finally ! I completed [TASK 5].


[Task 6] Sensitive Data Exposure
  • Access a confidential document and enter the name of the first file with the extension “.md”

1. Try to access the file robots.txt in the web application: http://10.X.X.X/robots.txt


2. Access http://10.X.X.X/ftp/

Here I am able to access the FTP directory of the web application. Now try to download all files and check for any hint!

After checking all files and folders there is a file acquisitions.md, which is already mentioned in the task.


3. Download and open "acquisitions.md"



Success !!!


[Task 7] Broken Access Control

  • Access the administration section of the store — What is the name of the page?

  • Access someone else’s basket

  • Get rid of all 5 star customer feedback

Steps:


1. I already found and accessed the administration page in [Task 5].




2. Access the Basket page.


3. Inspect with Ctrl+I (web page element) in the web browser and check the application function.



4. In session storage, edit the bid value from 1 to 2 or 3.


5. Reload the page after changing the bid value.


6. Now, back on the administration page, delete the 5-star feedback.


Delete the first five-star rating comment.


Finally !!!!
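What step 4 exploits is a missing ownership check on the basket lookup. The following added example (my own code, not from the post or the Juice Shop project; the basket records, session shape and HTTP-style results are assumptions) shows the unsafe lookup beside the fixed one.

```javascript
// Added example (not from the original post or the Juice Shop project): the
// access-control check that editing "bid" in session storage bypasses. Looking a
// basket up by the client-supplied bid alone hands over anyone's basket; the fixed
// handler requires the basket to belong to the authenticated user. Baskets, users
// and the session shape below are constructed for this example.
const BASKETS = [
  { id: 1, UserId: 1, items: [{ product: "Apple Juice", qty: 2 }] },
  { id: 2, UserId: 2, items: [{ product: "Banana Juice", qty: 1 }] },
  { id: 3, UserId: 3, items: [] },
];

// Unsafe: trusts whatever bid the browser sends (here, read from sessionStorage).
function getBasketUnsafe(requestedBid) {
  return BASKETS.find((b) => b.id === Number(requestedBid)) || null;
}

// Safe: the server-side session identifies the caller, and the requested bid
// must match a basket that caller owns. Returns an HTTP-style result.
function getBasketSafe(session, requestedBid) {
  if (!session || !Number.isInteger(session.userId)) return { status: 401, body: null };
  const bid = Number(requestedBid);
  if (!Number.isInteger(bid)) return { status: 400, body: null };
  const basket = BASKETS.find((b) => b.id === bid);
  // Same 404 for "missing" and "not yours", so valid ids cannot be enumerated.
  if (!basket || basket.UserId !== session.userId) return { status: 404, body: null };
  return { status: 200, body: basket };
}

// Safer still: do not accept a bid from the client at all; derive it from the session.
function getOwnBasket(session) {
  if (!session || !Number.isInteger(session.userId)) return { status: 401, body: null };
  const basket = BASKETS.find((b) => b.UserId === session.userId);
  return basket ? { status: 200, body: basket } : { status: 404, body: null };
}

// Replay the walkthrough: user 1 changes bid from 1 to 2 and reloads.
function replayWalkthrough() {
  const session = { userId: 1 };
  return {
    unsafe: getBasketUnsafe(2),
    safe: getBasketSafe(session, 2),
    own: getOwnBasket(session),
  };
}
```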



[Task 8] Cross Site Scripting (XSS)

  • Carry out reflected XSS using Tracking Orders

  • Carry out XSS using the Search field?


Steps:


1. Log in with any user and go to Track Orders.


2. Try to put in some numbers.


Search works normally.


3. Put "<script>alert('XSS')</script>" in the request.


This script works correctly and solves the challenge, but there is still no popup as the "alert" in the script would suggest.


4. Now we try a different script. Put the following in the search function: <iframe src="javascript:alert('xss')">


5. We can also try the following in the search function: http://10.X.X.X/#/track-result?id=<iframe src="javascript:alert('xss')">


BOOM !!!
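The fix for this reflection is output encoding of the tracking id before it goes into the page. The added example below (my own code, not from the post or the Juice Shop project; the page template is an assumption) renders the page's two payloads unsafely and safely, and its comments note why the script payload gave no popup while the iframe one did.

```javascript
// Added example (not from the original post or the Juice Shop project): the
// tracking-id reflection above, rendered unsafely and then with HTML output
// encoding. The template is an assumption; the payloads are the page's own.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for the HTML text context so it can never start a tag.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: the id is pasted straight into markup, so tags in it become live DOM.
function renderTrackResultUnsafe(id) {
  return `<p>Results for <b>${id}</b></p>`;
}

// Safe: every user-controlled value is encoded before it enters the template.
function renderTrackResultSafe(id) {
  return `<p>Results for <b>${escapeHtml(id)}</b></p>`;
}

// Does the rendered markup still contain any tag that came from the input?
function containsInjectedTag(markup, id) {
  const tags = id.match(/<[a-z!\/][^>]*>/gi) || [];
  return tags.some((t) => markup.includes(t));
}

// The two payloads from the walkthrough. Why they behaved differently: markup
// inserted through innerHTML never executes <script> elements, but an
// <iframe src="javascript:..."> created the same way does run its URL.
const PAYLOADS = ["<script>alert('XSS')</script>", "<iframe src=\"javascript:alert('xss')\">"];

function checkPayloads() {
  return PAYLOADS.map((p) => ({
    payload: p,
    unsafeLeaksTag: containsInjectedTag(renderTrackResultUnsafe(p), p),
    safeLeaksTag: containsInjectedTag(renderTrackResultSafe(p), p),
  }));
}
```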


Finally I completed the [Task 8] ! With this task I completed the whole challenge.

Success !!!!!!!!!!!!!!!!!


Hurreyyyy !!!!!


Finally I completed all challenges !!!!!
