Review "OWASP Juice Shop v.10.3.1" Walkthrough solution on Docker

Ploy Thanasornsawan
7 min read · May 13, 2020


refer: https://github.com/bkimminich/juice-shop

How to access the score-board?
Solution:
localhost:3000/#/score-board

How to check Error Handling on login?
Solution: SQL injection: put a single quote in both email and password.

Name: Confidential document

Open http://localhost:3000/ftp/acquisitions.md to solve the challenge.

I tried to click and download all the files to see the data inside, but some files redirected to an error when clicked. So I searched for Local File Inclusion (LFI). I found that the LFI null byte can be either %00 or %2500, but in this case %00 does not work. So I tried %2500, and then I could download the file.

from https://hakin9.org/web-application-penetration-testing-local-file-inclusion-lfi-testing/

I see '==' at the end. I immediately knew it was base64 format.
I tried to decode it on the command line and put the result in the browser, but it did not work.

So I searched Google for a multi-decoder because I did not know this format, and found this website: http://fbcs.bplaced.net/multi_encoder_decoder.html

The result with ROT 5+13 looks human-readable. So I tried localhost:3000/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg in the browser again, and this time it passed!!
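The two-layer decode described above, as an added example (not code from the post or from Juice Shop): base64 first, then ROT13 on letters and ROT5 on digits. The sample blob is constructed here from the path the walkthrough reports, not copied from the easter-egg file.

```javascript
// ROT13 for letters and ROT5 for digits. Both are their own inverse, so the same
// function encodes and decodes.
function rot13rot5(text) {
  return text.replace(/[A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    if (ch >= '0' && ch <= '9') {
      return String.fromCharCode(((code - 48 + 5) % 10) + 48);
    }
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((code - base + 13) % 26) + base);
  });
}

// Strip the base64 layer (Buffer is a Node global), then undo the rotation.
function decodeEasterEgg(blob) {
  const rotated = Buffer.from(blob, 'base64').toString('utf8');
  return rot13rot5(rotated);
}

// Sanity check for "looks human readable": a URL-path-shaped string.
function looksLikePath(text) {
  return /^\/[A-Za-z0-9._~\/-]+$/.test(text);
}

// Constructed sample: the rotated form of the path from the walkthrough, base64-encoded.
const SAMPLE_PATH = '/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg';
const SAMPLE_BLOB = Buffer.from(rot13rot5(SAMPLE_PATH), 'utf8').toString('base64');

console.log(decodeEasterEgg(SAMPLE_BLOB)); // prints the path above
```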

Okay, I tried the same LFI null byte technique with %2500 again on coupons_2013.md.bak and package.json.bak to download all the files
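A download filter modelled on the weakness the two LFI steps above rely on, as an added example (not Juice Shop's code). The naive check tests the extension on the name as received, so a name ending in "%2500.md" passes and the file layer later decodes %2500 to %00 to a NUL byte; the hardened check decodes fully first and refuses NUL bytes, separators and double extensions. The directory listing is constructed.

```javascript
const ALLOWED_EXT = ['.md', '.pdf'];
// Constructed listing of the ftp directory, using only names the walkthrough mentions.
const FTP_LISTING = ['acquisitions.md', 'coupons_2013.md.bak', 'package.json.bak', 'incident-support.kdbx'];

function naiveAllowed(requested) {
  // Looks only at the tail of the raw, still-encoded string.
  return ALLOWED_EXT.some((ext) => requested.endsWith(ext));
}

// Percent-decode until the string stops changing (bounded), so double encoding
// such as %2500 ends up as the NUL byte it really is.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    const next = decodeURIComponent(current);
    if (next === current) return next;
    current = next;
  }
  return current;
}

function hardenedAllowed(requested) {
  let name;
  try {
    name = fullyDecode(requested);
  } catch (e) {
    return false; // malformed percent-encoding
  }
  // No NUL, no path separators, no leftover percent signs, no traversal.
  if (/[\0\\\/%]/.test(name) || name.includes('..')) return false;
  const parts = name.split('.');
  // Exactly one extension, and it must be on the allow list.
  if (parts.length !== 2 || parts[0] === '') return false;
  if (!ALLOWED_EXT.includes('.' + parts[1])) return false;
  // And the decoded name must be a real entry in the directory, not a guess.
  return FTP_LISTING.includes(name);
}
```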

How to check weird crypto?

After I downloaded the file package.json.bak, I could see all the libraries the developer uses. So I tried sending a library name in Customer Feedback and found it is z85

How to log in as support user?
I noticed a file in the ftp path: incident-support.kdbx. I checked the kdbx file format on Google and found it is used with KeePass

"KeePass can generate key files for you, however you can also use any other, already existing file (like JPG image, DOC document, etc.). In order to use an existing file as key file" (from the KeePass page)

From the definition, it means an image file can be used as the key to open the file. So I went to the About Us page on Juice Shop and checked the files one by one

Click 'Open in new tab' and then download 6.jpg

Open the file incident-support.kdbx; it will pop up asking for a Key File

Now we can see the support user in incident-support.kdbx

Right click on support@juice-sh.op, click 'Edit entry' and then show the password

Try logging in as the support user

Name: DOM XSS
(put <iframe src="javascript:alert(`xss`)"> in search)

Name: Zero Stars

I inspected the HTML of the 'Submit' button. I noticed that when no star is selected, the button is disabled. So I deleted the disabled attribute, the button became enabled, and I could submit without any star score

Name: Login Admin (log in with both username and password set to ' or 1=1 -- )

Name: Privacy Policy
(After login, click on Account > Privacy & Security > Privacy Policy)

Name: Privacy Policy Inspection
(Find all words that use <span class="hot"> and then concatenate the words to get http://localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility )

How to log in as admin with password?

I tried to check: can I brute-force the password on localhost using Intruder mode in Burp Suite?

This is how to set up the proxy so that Burp Suite can intercept localhost

Set the proxy port to 8080

Open about:config in the browser and click 'Accept the Risk'

Search for network.proxy.allow and double click the value to change it from false to true

Try the login page with username and password admin, admin
Make sure 'Intercept is on' in Burp Suite before hitting the 'Log in' button

Right click on the request area, select 'Send to Intruder' and then go to the 'Intruder' tab
Highlight the username and password values and click the 'Add' button

Clone https://github.com/swisskyrepo/PayloadsAllTheThings, put the folder PayloadsAllTheThings in /usr/share/wordlist on Kali, and then in the Payload options load the file Auth_Bypass2.txt

Highlight the token value, right click and choose 'Send to Decoder'

Decode as Base64 to text

Bring the password value to hash-identifier to check the hash type; it is MD5
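The token decoded in Burp above is a JWT, so its middle segment is just base64url JSON. As an added example (not from the post or from Juice Shop), this helper reads that payload without verifying anything (fine for inspection, never for authentication) and reports claims a token should not carry, such as the "password" field the post finds holding an MD5 hash. The payload layout under "data", the claim list and the sample token are assumptions constructed here.

```javascript
function base64urlToUtf8(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function utf8ToBase64url(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Reads the payload only; the signature is deliberately ignored here.
function readJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64urlToUtf8(parts[1]));
}

const SENSITIVE_CLAIMS = ['password', 'passwordHash', 'secret', 'totpSecret']; // hypothetical list

function auditToken(token) {
  const payload = readJwtPayload(token);
  const data = payload.data && typeof payload.data === 'object' ? payload.data : payload;
  const exposed = SENSITIVE_CLAIMS.filter((claim) => claim in data);
  // 32 hex chars is the shape of an unsalted MD5 digest, which is what hash-identifier reported.
  const looksLikeMd5 = typeof data.password === 'string' && /^[0-9a-f]{32}$/i.test(data.password);
  return { email: data.email, role: data.role, exposed, looksLikeMd5 };
}

// Constructed token: header and payload are built here, the signature is a placeholder,
// and the password value is a placeholder of the right shape, not a real hash.
function buildSampleToken() {
  const header = utf8ToBase64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = utf8ToBase64url(JSON.stringify({
    status: 'success',
    data: { email: 'admin@juice-sh.op', role: 'admin', password: '0'.repeat(32) },
  }));
  return `${header}.${payload}.placeholder-signature`;
}
```

A token that carries a password hash leaks it to every client and proxy that sees the token, so the fix is to stop putting the field in the token at all, not to hash it harder.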

Save the password hash into a file admin.txt and then use hashcat to crack the password
hashcat -m 0 -a 0 admin.txt /usr/share/wordlists/rockyou.txt --

Try inspecting the Network tab, and I found

From the Request URL we inspected in the Chrome Network tab, we get an idea of how to use sqlmap to find table names in OWASP Juice Shop

sqlmap -u "http://localhost:3000/rest/products/search?q=" -D localhost --tables --level=5 --batch

I tried to retrieve the Users table with sqlmap but it did not work

So I tried another way. When inspecting the request URLs in the browser, the patterns I saw were localhost/rest/... or localhost/api/..., so I tried similar paths in Postman to see user data.

  1. http://localhost:3000/rest/api/users
    It responds: Error: Unexpected path: /rest/api/users
  2. http://localhost:3000/rest/users
    Error: Unexpected path: /rest/users
  3. http://localhost:3000/api/users
    UnauthorizedError: No Authorization header was found

This means the path works!! The API needs an Authorization token. So I logged in as admin again, checked 'whoami', and saw it uses an Authorization Bearer token. We already have this token from the first SQL injection / brute-force login attempt via Burp Suite

Put the admin token in the Postman request, and now we can list all users in Juice Shop, but the important data seems to be only email and role, no password

I tried to brute-force bender's password with the most common passwords via Burp Suite but found no valid password for login. So I tried SQL injection on the username using
bender@juice-sh.op'; -- with any password, and logged in
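Two defender-side pieces for the login injections used in this step and in the Login Admin step (' or 1=1 -- and bender@juice-sh.op'; --), as an added example that is not code from the post or from Juice Shop: a login query that binds the email as a parameter instead of splicing it into the SQL, and a small detector run over constructed login-attempt log lines. The log format is assumed.

```javascript
// Placeholders: the driver sends user input as data, so a quote or "--" cannot
// terminate the literal and change the WHERE clause.
function buildLoginQuery(email, passwordHash) {
  return {
    sql: 'SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL',
    params: [email, passwordHash],
  };
}

// Shapes of the tautology and comment-terminator tricks used in the walkthrough.
const INJECTION_PATTERNS = [
  /'\s*(or|and)\s+\S+\s*=\s*\S+/i, // ' or 1=1
  /'\s*;?\s*(--|#|\/\*)/,          // '; --   ' --   '/*
];

// Scans JSON login-attempt records and returns the ones whose email field matches.
function flagLoginAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch (e) { continue; } // skip non-JSON lines
    if (typeof entry.email !== 'string') continue;
    if (INJECTION_PATTERNS.some((re) => re.test(entry.email))) {
      hits.push({ ts: entry.ts, src: entry.src, email: entry.email });
    }
  }
  return hits;
}

// Constructed sample log lines (not real Juice Shop output). Only the submitted
// email is logged; the password is never written to the log.
const SAMPLE_LOGIN_LOG = [
  '{"ts":"2020-05-13T10:00:01Z","src":"127.0.0.1","email":"test@test.com","ok":true}',
  '{"ts":"2020-05-13T10:00:05Z","src":"127.0.0.1","email":"\' or 1=1 --","ok":true}',
  '{"ts":"2020-05-13T10:00:09Z","src":"127.0.0.1","email":"bender@juice-sh.op\'; --","ok":true}',
  'not a json line',
];
```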

I tried to change the password without knowing the current password, but it said illegal

How to view another user's basket?

Solution: I logged in as test@test.com in the Chrome browser and ordered an Apple

and in Firefox, logged in as ploy@test.com and opened the same URL. I saw the order from the test user in my basket
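The check that the basket step above shows to be missing, as an added example (not the post's or Juice Shop's code): a basket handler must compare the basket's owner with the user from the session instead of trusting the id in the URL. The store layout, the session shape and the sample data are assumptions constructed here.

```javascript
// Constructed data: two users with one basket each.
const BASKETS = new Map([
  [1, { id: 1, userId: 10, items: ['Apple Juice'] }],
  [2, { id: 2, userId: 11, items: [] }],
]);

// Basket ids arrive as URL strings; accept only plain positive integers.
function parseBasketId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]*$/.test(raw)) return null;
  return Number(raw);
}

// The pattern the walkthrough exploits: any logged-in user can open any basket.
function getBasketVulnerable(rawId) {
  const id = parseBasketId(rawId);
  return id === null ? null : BASKETS.get(id) || null;
}

// Hardened: the session, not the URL, decides whose basket may be shown.
function getBasketHardened(rawId, session) {
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401, body: 'authentication required' };
  }
  const id = parseBasketId(rawId);
  const basket = id === null ? null : BASKETS.get(id);
  // Same answer for "no such basket" and "not yours", so ids cannot be enumerated.
  if (!basket || basket.userId !== session.userId) {
    return { status: 404, body: 'basket not found' };
  }
  return { status: 200, body: basket };
}
```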

How to see metrics data usage on the server?

For example Prometheus: the path /metric is the default path to see the data

How to access the log on the server?
