OWASP Juice Shop – TryHackMe
This room uses the deliberately vulnerable OWASP Juice Shop web application to practise identifying and exploiting common web application vulnerabilities.
For this box we use the free (Community) edition of Burp Suite. Configure the Burp proxy to work with Firefox.
Walk Through The Application
There is an option to register, so we register first:
email: email@example.com, password: juice
After registering we can access a profile page, and we can submit product reviews to the application.
- We can upload a profile picture in the profile section.
- The admin's email is firstname.lastname@example.org
- After checking out, the receipt is served from a URL like /ftp/order_2c81-15dae2229657bbb7.pdf, so the application stores receipts under /ftp/.
SQL Injection
The next part of the room covers SQL injection, so we need to find where to inject.
Here we need to log in with the admin account, so log out and go to the login page. As I tried, double quotes are escaped but single quotes are not 🙂
email :- email@example.com' ; 1=1 #
password :- anything
The unescaped single quote closes the email string, so the WHERE clause matches the admin's row on its own and the password check never applies: we are logged straight in as admin.
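To make the mechanism concrete, here is an added example (not code from the page, TryHackMe or Juice Shop) that rebuilds the login query against a constructed in-memory SQLite table. The table layout, the emails and the passwords are assumptions; the MD5 hashing of the password mirrors what the page later finds in the admin's token. Python's sqlite3 module refuses to run a query that has a second statement after the first, so the injected text ends with a `--` comment instead of the page's `; 1=1 #`; the mechanism that matters, the unescaped single quote closing the string literal, is the same. The parameterised version alongside it shows why binding the values instead of pasting them in defeats the payload.

```python
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    # Assumption mirroring the page: the app stores and compares MD5 password hashes.
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the users table. Emails, passwords
    # and columns are made up for the example, not Juice Shop's real data.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    db.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        [
            ("admin@example.org", md5_hex("admin-secret"), "admin"),
            ("jim@example.org", md5_hex("jim-secret"), "customer"),
        ],
    )
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str):
    # User input is pasted straight into the SQL text. A single quote in
    # `email` ends the string literal early and everything after it is SQL.
    # Returns (email, role) on success, None otherwise.
    sql = (
        f"SELECT email, role FROM Users WHERE email = '{email}'"
        f" AND password = '{md5_hex(password)}'"
    )
    return db.execute(sql).fetchone()


def login_fixed(db: sqlite3.Connection, email: str, password: str):
    # Parameterised query: the driver binds the values, so a quote in the
    # email is just a character in the compared string, never SQL.
    sql = "SELECT email, role FROM Users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, md5_hex(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    # `--` comments out the rest of the query, password check included.
    print(login_vulnerable(db, "admin@example.org'--", "anything"))
    # No email at all: 1=1 is true for every row, so the first user comes back.
    print(login_vulnerable(db, "' OR 1=1--", "anything"))
    print(login_fixed(db, "admin@example.org'--", "anything"))
```

Run it as a script and compare the three lines: the first two return the admin row without knowing any password, the parameterised version returns nothing because it looks for a user whose email literally contains the quote and the comment marker.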
#1 Reset Jim's password. What is the answer to his security question?
We know the email structure, so Jim's email will be firstname.lastname@example.org
Found /#/score-board, which shows which challenges have been solved.
Got nothing there. The OWASP hints say Jim is a celebrity; after googling I got Jim Carrey and a lot of other Jims, but nothing worked. Since Jim's password was ncc-1701, I searched for that together with "Jim". Aha!
We have our Jim now; just search for his brother on the Wikipedia page.
Got the brother's middle name -> Samuel
#2 What is the administrator's password?
When we logged in as admin we also got a JWT in the cookies; its segments are base64url-encoded, not encrypted.
After decoding it we get the admin's password, but it is an MD5 hash. Go to CrackStation, paste the hash and get the admin's password.
password :- admin123
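The decoding step and the CrackStation lookup, as an added example that is not code from the page or from Juice Shop. The token is constructed here to have the shape the page describes (the user record with its MD5 password hash under "data"); the header fields, the other claims, the signature bytes and the wordlist are all made up. The signature is deliberately not verified: we hold the cookie and only want to read what the server put in it, and the payload is plain base64url JSON whether or not the signature checks out.

```python
import base64
import hashlib
import json
from typing import Iterable, Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    # Reads the claims only; the signature is not checked on purpose.
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    # Unsalted MD5: hash each candidate and compare. CrackStation does the
    # same against a huge precomputed table; a wordlist does it for a small one.
    target = target_hex.lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


# Constructed token with the shape described on the page. Header fields,
# extra claims and the signature bytes are made up; the real cookie is signed.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    b64url_encode(json.dumps({
        "status": "success",
        "data": {"id": 1, "email": "admin@example.org",
                 "password": md5_hex("admin123"), "role": "admin"},
        "iat": 1600000000,
    }).encode()),
    b64url_encode(b"not-a-real-signature"),
])

# Constructed wordlist standing in for CrackStation's table.
WORDLIST = ["password", "123456", "juice", "admin", "admin123", "letmein"]


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(claims["data"]["email"], claims["data"]["password"])
    print(crack_md5(claims["data"]["password"], WORDLIST))
```

For a real cookie, paste the token string into `decode_jwt_payload` in place of `SAMPLE_TOKEN`; the 32-hex-character value under `data.password` is the one to hand to CrackStation.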
Sensitive Data Exposure
Tried accessing robots.txt. It lists the folder /ftp/, the same folder where the application stores the order receipts. Opening it in the browser shows the contents of the folder,
and there we find the markdown file acquisitions.md.
I didn't find it so easily at first: I ran dirbuster against the website with different wordlists and got nothing, but the ftp folder kept coming up again and again, so I checked it.
Broken Access Control
#1 Access the administration section of the store. What is the name of the page?
Searching main.js for "admin" gives the paths:
Go to the admin section -> /#/administration
#2 Access someone else's basket
Go to your basket page as any user, then open the developer tools and look under Storage -> Session Storage. There is a variable called bid, the basket id. Change it to another user's basket id and reload to see that user's basket.
#3 Get rid of all 5-star customer feedback
All the feedback is shown in the admin section; delete every 5-star entry.
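The server-side bug behind the bid trick, as an added example (not Juice Shop's code): a basket endpoint that trusts the client-supplied id, next to two ways of closing the hole. The data, the ids and the function names are constructed for the example. The ownership-checking version keeps the client-supplied id but refuses it unless the logged-in user owns it; the last version ignores the client id altogether and derives the basket from the server-side session, which leaves nothing to tamper with.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Basket:
    id: int
    owner_id: int
    items: List[str] = field(default_factory=list)


# Constructed data: two users, one basket each. Ids and products are made
# up for the example; they are not Juice Shop's real records.
BASKETS: Dict[int, Basket] = {
    1: Basket(id=1, owner_id=1, items=["Apple Juice"]),
    2: Basket(id=2, owner_id=2, items=["Banana Juice", "Lemon Juice"]),
}
BASKET_OF_USER: Dict[int, int] = {1: 1, 2: 2}


def get_basket_vulnerable(session_user_id: int, requested_bid: int) -> Optional[Basket]:
    # Looks the basket up by whatever bid the client sent and never asks who
    # owns it. Editing bid in session storage is all an attacker needs.
    return BASKETS.get(requested_bid)


def get_basket_ownership_check(session_user_id: int, requested_bid: int) -> Optional[Basket]:
    # Still accepts a bid, but only serves it to the user who owns it.
    # Returning None for both "missing" and "not yours" avoids telling an
    # attacker which ids exist.
    basket = BASKETS.get(requested_bid)
    if basket is None or basket.owner_id != session_user_id:
        return None
    return basket


def get_basket_from_session(session_user_id: int) -> Optional[Basket]:
    # Preferred shape: derive the basket from the authenticated identity and
    # ignore any client-supplied id entirely.
    bid = BASKET_OF_USER.get(session_user_id)
    return BASKETS.get(bid) if bid is not None else None


if __name__ == "__main__":
    # User 1 edits sessionStorage bid from "1" to "2"; the client sends it along.
    tampered_bid = int("2")
    print(get_basket_vulnerable(1, tampered_bid).items)   # user 2's items leak
    print(get_basket_ownership_check(1, tampered_bid))    # None
    print(get_basket_from_session(1).items)               # only user 1's items
```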
Cross site scripting (XSS)
Both challenges are reflected XSS done with an iframe; I just copied an iframe payload from the net.
You can use the same payload in both places.
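To show why an iframe in a search term ends up executing, here is an added example that is not code from the page or from Juice Shop: a minimal server-side search page that reflects the q parameter straight into its HTML, beside the same page with output encoding. The payload string, the URL and the template are assumptions (the payload is a common one from public write-ups, and the real Juice Shop search is an Angular route rather than this plain query string).

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Assumed iframe payload of the kind the page refers to; not copied from the page.
PAYLOAD = '<iframe src="javascript:alert(`xss`)">'


def query_from_url(url: str) -> str:
    # Pulls q out of a URL like /search?q=..., decoding the %xx escapes the
    # way a server would before the value reaches the template.
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_results_vulnerable(query: str) -> str:
    # The raw search term is interpolated into the HTML, so markup in the
    # query becomes markup in the page and the browser acts on it.
    return f"<h2>Search results for: {query}</h2>"


def render_results_fixed(query: str) -> str:
    # html.escape rewrites < > & " ' as entities, so the term is shown as text.
    return f"<h2>Search results for: {html.escape(query, quote=True)}</h2>"


def has_active_content(rendered: str) -> bool:
    # Crude check for tags a browser would act on; enough for the comparison.
    lowered = rendered.lower()
    return "<iframe" in lowered or "<script" in lowered


# Constructed crafted link: the payload URL-encoded into the q parameter.
CRAFTED_URL = "http://juice.example/search?q=" + quote(PAYLOAD)


if __name__ == "__main__":
    term = query_from_url(CRAFTED_URL)
    print(has_active_content(render_results_vulnerable(term)))  # True
    print(has_active_content(render_results_fixed(term)))       # False
    print(render_results_fixed(term))
```

The escaped output still contains the text of the payload, which is the point: the user sees what they typed, and nothing in it is parsed as a tag.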