I was at a local Cybersecurity meetup that was doing this CTF, I had dipped my toe in this CTF before that but never completed it. I spent that meeting sharing a keyboard with someone, running what SQL Injections I could remember but didn’t get very far. So, I decided to go back and complete this room.
This room is fairly straightforward for the first few steps. If you are using the in browser VM on TryHackMe, no downloading or configuring is needed. You really just need to launch the browser, Burp Suite and turn on Foxy Proxy in Firefox.
I’ll be using the in browser VM for this writeup, fire up your AttackBox and target. Once the AttackBox is ready, open Fire Fox and navigate to the IP Address generated. Poking around on this site gives you some fake items to buy, a login and search bar.
Tasks 1 and 2:
Back on the tasks side of things, task 1 questions are just about reading. Task 2 questions are pretty much handed to you. Look at the photo, find the thing in the photo or literally just copy the answer from the photo. I suggest you still go looking for the information on the OWASP Juice Shop site but examples below.
Also, I’m not much of a Star Trek fan but even I know where Replicators are from. I think this is mostly to make sure you are paying attention.
Task 3:
This is where you start to get into SQL Injection. There is a lot of information about Burp Suite on TryHackMe so I won’t go too far into detail here but go ahead and open it. Click your way to the main page of Burp Suite then head back to your browser. At the top right corner of the OWASP Juice Shop page, you will see the Account button, this will bring you to the sign in page.
On Burp Suite, open the Proxy Tab and make sure Intercept is on.
On Firefox, make sure you turn on FoxyProxy. It’s a little fox head in the top right tool bar. Make sure it is sending to Burp.
While on Firefox, we’re going to enter “a” for the email and “a” for the password. No need to include the quotes. Try to sign in. You should see results in Burp Suite saying “{“email”:”a”,”password”:”a”}” but if you don’t, try hitting the Forward button in Burp Suite until you do.
Let’s inject some SQL! Highlight the email address and replace it with ‘ or 1=1 —
So, what is this? What are we doing with this? This short little string of text is telling the SQL server for this website “Hey, bud. This sign in is totally valid in the same way 1 = 1 is a valid statement.” a poorly set up SQL server may allow this type of injection. Again, I won’t go too far into SQL Injection as there are lots of rooms in TryHackMe to learn this. This will give you the flag for the next question. Which I won’t show you, you gotta do it yourself.
Next, we’re going to sign in as Bender.
You may want to turn off Intercept, refresh the sign in and start the sign in interception process over again. Except this time we are going to change this attempt to {“email”:”[email protected]’ — “,”password”:”a”}
You’ll notice this doesn’t include a 1 = 1 string. This is because we know this email address exists, you only need to use 1 = 1 when forcing an invalid or unknown username. We are just using the ‘ — to bypass the sign in. This should give you the next flag.
Task 4:
Brute Force time! By using different flaws, we will be exploiting authentication methods. Weak passwords on priviledged accounts and forgotten password pages is the main focus of Task 4. SQL Injection got us in but we didn’t get the password. This is where Brute Force comes in, capture another request but let’s right click and send this request to Intruder. On the Positions tab and select Clear § button. Now highlight the password (“a”) and press the Add § button twice.
Click on the Payload tab and click Load to find the best1050.txt word list. You may need to change your working directory when trying to find this file path /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt. Once this is loaded, click the Start Attack button. This will bring up a window with the passwords being attempted, filter by status. 401 is failed, 200 is successful. This may take some time so be patient.
Signing in with this password will give you the next flag.
Next is exploiting the Forgot Password function. Easily answered by find the name of James T. Kirk’s middle brother. So, you know what to do.
Once you found the answer, on the account page, hit Forgot Password and try resetting the password for [email protected]. Use Jim’s brother as the security question and set the password to whatever. That will give you the last flag of task 4.
Task 5:
Transmitting data securely is vital but at times, a devloper may not correctly secure the transmission. It’s not the developer’s fault, it’s not like they woke up that day and decided to commit some sin against cybersecurity. They may not see how they misconfigured something, however we are going to exploit it! Head to the About Us page, hover over the “Check out our boring terms of use…” hyper link and notice it brings up the /ftp/
Navigate to the FTP page. Now, let’s download the acquisitions.md file.
Head back to the main page to collect your flag.
You don’t really need to watch this video, you can but who has time for that? TryHackMe lets you know that the password is Mr. Noodles with the some vowels changed to zeros. Knowing this, let’s sign into [email protected] with this password. Hint: There is a space in the password.
Head back to the FTP page. Try to download the package.json.bak file but you will get a 403 error page because only .PDF and .MD can be downloaded. To get passed this, we will use a character bypass called “Poison Null Byte” by using a URL Encoded Format which is a Null Terminator, by placing a NULL charater in the string, we are telling the sever to terminate at the point given and the rest of the string is null. We will navigate to /ftp/package.json.bak%2500.md to receive this flag.
Task 6:
Admin pages are used to edit, add and remove elements from a page. You would use these when building a website. When Broken Access Control exploits are found, it will be categorised into one of two types. Horizontal and Vertical. Horivontal happens when a user can perform actions or access data of another user with the same permissions. Vertical, when a user can perform these actions of a user with higher permissions.
Let’s open the debugger in Firefox. Open the menu with the 3 lines or Hamburger at the top right, navigate to More Tools > Web Developer Tools or Ctrl+Shift+I then open the Debugger tab. Look for the main-es2015.js under Index. Hit Ctrl+F and find path:administration. This let’s us know that there is a /#/administration page but we won’t be able to log in as a regular user. If only we had already found the admin username and password to get this flag.
Make sure Intercept is turned on in Burp Suite and open up your basket on the OWASP Juice Shop to capture this request. Hit the Forward button until you see GET /rest/basket/1 HTTP/1.1 and now, we are going to change basket/1 to basket/2. Hit forward until you get the flag.
Turn off Intercept and head back to the /#/administrator page. Delete the customer review with 5 stars, scroll back up to the top for this flag.
Task 7:
XSS or Cross-Site Scripting. Thanks to being a gamer of the 2000s, I always think about SSX Tricky when XSS comes up. Anyhow, this vulnerability allows attackers to run javascript in web applications. This is a very common bug and their complexity varies depending on the use on each application. For this we will use an iframe in the search bar, enter <iframe src=”javascript:alert(`xss`)”> this will display a popup with the “xss” or whatever you put in the alert portion of the iframe.
This is a Cross-Frame Scripting or XFS which is used to find XSS on web applications. If you can do this, you know to look for DOM elements that are vulnerable. The search bar is looking to the server for related information to your request but without correct input sanitation, we can attack the search function. Click OK to receive this flag.
If you aren’t logged in still, log in as admin and navigate to “Last Login IP” by clicking on the Account button at the top of the page. Open Privacy & Security.
Make sure to turn on Intercept in Burp Suite then log out. Open the Headers tab where we will be adding the new header to True-Client-IP. Forward the request to the server. Sign back into the admin account and navigate to the Last Login IP page. We will get the XSS message again. Sending this header is similar to the X-Forwarded-For header, both tell the server what the IP of the client is. Seeing as how there is no sanitation in the header, we can use an XSS attack.
Next, we will be heading to the Order History page.
Click on the Truck icon, bringing you to the track results page. This will give you an ID paired to an order. In the URL bar, replace the tracker ID of the URL with <iframe src=”javascript:alert(`xss`)”> and submit. Nothing will happen until you refresh the page. Click OK on the popup to get your flag.
Task 8:
This last flag is easy, head to /#/score-board and this will give you the last flag. However, this does show you the scoreboard with more optional to find items.
Thanks for reading this writeup, please let me know if you have any questions or comments and best of luck in this room.