Level 2 - Challenges
Login Admin
We know from the Level 1 challenge Error Handling that the login form is vulnerable to SQL injection. One of the simplest login bypass injections I know is ' or 1=1;--
This works because the form fields are concatenated straight into the SQL string, with no parameterisation, escaping or input validation. On the back end the login query could look something like this.
SELECT id FROM users WHERE username = '$username' and password = '$passwd';
Now, if we input our payload, the query will look like this.
SELECT id FROM users WHERE username = '' or 1=1;--' and password = '$passwd';
As we can see, the WHERE clause now matches users with an empty username OR 1=1, and 1=1 is always true. The -- turns the rest of the line, including the password check, into a comment, so the query returns every user. The application takes the first row, which happens to be the admin account.
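To see the bypass end to end, here is an added Python example (my own, not Juice Shop's code) using an in-memory SQLite database with a constructed users table. It builds the concatenated query exactly as shown above and runs it next to the same query with bound parameters; the table contents and passwords are made up for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not Juice Shop's real table):
# the admin account is the first row, which is why the bypass lands on it.
# Plaintext passwords are used only to keep the demo short; real systems
# store hashes.
SAMPLE_USERS = [
    (1, "admin", "admin-pw"),
    (2, "jim", "ncc-1701"),
    (3, "bender", "bite-my-shiny-metal-ass"),
]

PAYLOAD = "' or 1=1;--"


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The string-concatenated query from the write-up, built the way a
    back end builds it when it trusts the form fields."""
    return (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"and password = '{password}';"
    )


def login_vulnerable(conn, username, password):
    """Vulnerable login: user input becomes part of the SQL text.
    Returns the id of the first matching row, or None.
    With PAYLOAD as the username the statement ends at the injected ';'
    and everything after '--' is a comment, so every row matches."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened login: the same query with bound parameters. The payload is
    now just a literal username that matches no row."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? and password = ?;",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "whatever"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "whatever"))  # 1 (admin)
    print("safe:      ", login_safe(db, PAYLOAD, "whatever"))        # None
```

The only difference between the two login functions is that the safe one hands the values to the driver as parameters instead of pasting them into the SQL text, which is the whole fix for this class of bug.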
We can grab the email of the admin user from the profile page: [email protected]
Admin Section
When logged in as the administrator we can simply access the admin page here: http://localhost:3000/#/administration
On the administration page we can grab all the user emails.
(list of user emails as shown on the administration page; the addresses are obfuscated in this copy of the page and only the juice-sh.op domain is still visible)
Security Policy
Some companies have a security.txt file available on their website. From the RFC (RFC 9116) we read the following:
"When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities."
To solve the challenge, visit http://localhost:3000/security.txt (the RFC's canonical location is /.well-known/security.txt; the top-level path is only kept for legacy compatibility).
Deprecated Interface
Again, let's start by searching through main.js. If we search for B2B, we find the following two code snippets. They tell us that XML files were once accepted by the uploader but that it now only expects .pdf and .zip files, and that the uploader belongs to the complaint form.
[
'ng2FileSelect',
'',
'id',
'file',
'type',
'file',
'accept',
'.pdf,.zip',
'aria-label',
'Input area for uploading a single invoice PDF or XML B2B order file or a ZIP archive containing multiple invoices or orders<!---->',
2,
'margin-left',
'10px',
3,
'uploader'
]
[
'id',
'complaint-form',
1,
'form-container'
]
The accept attribute only filters the browser's file picker; nothing here shows the server rejecting XML. We can therefore head to the Complaint page and upload an arbitrary XML file (switch the file picker to all files if it hides .xml) to solve the challenge.
Five-Star Feedback
As we already found the administration page, this is quite trivial. Just head there and delete the 5-star review.
Login MC SafeSearch
MC SafeSearch has made a song called "Protect ya Passwordz". The lyrics are found here: https://genius.com/Collegehumor-protect-ya-passwordz-lyrics
In the lyrics we find the phrase "Mine's my dog, Mr. Noodles. It don't matter if you know 'Cause I was tricky and replaced some vowels with zeroes"
So we can easily guess the password to be Mr. N00dles. The email we already know from the admin page.
Meta Geo Stalking
We know John's email. If we go to the Photo Wall and download the picture posted by John, we can use exiftool to extract the metadata from the image.
exiftool favorite-hiking-place.png
This reveals the GPS coordinates. If we plug them into Google Maps, we find that the picture was taken in Daniel Boone National Forest, which is the correct answer.
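As an added Python example (mine, not from the challenge or the exiftool project), here is a small parser that turns exiftool's default GPS Latitude and GPS Longitude lines into signed decimal degrees and a Google Maps link, and returns nothing when the tags are absent, which is what you get from a photo with stripped metadata like the one in Visual Geo Stalking further down. The exiftool output below is constructed and its coordinates are made up; they are not the ones in John's picture.

```python
import re

# Constructed exiftool-style output for the demo. The coordinates are made
# up and are NOT the ones embedded in the challenge photo.
SAMPLE_EXIFTOOL_OUTPUT = """\
File Name                       : favorite-hiking-place.png
Image Width                     : 1024
GPS Latitude                    : 51 deg 30' 0.00" N
GPS Longitude                   : 0 deg 7' 30.00" W
"""

# Constructed output for a photo whose metadata has been stripped.
SAMPLE_NO_GPS_OUTPUT = """\
File Name                       : no-metadata.jpg
Image Width                     : 800
"""

# Matches exiftool's default coordinate print format, e.g. 51 deg 30' 0.00" N
_DMS_RE = re.compile(r"""(\d+) deg (\d+)' ([\d.]+)" ([NSEW])""")


def dms_to_decimal(degrees, minutes, seconds, ref):
    """Convert degrees/minutes/seconds plus a hemisphere letter to signed
    decimal degrees (south and west are negative)."""
    value = degrees + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def parse_exiftool_gps(text):
    """Pull GPS Latitude/Longitude out of exiftool's text output.
    Returns (lat, lon) in decimal degrees, or None if either tag is absent."""
    coords = {}
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if not sep:
            continue
        tag = tag.strip()
        if tag in ("GPS Latitude", "GPS Longitude"):
            m = _DMS_RE.search(value)
            if m:
                d, mi, s, ref = m.groups()
                coords[tag] = dms_to_decimal(int(d), int(mi), float(s), ref)
    if len(coords) != 2:
        return None
    return coords["GPS Latitude"], coords["GPS Longitude"]


def maps_url(lat, lon):
    """Google Maps URL that drops a pin at the decimal coordinates."""
    return f"https://www.google.com/maps?q={lat:.6f},{lon:.6f}"


if __name__ == "__main__":
    for sample in (SAMPLE_EXIFTOOL_OUTPUT, SAMPLE_NO_GPS_OUTPUT):
        gps = parse_exiftool_gps(sample)
        print(maps_url(*gps) if gps else "no GPS tags in this file")
```

exiftool can also print decimals directly with its -c option, for example exiftool -c "%.6f" -GPSPosition favorite-hiking-place.png, but the parser above is handy when you only have saved text output.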
Password Strength
For this one I intercepted the login POST request in Burp and sent it to Intruder. With an Intruder sniper attack on the password field I found the password to be admin123.
Reflected XSS
I spent a lot of time on this until I realised that it was not sufficient to hit Enter; instead you have to refresh the page with the payload in the URL.
Anyway, you need to place an order, then view its track result. On that page we can trigger the XSS by adding the payload to the id parameter in the URL (%3D is the URL-encoded =). This will do the trick.
localhost:3000/#/track-result?id=<iframe src%3D"javascript:alert(XSS)">
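The reflection itself, as an added Python example (mine, not Juice Shop's code): it decodes the id parameter from the URL above the way the page would, then shows the vulnerable reflection next to two fixes, HTML-encoding the value and rejecting ids that do not look like order ids. The order-id pattern is an assumption made for the demo; the page does not state the real format.

```python
import html
import re
from urllib.parse import parse_qs

# The payload URL from the write-up. The Angular route keeps its query
# string after the '#', so it lives in the fragment, not the real query.
PAYLOAD_URL = 'localhost:3000/#/track-result?id=<iframe src%3D"javascript:alert(XSS)">'

# Assumed shape of a legitimate order id for the allow-list check; the real
# format of Juice Shop order ids is not stated on this page.
ORDER_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,40}$")


def extract_id(url):
    """Return the decoded id value from the route's query string.
    parse_qs percent-decodes the value, so %3D becomes '='."""
    fragment = url.split("#", 1)[1]
    query = fragment.split("?", 1)[1]
    return parse_qs(query)["id"][0]


def render_vulnerable(order_id):
    """The bug: the parameter is reflected into the page markup unchanged,
    so the iframe tag (and its javascript: URL) becomes live HTML."""
    return f"<h1>Results for order {order_id}</h1>"


def render_safe(order_id):
    """Fix 1: HTML-encode whatever is reflected, so '<' and '\"' cannot open
    a tag or attribute. The payload is shown as text instead of executed."""
    return f"<h1>Results for order {html.escape(order_id, quote=True)}</h1>"


def is_valid_order_id(order_id):
    """Fix 2: only accept values that look like an order id at all
    (assumed pattern), so markup never reaches the template."""
    return ORDER_ID_RE.match(order_id) is not None


if __name__ == "__main__":
    decoded = extract_id(PAYLOAD_URL)
    print("decoded id :", decoded)
    print("vulnerable :", render_vulnerable(decoded))
    print("escaped    :", render_safe(decoded))
    print("allowed?   :", is_valid_order_id(decoded))
```

Output encoding is the fix that matters for the sink; the allow-list is defence in depth and also keeps junk ids from reaching the back end in the first place.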
View Basket
Here I used Burp again. Intercept the request sent when clicking "Your Basket" and change the basket id in the GET request to another user's basket id.

Visual Geo Stalking
Here we need to find the answer to Emma's security question "Company you first work for as an adult?". I started by downloading the image from the Photo Wall and tried exiftool, which didn't work. Then I tried a reverse image search, which didn't work either. Finally I looked for clues in the picture itself and saw the company name ITsec in one window. That did the trick.
Weird Crypto
I noticed that the cookies are base64 encoded. Base64 is an encoding, not encryption, so anyone can decode it; it was one of the accepted answers.