Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • Login Admin
  • Admin Section
  • Security Policy
  • Deprecated Interface
  • Five-Star Feedback
  • Login MC SafeSearch
  • Meta Geo Stalking
  • Password Strength
  • Reflected XSS
  • View Basket
  • Visual Geo Stalking
  • Weird Crypto
  1. Capture the Flag
  2. OWASP Juice Shop

Level 2 - Challenges

PreviousLevel 1 - ChallengesNextTryHackMe Rooms

Last updated 2 years ago

Login Admin

We know from the Level 1 challenges - Error Handling, that the login site is vulnerable to injection attacks. One of the simplest login bypass injection I know is ' or 1=1;--

This works because there is no input validation in place. At the back end SQL server the login query could look something like this.

SELECT id FROM users WHERE username = '$username' and password = '$passwd';

Now, if we input our payload, the query will look like this.

SELECT id FROM users WHERE username = '' or 1=1;--' and password = '$passwd';

As we can see, the WHERE statement will now look for users with no user name OR True. This will evaluate to True which means that the first entry of the database will be returned. Which happens to be the admin account.

We can grab the email of the admin user from the profile page: admin@juice-sh.op

Admin Section

When logged in as the administrator we can simply access the admin page here:

On the administration page we can grab all the user emails.

  • admin@juice-sh.op

  • jim@juice-sh.op

  • bender@juice-sh.op

  • bjoern.kimminich@gmail.com

  • ciso@juice-sh.op

  • support@juice-sh.op

  • morty@juice-sh.op

  • mc.safesearch@juice-sh.op

  • J12934@juice-sh.op

  • wurstbrot@juice-sh.op

  • amy@juice-sh.op

  • bjoern@juice-sh.op

  • bjoern@owasp.org

  • accountant@juice-sh.op

  • uvogin@juice-sh.op demo

  • john@juice-sh.op

  • emma@juice-sh.op

  • stan@juice-sh.op

jim@juice-sh.op bender@juice-sh.op bjoern.kimminich@gmail.com ciso@juice-sh.op support@juice-sh.op morty@juice-sh.op mc.safesearch@juice-sh.op J12934@juice-sh.op wurstbrot@juice-sh.opamy@juice-sh.op bjoern@juice-sh.op bjoern@owasp.org accountant@juice-sh.op uvogin@juice-sh.op demo john@juice-sh.op emma@juice-sh.op stan@juice-sh.op

Security Policy

Some companies has a security.txt file availbale on their website. From the RFC we read the following:

"When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure practices to make it easier for researchers to report vulnerabilities."

Deprecated Interface

Again lets start by searching through the main.js. If we search for B2B, we find the following two code snippets. This tells us that XML files was once "allowed" but now only .pdf and .zip files are expected. We also see that this is in ralation to the complaint-form.

[
'ng2FileSelect',
'',
'id',
'file',
'type',
'file',
'accept',
'.pdf,.zip',
'aria-label',
'Input area for uploading a single invoice PDF or XML B2B order file or a ZIP archive containing multiple invoices or orders<!---->',
2,
'margin-left',
'10px',
3,
'uploader'
]
[
'id',
'complaint-form',
1,
'form-container'
]

We can therefore just head to the Complaint site and upload an arbritary XML file to solve the challenges.

Five-Star Feedback

As we already found the administration page, this is quite trivial. Just head there and delete the 5-star review.

Login MC SafeSearch

In the lyrics we find the phrase "Mine's my dog, Mr. Noodles. It don't matter if you know 'Cause I was tricky and replaced some vowels with zeroes"

So we can easily guess the password to be Mr. N00dles. The email we already know from the admin page.

Meta Geo Stalking

We know the email of John. If we go to the Photo Wall an download the picture posted by John, we can use the exiftool to extract metadata from the image.

exiftool favorite-hiking-place.png

This reveals the GPS coordinates. If we plug them into Google Mpas, we find that the picture is taken in Daniel Boone National Forest which also happens to be the correct answer.

Password Strength

For this one I intercepted the login POST request in Burp and sent it to Intruder. With a Intruder sniper attack I found the password to be admin123.

Reflected XSS

I've spend a lot of time one this until I realized that it was not sufficient to hit enter but instead you had to refresh the site.

Anyway, you need to place an order, then view it track result. On that page we can do the XSS by adding to payload to the id parameter in the URL. This will do the trick.

localhost:3000/#/track-result?id=<iframe src%3D"javascript:alert(XSS)">

View Basket

Here I used Burp again. Intercept the traffic when clicking "Your Basket" and change the vaule in the get request to another.

Visual Geo Stalking

Here we need to find the answer to Emma's security question "Company you first work for as an adult?". I started by downloading the image from the Photo Wall and tried the exiftool, which didn't work. Then I tried a reverse image search which didn't work either. Finally I looked for any clues in the picture and saw a company name ITsec in one window. That did the trick.

Weird Crypto

I notices that the cookies are base64 encoded. Base64 was one of the accepted answers.

To solve the challenges visit

MC SafeSearch has made a song called "Protect ya Passwordz". The lyrics are found here:

http://localhost:3000/#/administration
http://localhost:3000/security.txt
https://genius.com/Collegehumor-protect-ya-passwordz-lyrics
Change the '1' to e.g. '2'