TryHackMe – Juice Shop
01 – OPEN FOR BUSINESS
Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.
Once the machine has loaded, access it by copying and pasting its IP into your browser; if you’re using the browser-based machine, paste the machine’s IP into a browser on that machine.
02 – LET’S GO ON AN ADVENTURE
Before we get into the actual hacking part, it’s good to have a look around. In Burp, set Intercept to off and then browse around the site. This lets Burp log the requests and responses it sees, which may be helpful later.
This is called walking through the application, which is also a form of reconnaissance!
A – What’s the Administrator’s email address?
The review shows ***in@juice-sh.op, which is most likely admin@juice-sh.op
B – What parameter is used for searching?
q
C – What show does Jim reference in his review?
Star Trek
03 – INJECT THE JUICE
This task will be focusing on injection vulnerabilities. Injection vulnerabilities are quite dangerous to a company as they can potentially cause downtime and/or loss of data. Identifying injection points within a web application is usually quite simple, as most of them will return an error. There are many types of injection attacks; some of them are:
- SQL Injection – SQL Injection is when an attacker enters a malicious or malformed query to retrieve or tamper with data from a database and, in some cases, to log into accounts.
- Command Injection – Command Injection is when a web application takes input or user-controlled data and runs it as system commands. An attacker may tamper with this data to execute their own system commands. This can be seen in applications that perform misconfigured ping tests.
- Email Injection – Email injection is a security vulnerability that allows malicious users to send email messages without prior authorization by the email server. It occurs when an attacker adds extra data to input fields that the server does not interpret correctly.
But in our case, we will be using SQL Injection.
A – Log into the administrator account
Clear the existing positions and then mark the email and password fields as payload positions.
Select sqlwordlist.txt as the payload set to attempt.
Don’t forget to disable payload encoding.
We get a couple of hits, but the first one is for: a' or 3=3--
32a5e0f21372bcc1000a6088b93b458e41f0e02a
B – Log into the Bender account!
Similar to what we did in Question #1, we will now log into Bender’s account! Capture the login request again, but this time put bender@juice-sh.op'-- as the email. Now forward that to the server!
But why don’t we put the 1=1?
Well, as the email address is valid (so the email comparison already evaluates to true), we do not need to force the condition to be true. Thus we can use '-- to comment out the rest of the query, including the password check, and bypass the login. Note that 1=1 is needed when the email or username is unknown or invalid.
fb364762a3c102b2db932069c0e6b78e738d4066
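To see why the two payloads above behave differently, here is an added example (not Juice Shop's own Node.js code) that rebuilds the string-concatenated login query against a constructed in-memory SQLite table and places the parameterised fix beside it; the table contents, column names and hash values are made up for the demo.

```python
import sqlite3

# Constructed sample rows standing in for a Users table (not Juice Shop's seed data).
USERS = [
    (1, "admin@juice-sh.op", "hash-of-admin-password"),
    (2, "jim@juice-sh.op", "hash-of-jim-password"),
    (3, "bender@juice-sh.op", "hash-of-bender-password"),
]


def make_db():
    """Create an in-memory database with the constructed Users rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER, email TEXT, password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return db


def vulnerable_login(db, email, password_hash):
    """String-built query: user input becomes part of the SQL text.

    With bender@juice-sh.op'-- the quote closes the email literal and the
    comment swallows the AND password = ... check, so the valid email alone
    matches.  With a' or 3=3-- the OR makes every row match and the first
    row (the admin) is returned.
    """
    sql = (f"SELECT id, email FROM Users WHERE email = '{email}' "
           f"AND password = '{password_hash}'")
    return db.execute(sql).fetchone()


def safe_login(db, email, password_hash):
    """Parameterised query: the driver binds input as data, never as SQL."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password_hash)).fetchone()


if __name__ == "__main__":
    db = make_db()
    for payload in ("bender@juice-sh.op'--", "a' or 3=3--"):
        print(repr(payload), "vulnerable ->", vulnerable_login(db, payload, "x"))
        print(repr(payload), "safe       ->", safe_login(db, payload, "x"))
    print("legit login safe ->",
          safe_login(db, "bender@juice-sh.op", "hash-of-bender-password"))
```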
04 – WHO BROKE MY LOCK!?
05 – AH! DON’T LOOK!
06 – WHO’S FLYING THIS THING?
07 – WHERE DID THAT COME FROM?
08 – EXPLORATION