OWASP Juice Shop – Intro & Trivial Challenges

I recently got told about the OWASP Juice Shop. This is the latest offering from OWASP in terms of vulnerable web apps; previous offerings include things like DVWA – Damn Vulnerable Web App.

What I like about Juice Shop is that it can be hosted on Heroku and is therefore accessible from anywhere. Sure, other people can look at it, but is there much danger in that?

The site has a range of vulnerabilities that work through the OWASP Top 10 (and probably more).

Now you might ask why I am writing a blog on this when there must be thousands of walkthroughs for it. Well, there are; there is even an official walkthrough, which is free and hosted on gitbooks.io here: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/

I am doing this because, well, why the fuck not. I might as well write up my adventures!

So, the first thing I learnt is that the site’s progress is cookie based. This is interesting and means clearing your cookies starts you over again, so that is exactly what I’m going to do, and try to do each challenge one by one.

The setup guide lets you know there is a scoreboard which lists the challenges. This seems useful, so it will be my first stop!

I’m going to do all my work in Firefox, within a Kali VM. I don’t know what tools I’ll need, but it’s best to start in a position where everything is available!

The ScoreBoard

Now, the site is JavaScript; it’s in the setup instructions. So a good bet is that there will be some JS modules I can look at. However, this wasn’t my first thought. I thought it might be something pretty straightforward, so I used dirb to try to find more of the site.

dirb http://yekki-juiceshop.herokuapp.com /usr/share/dirb/wordlists/big.txt

I got some pretty good results, which I have no doubt we will come back to. However, nothing about a scoreboard!

So after that, I remembered that the page is JavaScript. Therefore there must be something I can read to get a look at how the website works.

In Firefox, I right-clicked and went to Inspect. This brought up the Inspector toolbar. I had a look through here and found a nice YouTube link under the cookie section. However, other than style sheets, I didn’t find a huge amount more than that.

So I went across to the Debugger tab. Here we go.

These are something we can look at. Clicking on main just gives us one long line of JavaScript. No way we can go through that.

This is when I remembered that someone at work mentioned a way to make JavaScript more readable (a beautifier), so I headed over to: https://beautifier.io

This makes it all a lot more readable. Scrolling through, there seems to be an interesting list of paths.

This is great; look at that top one, though. That’s a good one. Anything like admin/administrator/administration is always worth checking out.

This shows all registered users, some reviews and recycling requests. Oh, look at that, we also completed a challenge. That’s cool!

Now to check out the score-board page!

Heading over to http://yekki-juiceshop.herokuapp.com/#/score-board brings up the scoreboard. Look at that, another challenge done and the scoreboard is shown in the top of the page!

Ok, first 2 challenges complete!

Now we have a list! This is useful, so what I’ll do is create a header for each and go through them in order!

Trivial Challenges

Admin Section

Well we completed this earlier. That list of paths included it. Nice and easy!

Confidential Document

So earlier, our dirb scan found a /ftp/ directory. I think a confidential document will be in there. Let’s go have a look.

Oooh, lots of documents:

The PDF is from an order I created earlier. It’s good to know they get saved here where we can see them later. However, that’s not going to be a restricted file. I feel eastere.gg is a good one!

Oh, 403 Error: only .md and .pdf files are allowed. How the fuck do we get round this?

Ok, so we can open any .pdf and .md files. That’s cool. It turns out that, currently, we don’t need to get round this! We just need to open a confidential document, and acquisitions.md is confidential! It even says so in its title! Great news, that’s another tick!

Error Handling

I’m not sure how I completed this challenge. I just clicked on a link and it appeared. So just click around and see what makes it pop.

Redirects Tier 1

So, somewhere something performs a redirect. It might be worth going back to our main.js and searching for redirect.

There are a few; most look to be for payment methods, e.g. bitcoin takes you to blockchain.info.

I guess we click on each and see what happens. Nope, they are all legitimate ways to donate to the project.

So there are other JavaScript files there. How about we look at the others? vendor.js could have information about redirects, possibly to do with payment plans?

Back to our JavaScript beautifier to make it readable. Then let’s look for any redirects. There are loads; it looks useful, but unfortunately not for right now.

I had missed the important one: under main.js there was a function yn(1) which redirects to gratipay.com. Putting “https://yekki-juiceshop.herokuapp.com/redirect?to=https://gratipay.com/juice-shop” in the browser takes you to a 404 page, and gives that achievement.
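As an added example (not Juice Shop’s own code), here is the kind of server-side check that keeps a /redirect?to= parameter like the one above from forwarding users to arbitrary sites: an exact-match allowlist of the donation URLs rather than trusting the parameter. The allowlist entries, the placeholder blockchain address and the handler name are assumptions.

```javascript
// Added example, not Juice Shop's code: allowlist check for a ?to= redirect.
// ALLOWED_REDIRECTS is an assumed list; the gratipay URL is the one from the
// post, the second entry is a placeholder for the other donation links.
const ALLOWED_REDIRECTS = new Set([
  'https://gratipay.com/juice-shop',
  'https://blockchain.info/address/PLACEHOLDER_ADDRESS',
]);

// Returns the allowed target (origin + path only) or null if not on the list.
function resolveRedirect(to) {
  let url;
  try {
    url = new URL(String(to)); // throws on relative paths and garbage input
  } catch (e) {
    return null;
  }
  // Only plain web URLs: blocks javascript:, data:, file: and similar schemes.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Compare origin + path exactly. A substring or startsWith test would be
  // weaker, because an allowed URL can be embedded inside another one.
  const key = url.origin + url.pathname;
  // Returning the key (not url.href) also drops any query string or fragment
  // the client appended to an otherwise allowed target.
  return ALLOWED_REDIRECTS.has(key) ? key : null;
}

// Express-style handler (req/res shape assumed); not wired to a server here.
function redirectHandler(req, res) {
  const target = resolveRedirect(req.query.to);
  if (target === null) {
    res.status(400).send('Unrecognised target URL for redirect');
    return;
  }
  res.redirect(target);
}
```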

Score Board

Well here we are. Full explanation above!

XSS Tier 0 & XSS Tier 1

This is a reflected XSS attack with an iframe. I honestly had no idea about the XSS types, or really what they did, so I went to Google and found the page on OWASP. It seems a good place to start.

It turns out reflected XSS is where the injected script is reflected off the web server, such as in an error message, a search result etc.

Looking into it further, it looks like if we run a “script”, for example <script>alert(Hello)</script>, somewhere that a command is being run, this should count. So let’s try it. What we need first is to find a place where the URL has a ?<field>=Answer.

Aha, got one! If we do a search, the URL becomes “http://yekki-juiceshop.herokuapp.com/#/search?q=hello”

This is exactly what we are looking for. So if we change the “hello” to “<script>alert(Hello)</script>”, let’s see what happens.

Nothing, ok. It just comes back with no results. I’m sure you’ve seen the most basic mistake here. We are using HTML tags, not JavaScript.

So the JavaScript equivalent will use an iframe. The clues were on the scoreboard.

So we need to tweak our script to be:

<iframe src%3D"javascript:alert('Hello')">

Ah look at that!

Now, in my version this appears to have been a success for XSS Tier 1, which is a DOM-based XSS attack.

So again, let’s go back to OWASP: what the heck is a DOM XSS?

Well, it’s when the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script.

So I wonder if, because we put it in the URL directly, it was only DOM (Document Object Model) based.

To get the reflected one, we need to make a request to the server, right? How about doing the same thing, but in the search bar?

Well, it creates an empty iframe, if you like. So bugger. That’s not it either!

I feel that these have been given to me in the wrong order. I feel that adding it to the URL is a reflected attack, as it calls that page from the server directly.

So, with that in mind, let’s carry on trying to get the DOM XSS. We need to know what happens on the JavaScript page: is there an easy way to tweak something client side?

Let’s go back to our Inspector. On the right, there are “rules”. What if we change some of those? I changed height to 50% and it changed on screen, but nothing else. So that’s not it!

Back to the reading: how does one perform a DOM XSS? What we need to work out is how the JavaScript works with user input.

Good question. Let’s go to Burp and intercept that request. So I’ve got Firefox proxying through Burp with Intercept on.

I’ve done a search for “Read This Blog”; let’s see what happens.

We see a GET request, using the API at /rest/product/search

I’ll send this to Repeater and we can use it later. However, you’ll notice it doesn’t say “Read This Blog” anywhere in it.

What we can try, though, is changing the GET request to include our JavaScript.

That did nothing.

Maybe we are looking at this wrong. The search form does a search on the database? Maybe.

Does anything add or change anything in that database? Let’s hunt around further in the pages.

If we click on a product when logged in, there is a reviews section. What if we try our malicious code in there? Nope, that just prints it out as text.

All we need to find is somewhere else that does a search or takes an input of some sort.

All the above was nonsense. For the reflected XSS we needed to get something back from the server, so looking around for somewhere you can make requests, I found that when logged in, under the user menu there is a “track orders” option.

This gives an input box, which then requests information from the server. Perfect, this is the exact definition of a reflected XSS attack.

If we put in our code as above, <iframe src%3D"javascript:alert('Hello')">, we should get an iframe back.

Perfect, we get the score up on that board!
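An added example, not the project’s code, showing the defensive side of the payload above: the %3D-encoded iframe decodes to a live tag, and HTML-encoding user input at the point of output (rather than trying to spot tags) is what keeps a reflected search term or order number inert. The render functions are hypothetical stand-ins, not what Juice Shop actually does, and straight quotes replace the curly ones the blog’s formatting produced.

```javascript
// Added example, not Juice Shop's code. Demonstrates output encoding against the
// iframe payload used in the post (straight quotes instead of curly ones).
const URL_ENCODED_PAYLOAD = '<iframe src%3D"javascript:alert(\'Hello\')">';

// What the application sees once the query string is decoded:
// %3D becomes '=' and the iframe tag is whole again.
function decodePayload(raw) {
  return decodeURIComponent(raw);
}

// Encode the five characters that matter in an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable stand-in: reflects the search/order string straight into markup.
function renderResultVulnerable(q) {
  return `<p>No results for ${q}</p>`;
}

// Hardened stand-in: same template, input encoded at the point of output.
function renderResultSafe(q) {
  return `<p>No results for ${escapeHtml(q)}</p>`;
}

// Unit-test oracle only: true if the rendered HTML still carries a parsable
// iframe/script tag from the input. Deliberately not a sanitiser; the fix is
// escapeHtml above, not pattern-matching the input.
function containsLiveTag(html) {
  return /<\s*(iframe|script)\b/i.test(html);
}
```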

Zero Stars

So we need to give a review 0 stars. Let’s first look at how to give a review. If we view a product we can review it; however, it doesn’t have any stars, so that doesn’t seem right.

The customer feedback form seems better; it has stars. Let’s fill in the basic comment of “0 stars”, then just leave no stars clicked. Complete the captcha. Ok, we can’t submit feedback without a rating. Let’s give it a 1, and we will catch the request in Burp and see what it’s doing.

Oh, look at that last part. I’m UserID = 14 (I wonder who 1-13 are. Admin users maybe?). The captcha has an ID and result. There is the comment of 0 stars that we entered and, bingo, a rating!

What if we change this rating to a 5? Let’s see if the review reflects that on the page. (Sure, I could change it to 0, but if that doesn’t work, I’ve learnt nothing.)

Ok, result: “Thank you for your feedback and your 5-star rating”

If we go back to the administration page, it also shows up there!

Look at that: User 14, our comment of 0 stars with 5 stars next to it.

Ok, I wonder if we can delete that. It could be useful. Yes we can. That’s gone.

So let’s try again, this time changing the rating to 0.

Hooray, the green banner of success! Nice and easy to finish off the trivial challenges.
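The zero-star trick works because the rating range is only enforced by the form. As an added example that is not Juice Shop’s own code, this is the server-side validation that would have rejected the edited request. The field names copy what the post describes seeing in Burp (UserId, captchaId, captcha, comment, rating); the 1 to 5 range, the comment limit and the sample values are assumptions.

```javascript
// Added example, not Juice Shop's code: validate the feedback body on the
// server, because the star widget only stops honest users. Field names follow
// the request described in the post; the limits and sample values are assumed.
const MIN_RATING = 1;
const MAX_RATING = 5;
const MAX_COMMENT = 500;

// Returns { ok, errors } so the caller can decide the HTTP response.
function validateFeedback(body) {
  const errors = [];
  const r = body.rating;
  // Must be a real integer in range: typeof rules out "5"/"0" strings,
  // Number.isInteger rules out 4.5 and NaN, the range check is what kills the 0.
  if (typeof r !== 'number' || !Number.isInteger(r) || r < MIN_RATING || r > MAX_RATING) {
    errors.push(`rating must be an integer between ${MIN_RATING} and ${MAX_RATING}`);
  }
  if (typeof body.comment !== 'string' || body.comment.length === 0 || body.comment.length > MAX_COMMENT) {
    errors.push('comment must be a non-empty string');
  }
  if (!Number.isInteger(body.captchaId) || typeof body.captcha !== 'string') {
    errors.push('captcha id and answer are required');
  }
  return { ok: errors.length === 0, errors };
}

// The intercepted request carried UserId = 14 in the body. Take the identity
// from the authenticated session instead and ignore whatever the client sent.
function buildFeedbackRecord(sessionUserId, body) {
  const check = validateFeedback(body);
  if (!check.ok) return null;
  return { UserId: sessionUserId, comment: body.comment, rating: body.rating };
}

// Constructed sample bodies shaped like the intercepted request (values invented).
const SAMPLE_BODY = { UserId: 14, captchaId: 3, captcha: '12', comment: '0 stars', rating: 1 };
const ZERO_STAR_BODY = { ...SAMPLE_BODY, rating: 0 };
```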

Nmap Flags

Now, Nmap is the go-to tool for reconnaissance. Even if you don’t know much about pentesting or networking, you are likely to have either seen or heard of nmap. It appears in lots of films, including The Matrix and most hacking films. They even have a list on their website for spotting it (https://nmap.org/movies/)

So, what does nmap do? Well, it’s a port scanner. You tell it which flags you want and what single IP or range of IPs you want to check, and it cleverly goes off and tries to create a connection on each of those ports. It then comes back with one of three answers:

1 – Open – An application on that port is listening for connections/packets

2 – Filtered – Something like a firewall or network obstacle is blocking the port, so nmap can’t tell if the port is open or closed

3 – Closed – No application currently listening on this port

When doing an nmap scan, we are generally interested in the open ports. The open ports could be anything; there are standard ports that things run on, e.g. port 22 for SSH, port 80 for HTTP, port 443 for HTTPS, 20/21 for FTP, 23 for telnet, 25 for SMTP etc.

However, these can always be changed. Good practice, for example, is to change your SSH port to a high number so it will be brute-forced a lot less when connected to the internet (if you have a droplet that you SSH into, for example).

So, the syntax to start nmap is:

nmap <flags> <ip address>

So a very simple scan would be nmap -sV 127.0.0.1

The flags all do different things, for various reasons, depending on what you are scanning and what you want to find out!

What I’ll do is show a few different ones with some example outputs (using Juice Shop from OWASP). Flags can be combined, so although this is currently a list, further down there are expressions that I’d be more likely to put together.

There is a good nmap cheat sheet which I like, which is: https://blogs.sans.org/pen-testing/files/2013/10/NMap_5120x2880.png

Basic Flags that I use regularly:

-sP – Ping sweep. If you are scanning a whole IP range, this lets you know which hosts are online on which IPs.

-sS – TCP SYN scan. This means it will scan ports that operate over TCP (rather than UDP) using a SYN packet, which is the initiator of the three-way handshake that happens when TCP connects. If it receives an ACK back then the port is open.

-sU – Scan all UDP ports. Similar to the above, however there is no three-way handshake; data just gets returned.

-sV – Looks further into open ports to try and determine the service and any version info (e.g. port 80 Apache httpd 2.4.37)

-p 1-65535 – This runs a scan on the range of ports you want. Nmap generally only scans the most popular 1,000 ports, so if you want to scan higher ports, you need to put in the -p flag and port numbers.

-v – This sets the verbosity level of the output. It ranges from -v to -vvv depending on the level of output you want to see.

-O – Enables OS detection. Will try to work out what OS the host is using.

-oN – This outputs the results into a text file. You need to give it the path to save the file to.

-T4 / -T5 – Sets the timing for scanning. The higher the number (between 0 and 5), the faster it is; however, it’s also less accurate. T4 is the default

So a regular scan that I would do, for example on HackTheBox would be:

nmap -sS -sV -T4 -O -oN hackthebox/<boxname>/nmap.txt <IP Address>

Once that has completed and I have some things to look at, I’ll usually do a more in-depth scan, as HTB is there to trip you up.

nmap -sS -sV -T4 -O -p 1-65535 -oN hackthebox/<boxname>/nmap-full.txt <IP Address>

Then, if I think there might be any UDP services, I’ll do a UDP scan.

nmap -sU -oN hackthebox/<boxname>/nmap-UDP.txt <IP Address>

It’s worth pointing out that some of the flags can’t be used together, for example different scan techniques (e.g. -sS -sA).

Now this will get you started, and bring back some ports, versions and operating systems. This then lets you do further enumeration and look into various exploits.
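As an added example (not from the post), here is a small parser for the normal-format file that -oN writes. It pulls out the port lines, splits them into the open/filtered/closed states described above, and flags a known service that is listening somewhere other than its usual port, which is the check a defender would run on their own host after moving SSH as suggested. The embedded scan output is constructed for illustration, not a real result, and the usual-port map is a small assumed subset.

```javascript
// Added example, not from the post. Parses nmap's normal (-oN) output into
// structured port records. SAMPLE_NMAP_OUTPUT is a constructed sample that
// mimics the format; it is not a real scan result.
const SAMPLE_NMAP_OUTPUT = `# Nmap X.YY scan initiated (constructed sample)
Nmap scan report for 127.0.0.1
Host is up (0.00010s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 7.9p1
80/tcp   open     http       Apache httpd 2.4.37
2222/tcp open     ssh        OpenSSH 7.9p1
3000/tcp filtered ppp
8080/tcp closed   http-proxy
# Nmap done (constructed sample)`;

// One port line looks like: "<port>/<proto> <state> <service> [version text]".
// Combined states such as open|filtered are listed before their plain forms so
// the alternation does not stop early at "open".
const PORT_LINE = /^(\d+)\/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)(?:\s+(.*))?$/;

function parseNmapNormal(text) {
  const ports = [];
  for (const line of text.split('\n')) {
    const m = PORT_LINE.exec(line.trim());
    if (!m) continue; // header, host and summary lines are skipped
    ports.push({
      port: Number(m[1]),
      proto: m[2],
      state: m[3],
      service: m[4],
      version: m[5] ? m[5].trim() : '',
    });
  }
  return ports;
}

// The records a pentester (or a defender auditing their own host) acts on first.
function openPorts(text) {
  return parseNmapNormal(text).filter((p) => p.state === 'open');
}

// Known services found on a port other than their usual one (assumed subset).
const USUAL_PORTS = { ssh: 22, http: 80, https: 443, ftp: 21, telnet: 23, smtp: 25 };
function nonStandardServices(text) {
  return openPorts(text).filter(
    (p) => USUAL_PORTS[p.service] !== undefined && USUAL_PORTS[p.service] !== p.port,
  );
}
```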

Nmap is however vastly more powerful than just a port scanner. It also has a range of scripts that do all sorts of things.

The list of scripts is kept within /usr/share/nmap/scripts.

These scripts allow for further enumeration and, in some cases, brute force via the nmap platform.

TMux

So one of the most useful tools I’ve found so far for Linux is called Tmux.

I saw this watching ippsec’s YouTube videos for HTB (Hack The Box). It’s great: it allows multiple windows within an SSH session, you can split the screen and do other cool things. It’s well worth watching the ippsec videos; they can be found here: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

He goes through all the retired HTB boxes and I always pick up a hint or two or see something in an entirely new light. They can be long (>1hr) but it is well worth it.

As a note, most of these notes are taken from: https://gist.github.com/henrik/1967800 which is another good guide (I just keep losing the link).

So, Tmux. First off, a quick install:

apt install tmux

Once installed we need to go into tmux:

tmux

You should then get a screen like:

Tmux initial view

Ok, so far not too impressive.

To use Tmux you need to do:

Ctrl + b then the tmux command

So the basics:

New Window: Ctrl + b + c

Rename Window: Ctrl + b + ,

Next Window: Ctrl + b + n

What this then lets you have is something like this, with the ability to scroll through them using Ctrl + b + n, which is dead easy.

Yes, I’m scanning localhost! Just for an example!

If you have loads of tabs open and you want a specific one you can:

Jump to Window: Ctrl + b + [Num]

If you put in 0 it would jump to the OpenVPN screen, 1 for bash, etc.

List all Sessions: Ctrl + b + w

You can then use the up/down arrows and Enter to select the window you want.

What is really awesome is split screen. This creates a split within your current window (e.g. 5: SearchSploit).

Vertical Split: Ctrl + b + %

Horizontal Split: Ctrl + b + "

You can do more than one split per “window”.

Move Active Split: Ctrl + b + arrow (left/right/up/down)

To close any of the splits, just type exit on the one you want to get rid of.

Close Splits: Exit

If you want to pop a split out into its own pane:

Ctrl + b + !

If you then want to re-join it, you need the pane ID to join it to, and whether you want it horizontal or vertical:

Ctrl + b + :join-pane -t <pane ID> <-h/-v>

If you need to move any tabs, you can re-order them all:

Re-order tabs: Ctrl + b + . + number to move to

You can only move to a free number though!

If you have too many windows open and want to close one:

Close windows: Ctrl + b + x

A confirmation will appear; press y (the default is N).

There are loads more options, some maybe not so useful:

Giant Clock: Ctrl + b + t

But for help, or all the commands you can always do:

Shortcuts: Ctrl + b + ?

If you have split the screen but then need to make it full screen (say you got a reverse shell), it’s easy to move it to a new pane:

New Pane: Ctrl + b + !

So there you have it: a few useful commands to start you on your way to using Tmux. I haven’t learnt about attaching/detaching windows, but once I do, I’ll write an update with all I find out.

As with all my blogs, here are the commands with no chatter in between:

  • New Window: Ctrl + b + c
  • Rename Window: Ctrl + b + ,
  • Next Window: Ctrl + b + n
  • Jump to Window: Ctrl + b + [Num]
  • List all Sessions: Ctrl + b + w
  • Vertical Split: Ctrl + b + %
  • Horizontal Split: Ctrl + b + "
  • Pop Out Pane: Ctrl + b + !
  • Move a Pane to a Split: Ctrl + b + :join-pane -t <pane ID> <-h/-v>
  • Move Active Split: Ctrl + b + [arrow] (left/right/up/down)
  • Close Splits: Exit
  • Move Pane: Ctrl + b + !
  • Re-order tabs: Ctrl + b + . + [number to move to]
  • Close/kill windows: Ctrl + b + x
  • Giant Clock: Ctrl + b + t
  • Shortcuts: Ctrl + b + ?

Welcome!

Welcome to my Blog

A very quick bit about who I am and why I’m doing this.

My name is Phil, I go by Yekki. I am currently meandering my way towards infosec.

This blog is mostly an area for me to brain-dump all my ideas and things I learn. I watch videos, do reading, practise things, then two weeks later have forgotten all of them and need to look up that cheat sheet or video again.

Instead, I’m now going to write useful stuff out and try to keep a log/blog to help me and anyone else who is interested in pen testing, with hopefully useful resources.