Easy Challenges
So I have decided to split this into a new blog post for each difficulty level, mostly for ease of me hopping around and trying different challenges.
Now onto something slightly harder!
Basket Access Tier 1
Using an account I already created, I clicked on the basket with Burp's intercept on.
The request is shown as:
GET /rest/basket/5 HTTP/1.1
Host: yekki-juiceshop.herokuapp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://yekki-juiceshop.herokuapp.com/
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTQsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ5ZWtraUB5ZWtraS55ZWtraSIsInBhc3N3b3JkIjoiNWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTkiLCJpc0FkbWluIjpmYWxzZSwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiZGVmYXVsdC5zdmciLCJjcmVhdGVkQXQiOiIyMDE5LTAyLTI2IDEyOjMxOjI3LjI5MyArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDE5LTAyLTI2IDEyOjMxOjI3LjI5MyArMDA6MDAifSwiaWF0IjoxNTUxMTg0Mjk4LCJleHAiOjE1NTEyMDIyOTh9.pxpAffeeWVNoHMPS0lrfqguu1AKaWVbYes204GDImFdF-JDmuXt-lZSmGvvNVCohnsniesUgLi7J_IQwWRI9VID7bs_UgOwJVhUdIHlDagqO48jl2NVRtIDrxX0j5CQ0DIR1u84Vg21szWvll-GUqYNzfFXK269k_TCyDpxMpuc
Connection: close
Cookie: io=uWkpzcRDzu1s9zzsAAAB; continueCode=wjKRWbLRo7kYz8mjyQ3p9aJEDngB0NV05ev1WwPNxZq64KV2OrMXblog1LEQ; token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTQsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ5ZWtraUB5ZWtraS55ZWtraSIsInBhc3N3b3JkIjoiNWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTkiLCJpc0FkbWluIjpmYWxzZSwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiZGVmYXVsdC5zdmciLCJjcmVhdGVkQXQiOiIyMDE5LTAyLTI2IDEyOjMxOjI3LjI5MyArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDE5LTAyLTI2IDEyOjMxOjI3LjI5MyArMDA6MDAifSwiaWF0IjoxNTUxMTg0Mjk4LCJleHAiOjE1NTEyMDIyOTh9.pxpAffeeWVNoHMPS0lrfqguu1AKaWVbYes204GDImFdF-JDmuXt-lZSmGvvNVCohnsniesUgLi7J_IQwWRI9VID7bs_UgOwJVhUdIHlDagqO48jl2NVRtIDrxX0j5CQ0DIR1u84Vg21szWvll-GUqYNzfFXK269k_TCyDpxMpuc
If-None-Match: W/"9c-noTugLDgldQoJKiJFrzGD9ROoKE"
Ok, interesting: we have the GET request at the top, then we have the authorization header, the cookie and the token. Any one of these could alter the basket to view someone else's. To work out which of these it might be, I created a 2nd account and did the same test.
GET /rest/basket/6 HTTP/1.1
Host: yekki-juiceshop.herokuapp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://yekki-juiceshop.herokuapp.com/
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTUsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ5ZWtraTJAeWVra2kueWVra2kiLCJwYXNzd29yZCI6IjVmNGRjYzNiNWFhNzY1ZDYxZDgzMjdkZWI4ODJjZjk5IiwiaXNBZG1pbiI6ZmFsc2UsImxhc3RMb2dpbklwIjoiMC4wLjAuMCIsInByb2ZpbGVJbWFnZSI6ImRlZmF1bHQuc3ZnIiwiY3JlYXRlZEF0IjoiMjAxOS0wMi0yNiAxMjozNDowNi40ODEgKzAwOjAwIiwidXBkYXRlZEF0IjoiMjAxOS0wMi0yNiAxMjozNDowNi40ODEgKzAwOjAwIn0sImlhdCI6MTU1MTE4NDQ2MywiZXhwIjoxNTUxMjAyNDYzfQ.C3BvkvzfpiYxkmmdAtg6ZGphuTdpsrEqTcH7hP0ADKqnRmpcMpwaO_NkCBLUQnVYNlc7conpc6AKUnPaXJ39MdG4CRAgeJhycjiL1HxI4Hm_Tu_ZQkprFsYu46C0t8auWlxwRvco_I5RQwVZ20J8UO3BAWilEf5YHRdTSKPFJyM
Connection: close
Cookie: io=b6ksDfg_OvjJbmbWAAAC; continueCode=wjKRWbLRo7kYz8mjyQ3p9aJEDngB0NV05ev1WwPNxZq64KV2OrMXblog1LEQ; token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTUsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ5ZWtraTJAeWVra2kueWVra2kiLCJwYXNzd29yZCI6IjVmNGRjYzNiNWFhNzY1ZDYxZDgzMjdkZWI4ODJjZjk5IiwiaXNBZG1pbiI6ZmFsc2UsImxhc3RMb2dpbklwIjoiMC4wLjAuMCIsInByb2ZpbGVJbWFnZSI6ImRlZmF1bHQuc3ZnIiwiY3JlYXRlZEF0IjoiMjAxOS0wMi0yNiAxMjozNDowNi40ODEgKzAwOjAwIiwidXBkYXRlZEF0IjoiMjAxOS0wMi0yNiAxMjozNDowNi40ODEgKzAwOjAwIn0sImlhdCI6MTU1MTE4NDQ2MywiZXhwIjoxNTUxMjAyNDYzfQ.C3BvkvzfpiYxkmmdAtg6ZGphuTdpsrEqTcH7hP0ADKqnRmpcMpwaO_NkCBLUQnVYNlc7conpc6AKUnPaXJ39MdG4CRAgeJhycjiL1HxI4Hm_Tu_ZQkprFsYu46C0t8auWlxwRvco_I5RQwVZ20J8UO3BAWilEf5YHRdTSKPFJyM
I spotted almost straight away that a very simple thing is different. The GET request uses the user ID: in the first case it was 5, then 6. Changing that GET request to 2 brings up the basket for user number 2.
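What the walkthrough found is an insecure direct object reference: the server trusts the basket id in the URL and never asks whether the authenticated user owns that basket. The following is an added example, not code from this post or from Juice Shop itself. It models the /rest/basket/:id route in memory, first the way the walkthrough observed it behaving and then with the ownership check that closes the hole. The session table, basket contents and token strings are constructed for the example; in a real deployment the user id would come from verifying the JWT signature, not from a lookup table.

```javascript
// Constructed data: who owns which basket, and which bearer token maps to which user.
const baskets = new Map([
  [2, { id: 2, UserId: 2, products: ["Lemon Juice"] }],
  [5, { id: 5, UserId: 14, products: ["Apple Juice"] }],
  [6, { id: 6, UserId: 15, products: ["Banana Juice"] }],
]);
const sessions = new Map([
  ["token-user-14", 14],
  ["token-user-15", 15],
]);

// Stand-in for JWT verification: returns the authenticated user id or null.
function authenticate(authorizationHeader) {
  if (!authorizationHeader || !authorizationHeader.startsWith("Bearer ")) return null;
  const token = authorizationHeader.slice("Bearer ".length);
  return sessions.has(token) ? sessions.get(token) : null;
}

// Builds a minimal request object in the shape an Express-style handler would see.
function request(token, basketId) {
  return { headers: { authorization: `Bearer ${token}` }, params: { id: String(basketId) } };
}

// VULNERABLE: authenticates the caller but then serves whatever id the URL names.
// This is the behaviour the walkthrough observed (basket 5 -> 6 -> 2).
function getBasketVulnerable(req) {
  const userId = authenticate(req.headers.authorization);
  if (userId === null) return { status: 401, body: { error: "unauthenticated" } };
  const basket = baskets.get(Number(req.params.id)); // trusts client-controlled id
  if (!basket) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: basket };
}

// HARDENED: the resource owner must match the identity taken from the token.
function getBasketHardened(req) {
  const userId = authenticate(req.headers.authorization);
  if (userId === null) return { status: 401, body: { error: "unauthenticated" } };
  const basket = baskets.get(Number(req.params.id));
  // Same 404 for "does not exist" and "not yours", so the endpoint does not
  // confirm which basket ids are valid to a caller probing the id space.
  if (!basket || basket.UserId !== userId) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: basket };
}

// Stronger still: derive the basket from the session and drop the id parameter.
function getOwnBasket(req) {
  const userId = authenticate(req.headers.authorization);
  if (userId === null) return { status: 401, body: { error: "unauthenticated" } };
  for (const basket of baskets.values()) {
    if (basket.UserId === userId) return { status: 200, body: basket };
  }
  return { status: 404, body: { error: "not found" } };
}
```

The vulnerable handler hands user 14 basket 2 with a 200; the hardened one answers 404 for the same request while still serving user 14's own basket 5. The third handler shows the design that removes the class of bug entirely: when the route does not accept an object id, there is nothing for a client to tamper with.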
Deprecated Interface
Five-Star Feedback
Going into the Administration screen (which we found under the trivial challenges) and using the Delete (trash) symbol next to the 5-star review gave us this achievement.
Login Admin
To log in as the admin, first we need to work out whether we have the username. Going to the administration page when logged in brings up the list of users:
Under Payloads, we want to use a simple list, and under the options, use the drop-down to select "passwords". Click Start Attack and a new window will appear. Using the filter button, filter out anything that starts with a 4XX error, as this is a request error, i.e. wrong username and password.
Letting this run resulted in all passwords being wrong.
Ok, maybe we need a bigger wordlist. Let's try with rockyou. To do this, have a copy of rockyou on your local machine, click "Load…" and select the file. This will look like it's crashed, so leave it for a while until it's ready to go.
After a fair few requests and a lot more patience than I usually have, I got a 200 code. Meaning success!
Logged in to double-check and the creds work!
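From the defending side, the run above has a very recognisable shape in the server's logs: a long run of 4XX responses to the login endpoint for one account from one address, then a single 200. The following is an added example, not part of this post or of Juice Shop, of a small detector for that pattern. It parses constructed login log lines (the format, addresses and e-mail addresses are invented for the example), keeps a sliding window of failures per source address and account, raises one alert when the failure count crosses a threshold, and raises a second, higher-priority alert if a success follows such a burst.

```javascript
// One line per login attempt. Constructed format; adapt LINE_RE to the real log.
const LINE_RE = /^(\S+) (\S+) POST \/rest\/user\/login email=(\S+) status=(\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are skipped, never treated as failures
  return { ts: Date.parse(m[1]) / 1000, ip: m[2], email: m[3], status: Number(m[4]) };
}

// Returns a list of alerts; each alert names the source, account and failure count.
function detectBruteForce(lines, { threshold = 10, windowSeconds = 300 } = {}) {
  const failures = new Map(); // "ip email" -> failure timestamps inside the window
  const flagged = new Set();  // keys already alerted on, so a burst alerts once
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const key = `${ev.ip} ${ev.email}`;
    // Drop failures that have aged out of the window before counting.
    const recent = (failures.get(key) || []).filter((t) => ev.ts - t <= windowSeconds);
    if (ev.status >= 400 && ev.status < 500) {
      recent.push(ev.ts);
      if (recent.length >= threshold && !flagged.has(key)) {
        flagged.add(key);
        alerts.push({ kind: "brute-force", ip: ev.ip, email: ev.email, failures: recent.length, at: ev.ts });
      }
    } else if (ev.status === 200 && recent.length >= threshold) {
      // The case that matters most: a successful login right after a guessing burst.
      alerts.push({ kind: "success-after-brute-force", ip: ev.ip, email: ev.email, failures: recent.length, at: ev.ts });
    }
    failures.set(key, recent);
  }
  return alerts;
}

// Constructed sample: one guessing burst that eventually succeeds, and one
// ordinary user who mistypes twice and must not be flagged.
function iso(t) {
  return new Date(t * 1000).toISOString().replace(/\.\d{3}Z$/, "Z");
}
function buildSampleLog() {
  const base = Date.parse("2019-02-26T12:40:00Z") / 1000;
  const lines = [];
  for (let i = 0; i < 12; i++) {
    lines.push(`${iso(base + 5 * i)} 203.0.113.7 POST /rest/user/login email=admin@example.test status=401`);
  }
  lines.push(`${iso(base + 60)} 203.0.113.7 POST /rest/user/login email=admin@example.test status=200`);
  lines.push(`${iso(base + 10)} 198.51.100.5 POST /rest/user/login email=yekki@example.test status=401`);
  lines.push(`${iso(base + 20)} 198.51.100.5 POST /rest/user/login email=yekki@example.test status=401`);
  lines.push(`${iso(base + 30)} 198.51.100.5 POST /rest/user/login email=yekki@example.test status=200`);
  return lines;
}

for (const alert of detectBruteForce(buildSampleLog())) {
  console.log(`${alert.kind}: ${alert.email} from ${alert.ip} after ${alert.failures} failures`);
}
```

With the defaults the sample produces exactly two alerts, both for the admin account from 203.0.113.7: a brute-force alert at the tenth failure and a success-after-brute-force alert at the 200. The keying on address plus account is a deliberate choice: keying on account alone also catches a distributed attempt against one user, and keying on address alone catches password spraying across many users; a production detector usually runs all three.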