Hacking OWASP’s Juice Shop Pt. 15: Meta Geo Stalking + Weird Crypto

Challenge 1: 

Name: Meta Geo Stalking

Description: Determine the answer to John’s security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.

Difficulty: 2 star

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Challenge 2: 

Name: Weird Crypto

Description: Inform the shop about an algorithm or library it should definitely not use the way it does.

Difficulty: 2 star

Category: Cryptographic Issues

Expanded Description: https://pwning.owasp-juice.shop/part2/cryptographic-issues.html

Tools used:

Burp, FoxyProxy, ExifTool

Resources used:

Google Maps Support

Hash Analyzer

CrackStation Password Hash Cracker

Methodology: 

Before going to the Photo Wall, it’s important to know what we’re looking for, so open the “Forgot Password” link and enter John’s email address (which we collected in the “Admin Section” challenge; alternatively, guess it).

[Screenshot: Forgot Password form with the email john@juice-sh.op entered. Security question: “What's your favorite place to go hiking?”]

Hiking, eh? OK. Let’s check the Photo Wall. There’s only one photo of a trail, but to be safe it’s a good idea to check the caption: “I love going hiking here… (© j0hNny)”. This certainly appears to be the right photo, so save it to your system and let’s check out the metadata. ExifTool is a fantastic tool for this type of thing.

[Photo from the Photo Wall, captioned: I love going hiking here… (© j0hNny)]

[Screenshot: terminal output of "exiftool favorite-hiking-place.png" (ExifTool 12.08). Relevant fields: GPS Latitude 36 deg 57' 31.38" N, GPS Longitude 84 deg 20' 53.58" W, GPS Map Datum WGS-84.]

Fortunately, Johnny isn’t savvy enough to strip EXIF data from his photos, so after looking up how Google Maps wants coordinates to be formatted, format the string and search.

*For a complicated set of reasons, other recommended formats may place the location in an entirely different area, so use “36°57’31.38″ N 84°20’53.58″ W”

[Screenshot: Google Maps search for 36°57'31.38" N 84°20'53.58" W (36.958717, -84.348217). The pin sits next to Scuttlehole Trailhead; address shown: London, KY 40744; plus code XM52+FP Sawyer, Kentucky.]

Be aware that you’re not just looking for candidate locations simply in the immediate area, so be sure to zoom out and gather more information about the general area.

[Screenshot: the same Google Maps result zoomed out. Labels visible around the pin: Sawyer, Meece, Poplarville, Mt Victory, Beaver Creek Wildlife Management Area, Daniel Boone National Forest.]

Now that we have enough information to build a list of potential locations, go ahead and do that.

Kentucky 
Sawyer 
Daniel Boone 
Daniel Boone National Forest 
Scuttlebutt 
Scuttlebutt Trail

At this point, the obvious tool to use would be Burp’s Intruder, but for the sake of variety I’m going to use Repeater.

[Screenshot: Burp Repeater. Request: POST /rest/user/reset-password to localhost:3000 with a JSON body containing email "john@juice-sh.op", answer "Kentucky", new "test1234", repeat "test1234". Response: HTTP/1.1 401 Unauthorized, body "Wrong answer to security question."]

After only a few failed attempts, the correct answer returns an abundance of user information.

[Screenshot: Burp Repeater. Request: POST /rest/user/reset-password with answer "Daniel Boone National Forest", new "test1234", repeat "test1234". Response: 200 OK with a JSON user object: id 18, username "j0hNny", email "john@juice-sh.op", password "16d7a4fca7442dda3ad93c9a726597e4", role "customer", isActive true, plus deluxeToken, lastLoginIp, profileImage, totpSecret, createdAt, updatedAt and deletedAt fields.]

You successfully solved a challenge: Meta Geo Stalking (Determine the answer to John's security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.)

At this point, the Meta Geo Stalking challenge is complete. There is, however, one piece of very useful information in the response packet: the password hash. It would be the height of foolishness to neglect that hash, as there are tools available to analyze it and tell you what hashing algorithm is in use.

[Screenshot: Hash Analyzer result for 16d7a4fca7442dda3ad93c9a726597e4. Hash type: MD5 or MD4. Bit length: 128. Character length: 32. Character type: hexadecimal.]

Unsalted MD4 and MD5 hashes are barely speedbumps to cracking passwords at this point in time, and should never be used. But we still have two options (MD4 or MD5), and I’d like to know if the server is responding with John’s new password or his old one, so to save time and effort we can use an online password hash cracker. While hashcat and John the Ripper are useful tools, they are more labor-intensive than is necessary for one hash. Work smarter, not harder.

[Screenshot: the hash submitted to CrackStation's Free Password Hash Cracker, which accepts up to 20 non-salted hashes and reports Hash, Type and Result columns.]

With such an outdated hashing algorithm in use, now is a good time to inform the shop of their vulnerability and pass the “Weird Crypto” challenge by submitting a customer feedback form containing the algorithm’s name.

[Screenshot: Customer Feedback form with the comment “md5” entered (3/160 characters), a rating and a CAPTCHA.]

You successfully solved a challenge: Weird Crypto (Inform the shop about an algorithm or library it should definitely not use the way it does.)
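
What fixing the unsalted MD5 storage looks like on the server side, as an added example (not code from the original post or from Juice Shop): passwords are stored with salted PBKDF2-HMAC-SHA256, and legacy MD5 rows are re-hashed on the next successful login. The storage format string, the function names and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to current guidance and hardware


def md5_unsalted(password):
    """The weak scheme: one fast round, no salt, same output for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 stored as algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_and_upgrade(password, stored):
    """Check a login against either format; return (ok, value_to_store)."""
    if "$" not in stored:  # legacy row: bare MD5 hex digest
        ok = hmac.compare_digest(md5_unsalted(password).encode(), stored.encode())
        return ok, (hash_password(password) if ok else stored)
    try:
        algorithm, rounds, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(rounds))
    except (ValueError, OverflowError):
        return False, stored
    ok = algorithm == "pbkdf2_sha256" and hmac.compare_digest(candidate, expected)
    return ok, stored
```

Two users with the same password get the same MD5 digest but different PBKDF2 records, which is what defeats precomputed lookup tables.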

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet – Meta Geo Stalking

OWASP Mitigation Cheat Sheet – Weird Crypto

  1. Strip EXIF data from your photos before posting them publicly. Most social media companies do this automatically, but it is not safe to assume that every site follows that best practice. If you’re working on a website which interacts with user media, strip unnecessary information from it before placing it somewhere your users can access it.
  2. Use modern, up-to-date hashing algorithms. Passwords stored as MD5 hashes are responsible for some of the biggest hacks in the last decade.

Lessons Learned and Things Worth Mentioning: 

  1. Kali, while tremendously capable, is not an all-in-one package. When running into situations where I want to solve a specific problem and Kali doesn’t have a relevant tool, I always try to track one down. ExifTool is a perfect example of this in action. It’s nice when that effort pays off in subsequent situations.
