Pwning OWASP’s Juice Shop Pt. 15: Meta Geo Stalking + Weird Crypto

Challenge 1: 

Name: Meta Geo Stalking

Description: Determine the answer to John’s security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.

Difficulty: 2 star

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Challenge 2: 

Name:  Weird Crypto

Description: Inform the shop about an algorithm or library it should definitely not use the way it does.

Difficulty: 2 star

Category: Cryptographic Issues

Expanded Description: https://pwning.owasp-juice.shop/part2/cryptographic-issues.html

Tools used:

Burp, FoxyProxy, ExifTool

Resources used:

Google Maps Support

Hash Analyzer

CrackStation Password Hash Cracker

Methodology: 

Before going to the photo wall, it’s important to know what we’re looking for, so open the “Forgot Password” link and enter John’s email address (which we collected in the “Admin Section” challenge. Alternatively, guess his email address).

Forgot Password 
Email 
john@juice-sh.op 
Security Question 
What's your favorite place to go hiking? 
Please provide an ansner to your security question. 
New Password 
O Password must be 5-20 characters long. 
Repeat New Password 
Show password advice 
Change 
o 
o 
0/20 
0/20

Hiking, eh? OK. Let’s check the Photo Wall. There’s only one photo of a trail, but to be safe it’s a good idea to check the caption: “I love going hiking here… (© j0hNny)”. This certainly appears to be the right photo, so save it to your system and let’s check out the metadata. ExifTool is a fantastic tool for this type of thing.

I love going hiking here… (© j0hNny)
total 6780 
drwxr-xr-x 
drwxr-xr-x 
-rw-r--r-- 
-rw-r--r-- 
Colbyakali :—/pictures$ Is 
2 Colby Colby 
34 colby colby 
1 Colby Colby 
4096 NOV 
4096 NOV 
666735 NOV 
1 colby colby 6264316 oct 
1 
1 
1 
27 
16:43 
12 
16:43 favorite-hiking-place.png 
21:51 juice.png 
Colbyakali :-/pictures$ exiftool favorite-hiking-place.png 
ExifTool Version Number 
File Name 
Directory 
File 
File 
File 
File 
File 
File 
File 
MIME 
Size 
Modification Date/Time 
Access Date/Time 
Inode Change Date/Time 
permissions 
Type 
Type Extension 
Type 
: 12.08 
: favorite-hiking-place.png 
: 651 kB 
. 16:43 
. rw-r--r 
. PNG 
. png 
Image Width 
Image Height 
Bit Depth 
Color Type 
Compression 
Fil ter 
Interlace 
Exif Byte Order 
Resolution Unit 
Y Cb Cr positioning 
GPS version ID 
GPS Latitude Ref 
GPS Longitude Ref 
GPS Map Datum 
Thumbnail Offset 
Thumbnail Length 
. image/png 
: 471 
: 627 
RGB 
. Deflate/ Inflate 
• Adaptive 
. Noninterlaced 
: Little-endian (Intel, 
11) 
SRGB Rendering 
pixels Per Unit 
pixels Per Unit 
pixel Units 
Image Size 
Megapixels 
Thumbnail Image 
act) 
GPS Latitude 
GPS Longitude 
GPS position 
x 
. inches 
: Centered 
. 2.2.ø.ø 
. North 
: West 
: WGS-84 
. 224 
: 4531 
. Perceptual 
: 2.2 
: 3779 
: 3779 
: meters 
: 471X627 
: 0.295 
: (Binary data 4531 
bytes, use 
-b option to extr 
: 36 deg 57' 
: 84 deg 20' 
: 36 deg 57' 
31.38" 
53.58" 
31.38" 
w 
N, 
84 deg 20' 
53.58" 
w

Fortunately Johnny isn’t savvy enough to strip exif data from his photos, so after looking up how Google Maps wants coordinates to be formatted, format the string and search.

*For a complicated set of reasons, other recommended formats may place the location in an entirely different area, so use “36°57’31.38″ N 84°20’53.58″ W”

3605781.38' N 84020'53.58" W 
3605731.4"N 8402053.6"W 
36.958717, -84.348217 
Directions 
Save 
Nearby 
Send to your 
phone 
Share 
Scuttlehole Trailhead 
D 
London, KY 40744 
XM52+FP sawyer, Kentucky 
Add a missing place 
Add your business 
Add a label

Be aware that you’re not just looking for candidate locations simply in the immediate area, so be sure to zoom out and gather more information about the general area.

3605781.38' N 8402053.58" W 
3605731.4"N 84020153.6"W 
36.958717, -84.348217 
Share 
Meece 
Poplarville 
valley 
Beaver Creek 
Wildlife 
Management 
Area 
Mt Victory 
Daniel Boone 
National Forest 
Directions 
Save 
Nearby 
Send to your 
phone 
D 
London, KY 40744 
XM52+FP sawyer, Kentucky 
Add a missing place 
Add your business 
Add a label 
Sawyer

Now that we have enough information to build a list of potential locations, go ahead and do that.

Kentucky 
Sawyer 
Daniel Boone 
Daniel Boone National Forest 
Scuttlebutt 
Scuttlebutt Trail

At this point, the obvious tool to use would be Burp’s Intruder, but for the sake of variety I’m going to use Repeater.

Dashboard 
Send 
Request 
rv•78 
Target 
Intruder 
Sequencer 
Decoder 
Comparer 
Extender 
Project options 
Response 
User options 
"SON web Tokens 
Logger 
Params 
Headers 
Actions v 
Pretty 
Raw 
I / rest/ user/ reset -password HIT P/ 1.1 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
4 Accept 
o) 
Gecko,'20100101 
Firefox/78 
Headers 
Raw Render 
Actions y 
HTTP/I.1 401 unauthorized 
Access-Cont rol -Allow-Origin: 
X-Content -Type-options: nosniff 
X-Frame-options: SAMEORIGIN 
Feature-policy: payment 
self' 
-RateLimit -Limit: 10 
-Remaining: 99 
Date: sun, 01 Nov 2020 21 Gl•rr 
-Ratel_imit -Reset: 1604267787 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
7 Content -Type: application/ j son 
Content -Length: 
Origin: http 
// I Ocal host 3000 
10 Connection: close 
Referer: http://localhost : 3000/ 
12 Cookle: language=en; welcomebanner 
email " "john@j uice-sh.op' , 
'Kentucky 
answer' 
'new" "test12S4" , 
repeat 
" "test 1234" 
status=dismiss, 
cookieconsent 
status=dismiss, 
Content -Type: text 'html; charset=utf-8 
Content -Length: 
a-rag: n,' '22-pKf21LHLRtt7tz87uofxryoVl_/s 
con 
Vary: Accept -Encoding 
Connection: close 
14 
16%rong answer to security question.

After only a few failed attempts, the correct answer returns an abundance of user information.

Dashboard 
Request 
rv•78 
Target 
Intruder 
epeater 
Sequencer 
Decoder 
Comparer 
Extender 
Project options 
User options 
ISON web Tokens 
_Actions 
Logger++ 
Target: http://localh• 
Params 
Headers 
Pretty 
Raw 
Actions V 
Response 
Headers 
Render 
Pretty 
Raw 
200 0K 
POST / rest/ user/ reset -password HIT P/ 1.1 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, I/ * 
Accept 
Accept -Language: en-lJS, en; q=O.S 
Accept -Encoding: gzip, deflate 
Content -Type: application/ j son 
Content -Length: IOS 
Origin: http://localhost : 3000 
Connection: close 
Referer: http://localhost : 3000/ 
Cookle: language=en; welcomebanner status=dismiss, 
o) 
Gecko,'20100101 
Firefox/78 
Access-Cont rol -Allow-Origin: 1 
X-Content -Type-options: nosniff 
zVX-Frame-options: SAMEORIGIN 
Feature-policy: payment 
self' 
-RateLimit -Limit: 10 
-RateLimit -Remaining: 98 
Date: sun, 01 Nov 2020 21 GI•TT 
x-RateLimit -Reset: 1604268087 
12 
14 
cookieconsent 
status=dismiss, 
email " "john@j uice-sh.op" , 
'Daniel Boone 
National 
answer' 
'new" "test12S4" , 
repeat 
" "test 1234" 
Fores 
Il 
con 
14 
16 
Content -Type: application/ j son; charset=utf- 
Content -Length: 
ass 
a-rag: A,' 163-DcdDnQccDUEqEnizq8ukJAzotT4" 
Vary: Accept -Encoding 
Connection: close 
"id" : 18, 
" "j OhNny 
'username 
email " "john@j uice-sh.op' , 
password 
" "16d7a4fca7442dda3ad9sc9a726S97e4" , 
role 
'customer' , 
'deluxeToken' 
"last Loginlp 
'0.0.0.0', 
profilelmage 
'assets/ public/ images/ uploads/ default. 
"totpSecret' 
"isActive" :true, 
svg , 
createdAt' 
'updatedAt " 
'deletedAt' 
2020-11-OIT17: 31 26 629Z" , 
2020-11-OIT21 56: 962Z" , 
:null
You successfully solved a challenge: Meta Geo Stalking (Determine the answer to John's security question by looking 
at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.) 
x

At this point, the Meta Geo Stalking challenge is complete. There is, however, one piece of very useful information in the response packet: the password hash. It would be the height of foolishness to neglect that hash, as there are tools available to analyze it and tell you what hashing algorithm is in use.

Hash Analyzer 
Tool to identify hash types. Enter a hash to be identified. 
16d7a4fca7442dda3ad93c9a726597e4 
Analyze 
Hash: 
Hash type: 
Bit length: 
Character length: 
Character type: 
16d7a4fca7442dda3ad93c9a726597e4 
Not Found 
MDS or MD4 
128 
32 
hexidecimal

Unsalted MD4 and MD5 hashes are barely speedbumps to cracking passwords at this point in time, and should never be used. But we still have two options (MD4 or MD5), and I’d like to know if the server is responding with John’s new password or his old one, so to save time and effort we can use an online password hash cracker. While hashcat and JohnTheRipper are useful tools, they are more labor intensive than is necessary for one hash. Work smarter, not harder.

CrackSt7tiön 
Defuse.ca • 
ckStation Password Hashing Security 
Defuse Security 
Free Password Hash Cracker 
Enter up to 20 non-salted hashes, one per line: 
16d7a4fca7442dda3ad93cga726597e4 
I'm not a robot 
recAPTCHA 
Crack Hashes 
Supports: LM, NTLM. md2, md4, md5, mos-half, shal, sha224, sha2S6, sha384, sha512. ripeMD160, whirlpool, MySQL QubesV3.13ackupDefauIts 
Hash 
d7a4fca7442dda3ad93C%726597e4 
Type 
Result

With such an outdated encryption algorithm in use, now is a good time to inform the shop of their vulnerability and pass the “Weird Crypto” challenge by submitting a customer feedback form containing the algorithm’s name.

Customer Feedback 
Author - 
Comment 
md5 
O Max. 160 characters 
3/160 
Rating 
CAPTCHA: 
What is 
Submit
You successfully solved a challenge: Weird Crypto (Inform the shop about an algorithm or library it should definitely not use the way it does.) X

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet – Meta Geo Stalking

OWASP Mitigation Cheat Sheet – Weird Crypto

  1. Strip EXIF data from your photos before posting them publicly. Most social media companies do this automatically, but it is not safe to assume that every site follows that best practice. If you’re working on a website which interacts with user media, strip unnecessary information from it before placing it somewhere your users can access it.
  2. Use modern, up-to-date hashing algorithms. Passwords stored as md5 hashes are responsible for some of the biggest hacks in the last decade.

Lessons Learned and Things Worth Mentioning: 

  1. Kali, while tremendously capable, is not an all-in-one package. When running into situations where I want to solve a specific problem and Kali doesn’t have a relevant tool, I always try to track one down. ExifTool is a perfect example of this in action. It’s nice when that effort pays off in subsequent situations.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s