Challenge:
Name: Visual Geo Stalking
Description: Determine the answer to Emma’s security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.
Difficulty: 2 star
Category: Sensitive Data Exposure
Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html
Tools used:
GIMP
Resources used:
None.
Methodology:
To know what we’re looking for, first we should visit the “Forgot Password” page and find out what Emma’s security question is by entering her email address into the appropriate box.

We appear to be looking for a business name. Next we need to find the photo in question. After navigating to the Photo Wall, the first thing to do is figure out which photo belongs to Emma. Three of the images belong to Bjoern, and one to John. That leaves the image of a building with the caption “My old workplace… (© E=ma²)” which is close enough to “Emma” that, coupled with knowing who took all of the other photos, we should focus on it. Save it to your system and let’s get started!

Using the GNU Image Manipulation Program (GIMP), open the photo and examine it very carefully for anything which might give away the name. I promise the answer is there if you look hard enough.
Seriously. Keep looking. Try harder.
STOP SCROLLING
OK, here’s the answer.

That looks an awful lot like “ITsec”, doesn’t it? Let’s give it a shot!

Prevention and mitigation strategies:
When posting photos, don’t reveal sensitive information to the masses. For instance, if you’re using your father’s middle name as a security question, don’t take a photo of his mail.
Lessons Learned and Things Worth Mentioning:
- Take the time to gather as much data as possible. Had I not known that this sign was here (from past tinkering with Juice Shop), I’d have passed right by it. In the future I will be more patient and thorough.