Challenge:
Name: Login Amy
Description: Log in with Amy’s original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the “One Important Final Note”)
Difficulty: 3 star
Category: Sensitive Data Exposure
Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html
Tools used:
Burp, FoxyProxy
Resources used:
None.
Methodology:
As usual, my first stop is the expanded description. In that description, a bullet point states that “The challenge description, in addition to an image of Amy and Kif, contains a few sentences which give away some information how Amy decided to strengthen her password.”. Only two phrases in the challenge description stood out as unique: “93.83 billion trillion trillion centuries”, and “one important final note”. So I started by googling what I assumed would be the less common of the two.

That top link looks curiously relevant to this challenge, so I opened it up and scrolled through until I came across the second unique phrase:
Since the expanded description also stated that “Amy – being a little dimwitted – did not put nearly enough effort and creativity into the password selection process”, I knew she had used the same number of periods after her password. Then, based on the image in the expanded description, I worked out that Kif must have been the name she used for her password (with numbers instead of vowels thanks to MS SafeSearch).
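The point behind the challenge, shown as an added example that is not code from this write-up or from OWASP Juice Shop: the astronomical brute-force figure assumes a uniform search over every string of that length and character mix, while a word padded with one repeated character lives in a far smaller pattern-aware space. The wordlist, the leet table, the padding model and the guess rate below are all constructed assumptions.

```python
import string

# Constructed stand-in for a real dictionary or breach corpus.
DICTIONARY = {"coffee", "kitten", "dragon", "secret"}
# Assumed leet substitutions a pattern-aware search would undo (0->o, 1->i, ...).
LEET = str.maketrans("013457@$", "oieastas")
MAX_PAD = 20        # assumption: longest padding run the pattern model considers
LEET_VARIANTS = 2   # assumption: plain word plus one leet-substituted form
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def haystack_size(password: str) -> int:
    """Search space a naive brute-force estimate assumes: every string up to
    len(password) drawn from the character classes the password uses."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return sum(alphabet ** n for n in range(1, len(password) + 1))

def padded_dictionary_word(password: str):
    """Return (word, pad_char, pad_len) when the password is a dictionary word,
    possibly leet-substituted, followed by a run of one repeated character;
    otherwise None. This is the structure the write-up describes."""
    if not password:
        return None
    pad = password[-1]
    core = password.rstrip(pad)
    for candidate, pad_len in ((core, len(password) - len(core)), (password, 0)):
        word = candidate.lower().translate(LEET)
        if word in DICTIONARY:
            return word, (pad if pad_len else ""), pad_len
    return None

def pattern_guesses() -> int:
    """Candidates a pattern-aware search tries: each word, in each leet variant,
    followed by 0..MAX_PAD copies of any punctuation character."""
    return len(DICTIONARY) * LEET_VARIANTS * (1 + len(string.punctuation) * MAX_PAD)

def centuries_to_crack(guesses: int, rate: float = 1e11) -> float:
    """Worst-case time at an assumed guess rate of `rate` guesses per second."""
    return guesses / rate / (3600 * 24 * 365.25 * 100)

if __name__ == "__main__":
    pw = "c0ffee" + "." * 7  # constructed sample in the padded-word shape
    print(f"naive estimate: {centuries_to_crack(haystack_size(pw)):.3g} centuries")
    print(f"pattern-aware:  {centuries_to_crack(pattern_guesses()):.3g} centuries")
    print("structure:", padded_dictionary_word(pw))
```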


Prevention and Mitigation Strategies:
Take password security seriously. If you absolutely must share a password with someone else (spouse, shifty stranger, etc.), do not send it over SMS, email, or any other electronic medium without encrypting it first. Generating and using an RSA key pair is a pain (not to mention getting the other person to do it), but it beats having your identity stolen.
Use unique passwords for every account you have. When I took my first security course a year ago, I was one of those people who reused a few passwords over and over. Today I carry a cipher with me everywhere I go (qwertycards.com has credit card-sized unique ciphers for $5), and to keep myself from forgetting any of the dozen different password character restrictions I’ve encountered, I store all of my passwords in a password manager.
Password managers aren’t 100% secure either (nothing is), but someone has to seriously want your passwords to successfully use a tool like KeeFarce against KeePass 2.x.
Lessons Learned and Things Worth Mentioning:
Google is a fantastic resource when it comes to OSINT data collection and research. Learning how to craft more effective queries is tremendously helpful for separating signal from noise, though sometimes regular old queries work just fine.