Hacking OWASP’s Juice Shop Pt. 26: Login Jim


Name: Login Jim

Description: Log in with Jim’s user account.

Difficulty: 3 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp, FoxyProxy, hashcat

Resources used:

Database Schema


My methodology for solving this challenge differs greatly from the norm, in that usually I would read the expanded description, try to find what the Forgotten Password hint was, then solve the challenge by resetting his password.

[Screenshot: Forgot Password form showing the security question "Your eldest siblings middle name?"]

In this case, however, I had harvested his password hash (along with all others) in the Database Schema challenge. Having that MD5 hash in my possession, I simply ran it through hashcat and entered the cracked password: ncc-1701.

Approaching final keyspace - workload adjusted.
For such an insecure web application, only three cracked hashes is remarkable.
You successfully solved a challenge: Login Jim (Log in with Jim's user account.)

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet 
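
The password fell quickly because it was stored as a plain MD5 hash. As an added example (not part of the original post and not Juice Shop's own code), here is one way to store passwords with a per-user salt and a slow key-derivation function, and to upgrade old MD5 rows when a user next logs in. The function names, the record format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 work factor; tune it to your own hardware.
ITERATIONS = 600_000


def legacy_md5(password):
    """Unsalted MD5 hex digest: the weak format, kept only to migrate old rows."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password):
    """Return 'pbkdf2$<iterations>$<salt hex>$<digest hex>' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password, stored):
    """Check a login attempt and return (ok, value_to_store)."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate.hex(), digest_hex), stored
    # Legacy row (bare MD5 hex): on a correct login, replace it with a salted hash.
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, hash_password(password)
    return False, stored


if __name__ == "__main__":
    pw = "ncc-1701"  # the password from this write-up, used as sample input
    print("same MD5 for same password:", legacy_md5(pw) == legacy_md5(pw))
    print("same PBKDF2 record for same password:", hash_password(pw) == hash_password(pw))
    ok, new_value = verify_and_upgrade(pw, legacy_md5(pw))
    print("legacy login ok:", ok, "-> stored as", new_value.split("$")[0])
```

With a random salt, two users who share a password no longer share a stored value, and each guess costs the full iteration count instead of a single MD5 computation.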

Lessons Learned and Things Worth Mentioning: 

  1. I should have looked up what NCC-1701 meant. It would have saved me time down the road.
  2. Once again, extra data collected in earlier challenges saved me time and effort.

