Hacking OWASP’s Juice Shop Pt. 27: Reset Jim’s Password

Challenge: 

Name: Reset Jim’s Password

Description: Reset Jim’s password via the Forgot Password mechanism with the original answer to his security question.

Difficulty: 3 star

Category: Broken Authentication

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

Occasionally I get egg on my face. This is one such challenge. In the Login Jim challenge, it was revealed that Jim’s password is “ncc-1701”. If I’d spent 10 seconds googling that password I would have saved myself quite a bit of work. Anyway, here’s how I actually approached the problem.

First, as many things in this app have something to do with Futurama, I checked the list of Futurama voice actors for a “Jim”.

No luck. Next I searched for famous Jims, looked through their Wikipedia pages for sibling names and added them to a wordlist. I failed to consider that “James” is synonymous with “Jim”.

[Screenshot: Google search for "celebrities named jim" (about 14,000,000 results). The top result is the Wikipedia page "Jim (given name)" (en.wikipedia.org/wiki/Jim_(given_name)), listing Jim Belushi (born 1954), American actor; Jim Brown (born 1936), American professional football player; Jim Bridwell (1944-2018), American rock climber; Jim Broadbent (born 1949), English actor; Jim Caldwell (born 1955), American football coach; Jim Carrey (born 1962), Canadian-American actor; and more.]

Then, as I’ve done repeatedly, I threw the wordlist into Burp’s Intruder for a Sniper attack.
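From the defender's side, a run like this is easy to spot in application logs: many failed reset attempts for one account from one source inside a short window, all with the same response length. The following detector is an added example written for this post, not part of Juice Shop or of the original write-up; the log format (timestamp, method and path, ip=, email=, status=, len=) and the sample lines are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical application-log format (not Juice Shop's
# own log format). The burst from 10.0.0.5 mirrors a six-guess Intruder run; the
# bender@juice-sh.op lines are an ordinary failed-then-successful reset for contrast.
SAMPLE_LOG = """\
2020-08-01T12:00:01Z POST /rest/user/reset-password ip=10.0.0.5 email=jim@juice-sh.op status=401 len=452
2020-08-01T12:00:02Z POST /rest/user/reset-password ip=10.0.0.5 email=jim@juice-sh.op status=401 len=452
2020-08-01T12:00:02Z POST /rest/user/reset-password ip=10.0.0.5 email=jim@juice-sh.op status=401 len=452
2020-08-01T12:00:03Z POST /rest/user/reset-password ip=10.0.0.5 email=jim@juice-sh.op status=401 len=452
2020-08-01T12:00:03Z POST /rest/user/reset-password ip=10.0.0.5 email=jim@juice-sh.op status=401 len=452
2020-08-01T12:00:04Z POST /rest/user/reset-password ip=10.0.0.5 email=jim@juice-sh.op status=401 len=452
2020-08-01T12:05:00Z POST /rest/user/reset-password ip=10.0.0.9 email=bender@juice-sh.op status=401 len=452
2020-08-01T12:30:00Z POST /rest/user/reset-password ip=10.0.0.9 email=bender@juice-sh.op status=200 len=310
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) POST /rest/user/reset-password ip=(?P<ip>\S+) "
    r"email=(?P<email>\S+) status=(?P<status>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that are not reset attempts."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "email": m["email"],
        "status": int(m["status"]),
        "len": int(m["len"]),
    }


def detect_reset_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag (email, ip) pairs with at least `threshold` failed reset attempts inside a
    sliding window of `window_seconds`. One alert per pair; successful resets are ignored."""
    recent = defaultdict(deque)   # (email, ip) -> timestamps of recent failures
    alerts = []
    alerted = set()
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["status"] == 200:
            continue
        key = (ev["email"], ev["ip"])
        hits = recent[key]
        hits.append(ev["ts"])
        while hits and ev["ts"] - hits[0] > window:   # drop failures outside the window
            hits.popleft()
        if len(hits) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "email": ev["email"],
                "ip": ev["ip"],
                "failures": len(hits),
                "first": hits[0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


def failure_lengths(log_text):
    """Distinct response lengths of failed attempts. A single value is the same
    'every response is the same length' signal an Intruder results table shows."""
    return {ev["len"] for ev in map(parse_line, log_text.splitlines())
            if ev is not None and ev["status"] != 200}


if __name__ == "__main__":
    for a in detect_reset_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a['email']} from {a['ip']}: {a['failures']} failed resets "
              f"between {a['first']} and {a['last']}")
    print("failure response lengths:", failure_lengths(SAMPLE_LOG))
```

The window is keyed on the (email, ip) pair so one user who mistypes an answer twice is not flagged, while a scripted run against a single account trips the threshold within seconds; keying on email alone would also catch a distributed run at the cost of more noise.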

[Screenshot: Burp Intruder, Payload Positions tab, attack type Sniper. Base request:]

POST /rest/user/reset-password HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 80
Origin: http://localhost:3000
Connection: close
Referer: http://localhost:3000/
Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; continueCode=(value omitted); io=(value omitted)

{"email":"jim@juice-sh.op","answer":"§John§","new":"test1234","repeat":"test1234"}

[The § markers wrap the security-question answer, the only payload position.]

[Screenshot: Intruder attack 2 results table. Payloads Marian, Patricia, Pete, Tom, Ann, Amy and the remaining entries all show no Error and no Timeout, and every response has Length 452.]

This yielded nothing, so I scraped the US Social Security Administration’s “Most popular names of the 19×0’s” and processed that information using a Python script to create a larger wordlist ranging from the 1950’s to the 1990’s.

[Screenshot: the Python script used to build the wordlist, and part of its output. The script as reconstructed from the screenshot (the Windows path is cut off in the image, so a placeholder stands in for it; the column indices follow the SSA table layout of rank, male name, count, female name, count):]

    filepath = "PATH_TO_SSA_NAMES_FILE.txt"  # actual path not legible in the screenshot

    names = set()
    with open(filepath) as fp:
        for line in fp:
            inputs = line.split('\t')  # tab-separated columns: rank, male name, count, female name, count
            names.add(inputs[1].strip())  # male name
            names.add(inputs[3].strip())  # female name

    for name in names:
        print(name)

[Output, partial: Beverly, Curtis, Adam, Jaime, Shawn, Christina, Kathleen, Kathy, Julian, Alisha, Carl, Austin, ...]

Still nothing. So I started digging around the site trying to find out more about Jim. After an embarrassingly long time, I stumbled upon the reviews. What I found most interesting about the reviews is that they do not appear in the site’s database. They are a separate entity entirely, so they must be searched individually.

[Screenshot: product "Green Smoothie" ("Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.", 1.99¤), Reviews (1): jim@juice-sh.op: "Fresh out of a replicator."]

Replicator? Sounds like Star Trek.

[Screenshot: product "Sticker" ("Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!"), Reviews (3): mc.safesearch@juice-sh.op: "Rad, dude!"; jim@juice-sh.op: "Looks spacy on Bones' new tricorder!"; bender@juice-sh.op: "Will put one on the Planet Express ship's bumper!"]

Tricorder?

[Screenshot: product "OWASP Juice Shop-CTF Velcro Patch" ("4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!", 2.92¤), Reviews (2): mc.safesearch@juice-sh.op: "This thang would look phat on Bobby's jacked fur coat!"; jim@juice-sh.op: "Looks so much better on my uniform than the boring Starfleet symbol."]

STARFLEET! Of course!

[Screenshot: Wikipedia, James T. Kirk, "Depiction" section:]

James Tiberius Kirk was born in Riverside, Iowa, on March 22, where he was raised by his parents, George and Winona Kirk.[2] Although born on Earth, Kirk lived for a time on Tarsus IV, where he was one of nine surviving witnesses to the massacre of 4,000 colonists by Kodos the Executioner. James Kirk's brother, George Samuel Kirk, is first mentioned in "What Are Little Girls Made Of?" and introduced and killed in "Operation: Annihilate!", leaving behind three

Despite “George” being highlighted here, the answer is actually Samuel.

[Notification: You successfully solved a challenge: Reset Jim's Password (Reset Jim's password via the Forgot Password mechanism with the original answer to his security question.)]

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet
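The root cause here is a security question whose answer is public trivia, and the cheat sheet's advice boils down to: treat the answer like a credential (store it hashed, compare it in constant time), give every failure the same response, and stop the guessing after a handful of attempts. The service below is an added example written for this post to show those controls together; it is not Juice Shop's own reset code. The user store, salt, iteration count, clock injection and lockout values are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000          # PBKDF2 work factor for the demo; tune for your hardware
DUMMY_SALT = b"\x00" * 16    # used so unknown/locked accounts cost the same as real ones


def normalize(answer):
    """Case- and whitespace-insensitive so 'Samuel' and ' samuel ' match; nothing more."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer, salt):
    """Salted PBKDF2 hash of the security answer; the plaintext answer is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


class ResetService:
    MAX_ATTEMPTS = 5         # a six-name Intruder run is cut off at the fifth failure
    LOCKOUT_SECONDS = 900
    GENERIC = "If the address is registered and the answer is correct, the password has been reset."

    def __init__(self, users, clock=time.time):
        self.users = users           # email -> {"salt", "answer_hash", "password"}
        self.clock = clock           # injectable so lockout expiry can be tested
        self.failures = {}           # email -> consecutive failed attempts
        self.locked_until = {}       # email -> unix time at which the lockout ends

    def reset_password(self, email, answer, new_password):
        """Every non-success path returns the same message and does the same hashing
        work, so a caller cannot tell unknown user, wrong answer and locked account apart."""
        now = self.clock()
        user = self.users.get(email)
        if user is None or self.locked_until.get(email, 0) > now:
            hash_answer(answer, DUMMY_SALT)            # same cost as a real comparison
            return {"ok": False, "message": self.GENERIC}
        candidate = hash_answer(answer, user["salt"])
        if not hmac.compare_digest(candidate, user["answer_hash"]):   # constant-time compare
            self.failures[email] = self.failures.get(email, 0) + 1
            if self.failures[email] >= self.MAX_ATTEMPTS:
                self.locked_until[email] = now + self.LOCKOUT_SECONDS
                self.failures[email] = 0
            return {"ok": False, "message": self.GENERIC}
        self.failures[email] = 0
        user["password"] = new_password               # a real app would hash this too
        return {"ok": True, "message": "Password reset."}


def make_demo_users():
    """Constructed user store: Jim's answer is the one the challenge wants, stored hashed."""
    salt = os.urandom(16)
    return {"jim@juice-sh.op": {"salt": salt,
                                "answer_hash": hash_answer("Samuel", salt),
                                "password": "ncc-1701"}}


if __name__ == "__main__":
    svc = ResetService(make_demo_users())
    for guess in ["Marian", "Patricia", "Pete", "Tom", "Ann", "Amy"]:
        print(guess, "->", svc.reset_password("jim@juice-sh.op", guess, "test1234")["message"])
    # Even the right answer is refused while the lockout is active:
    print("Samuel ->", svc.reset_password("jim@juice-sh.op", "Samuel", "test1234")["ok"])
```

The lockout is per account rather than per source address, because the attacker picks the address and the defender picks the account; pair it with the log-based detection so a locked account also produces an alert rather than silently absorbing guesses. None of this makes "what is your brother's name" a good secret, which is why the cheat sheet prefers a time-limited reset token sent out of band over any security question at all.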

Lessons Learned and Things Worth Mentioning: 

For all of my talk about how previously gathered data is a timesaver, I failed to take that into account in this instance. I should have been more attentive to that detail. I could blame it on not being a Trekkie, but that’s a cop out. I should’ve searched “ncc-1701” the first time I saw it.
