Hacking OWASP’s Juice Shop Pt. 27: Reset Jim’s Password

Challenge:

Name: Reset Jim’s Password

Description: Reset Jim’s password via the Forgot Password mechanism with the original answer to his security question.

Difficulty: 3 star

Category: Broken Authentication

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology:

Occasionally I get egg on my face. This is one such challenge. In the Login Jim challenge, it was revealed that Jim’s password is “ncc-1701”. If I’d spent 10 seconds googling that password I would have saved myself quite a bit of work. Anyway, here’s how I actually approached the problem.

First, as many things in this app have something to do with Futurama, I checked the list of Futurama voice actors for a “Jim”.

No luck. Next I searched for famous Jims, looked through their Wikipedia pages for sibling names and added them to a wordlist. I failed to consider that “James” is synonymous with “Jim”.

celebrities named jim
Q All Images News Shopping
About 14,000,000 results (1.07 seconds)
• Jim Belushi (born 1954), American actor.
@ Videos
More
• Jim Brown (born 1936), American professional football player.
• Jim Bridwell (1944-2018), American rock climber.
• Jim Broadbent (born 1949), English actor.
• Jim J..
• Jim Caldwell (born 1955), American football coach.
• Jim Carrey (born 1962), Canadian-American actor.
More items...
en.wikipedia.org wiki Jim_(given_name)
Jim (given name) - Wikipedia

Then, as I’ve done repeatedly, I threw the wordlist into Burp’s Intruder for a Sniper attack.

Dashboard
Target
Target
Proxy
Payloads
ntru
Options
Repeater
Sequencer
Decoder
Comparer
Extender
Project options
User options
? Payload Positions
Configure the positions where payloads will be inserted into the base request The attacktype determines the way in which payloads are
Attack type Sniper
POST / rest/ user/ reset -password
Host: local host 3000
H-rrp/l.l
User-Agent: MoziIIa/S.O (X
11; Linux x86 64;
application/ j son, text/ plain,
Accept
Accept -Language: en-lJS, en; q=O.S
Accept -Encoding: gzip, deflate
Content -Type: application/ j son
Content -Length: 80
Origin: http
// I Ocal host 3000
Connection: close
Referer: http://localhost : 3000/
rv.78.o)
Gecko,'20100101 Firefox,'78.o
12
14
Cookle: language=en; welcomebanner status=dismiss;
cookieconsent status=dismiss,
continueCode=
LQhrtws4UYH7ujh8TIFNfkiafJQuKKhv1fersj mU81u1m1nvUo',NHYZfzwUnRtk6czxT8qfm7fjns1R; io=HVeHsfutUxUSPZNyAAAD
email
"jim@juice-sh.op ,
answer'
'SJohnS
" "test 1234"}
'new" "test1234" ,
repeat

I nt ruder attac k 2
Attack Save Columns
Target
Positions
Filter: Showing all items
Payload
Marian
Patricia
pete
Tom
Ann
A my
Payloads
Options
Status
Error
o
o
o
o
o
o
o
o
o
Timeout
o
o
o
o
o
o
o
o
o
Length
452
452
452
452
452
452
452
452
452
Comment

This yielded nothing, so I scraped the US Social Security Administration’s “Most popular names of the 19×0’s” and processed that information using a Python script to create a larger wordlist ranging from the 1950’s to the 1990’s.

filepath
"C : . txt "
inputs
names =
- with open (filepath) as fp:
for line in fp:
inputs =
line. split( ' it')
names . add (inputs )
dd(inputsC3))
names . a
for name in names:
print (name)
with open(filepath) as fp
Leetcode k
Beverly
Curtis
Adam
Ja ime
Shawn
mea yne
Christina
Kath lee n
Kathy
Julian
Alisha
Carl
Austin
for line in fp

Still nothing. So I started digging around the site trying to find out more about Jim. After an embarrassingly long time, I stumbled upon the reviews. What I found most interesting about the reviews is that they do not appear in the site’s database. They are a separate entity entirely, so they must be searched individually.

Green Smoothie
Looks poisonous but is
actually very good for your
health! Made from green
cabbage, spinach, kiwi and
grass.
1.99Ä
Reviews (1)
jim@juice-sh.op
Fresh out of a replicator.
Write a review
Review
What did you like or dislike? — _{Replicator? Sounds like Star Trek.}

Sticker
Die-cut holographic sticker.
Stand out from those 08/15-
sticker-covered laptops with
this shiny beacon of 80's
coolness!
Reviews (3)
mc.safesearch@juice-sh.op
Rad, dude!
jim@juice-sh.op
Looks spacy on Bones' new tricorder! 16
bender@juice-sh.op
Will put one on the Planet Express ship's bumpe
r! — _Tricorder?

OWASP Juice
Shop-CTF Velcro
Patch
4x3.5" embroidered patch with
velcro backside. The ultimate
decal for every tactical bag or
backpack!
2.92Ä
Reviews (2)
mc.safesearch@juice-sh.op
This thang would look phat on Bobby's jacked fu
r coat!
jim@juice-sh.op
Looks so much better on my uniform than the bo
ring Starfleet symbol.

STARFLEET! Of course!

Depiction I edit]
James Tiberius Kirk was born in Riverside, Iowa, on March 22, where ne was raised by nis parents, George and
Winona Kirk. [21 Although born on Earth, Kirk lived for a time on Tarsus IV, where ne was one ot nine surviving witnesses
to the massacre ot 4,000 colonists by Kodos the Executioner. James Kirk's brother, George Samuel Kirk, is first
mentioned in '"What Are Little Girls Made Of?" and introduced and killed in "Operation: Annihilate'", leaving behind three

Despite “George” being highlighted here, the answer is actually Samuel.

You successfully solved a challenge: Reset Jim's Password (Reset Jim's password via the Forgot Password mechanism with the original answer to his security question.) X

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet

Lessons Learned and Things Worth Mentioning:

For all of my talk about how previously gathered data is a timesaver, I failed to take that into account in this instance. I should have been more attentive to that detail. I could blame it on not being a Trekkie, but that’s a cop out. I should’ve searched “ncc-1701” the first time I saw it.

Curiosity Kills Colby

Northwestern Misadventures

Hacking OWASP’s Juice Shop Pt. 27: Reset Jim’s Password

Leave a Reply Cancel reply

Share this:

Like this:

Related

Leave a Reply Cancel reply