Challenge 1:
Name: Upload Size
Description: Upload a file larger than 100 kB.
Difficulty: 3 star
Category: Improper Input Validation
Challenge 2:
Name: Upload Type
Description: Upload a file that has no .pdf or .zip extension.
Difficulty: 3 star
Category: Improper Input Validation
Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html
Tools used:
Burp, FoxyProxy, Mousepad
Resources used:
None.
Methodology:
While the number of images in this walkthrough might suggest a difficult challenge, in reality it was mostly just tedious. The first thing I did was log in (I used the admin account, but any account would work) and test the Complaint form's parameters. The form accepts only two file types, PDF and ZIP, and that check is easy enough to circumvent: simply renaming a text file to "filename.txt.zip" is enough to fool it. There is also a 100 kB size limit to deal with, though.
The file I wanted to upload, db_contents.txt, is well above that limit, so after copying the original to a safe location where it wouldn't be at risk of destruction if I made a mistake, I opened the text file, created a second text file in another tab, and moved the majority of db_contents.txt over to that temporary file.

![Mousepad screenshot: db_contents.txt open beside a second "Untitled 2" tab; the dump shows the Users table (ids, roles, e-mail addresses and password hashes) and the Products table](https://curiositykillscolby.files.wordpress.com/2020/11/image-112.jpeg?w=1024)
![Mousepad screenshot: the trimmed db_contents.txt, now holding only the sqlite_sequence table (18 entries)](https://curiositykillscolby.files.wordpress.com/2020/11/image-115.jpeg?w=523)
After saving the trimmed db_contents.txt with a .zip extension and confirming that it was below the 100 kB threshold, I set up Burp to intercept the request and submitted the file via the Complaint form.


![Burp Proxy intercept: the multipart POST to http://localhost:3000, with the Content-Disposition filename ending in .zip, Content-Type application/zip, and the trimmed sqlite_sequence table as the file body](https://curiositykillscolby.files.wordpress.com/2020/11/image-110.jpeg?w=578)
Now it was just a case of pasting the original contents of db_contents.txt back into the intercepted request body (so the file is once again well over 100 kB) and removing the .zip suffix from the filename in the Content-Disposition header.
![Burp Proxy intercept: the edited request, with the filename changed to db_contents.txt and the full Users table (including password hashes) restored in the body](https://curiositykillscolby.files.wordpress.com/2020/11/image-111.jpeg?w=612)
Then I hit "Forward". The server accepted a file that was neither a PDF nor a ZIP and was well over 100 kB, solving both challenges; the form's restrictions are evidently never repeated on the server.

Prevention and Mitigation Strategies:
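As an added example (this is not code from the walkthrough or from Juice Shop itself), the following Node.js snippet rebuilds the multipart request that was edited in Burp above and then applies the server-side checks a complaint upload handler should have had: an extension allowlist, a size limit, and a check of the file's own header bytes so that a renamed text file cannot pass as a ZIP. The field name "file", the boundary string, the 100 kB limit, the function names and the sample payloads are all assumptions made for illustration.

```javascript
// Added example, not Juice Shop code. Assumptions: a single file part named
// "file", a fixed boundary, a 100 kB limit and constructed sample payloads.
const MAX_BYTES = 100 * 1024;
const ALLOWED_EXT = new Set(['.pdf', '.zip']);
// File signatures: ZIP local-file header "PK\x03\x04", PDF header "%PDF-".
const MAGIC = {
  '.zip': Buffer.from([0x50, 0x4b, 0x03, 0x04]),
  '.pdf': Buffer.from('%PDF-', 'latin1'),
};

// Build the multipart/form-data body the browser (or Burp) sends for one file.
function buildMultipart(filename, contentType, data, boundary = 'WalkthroughBoundary') {
  const head = Buffer.from(
    `--${boundary}\r\n` +
    `Content-Disposition: form-data; name="file"; filename="${filename}"\r\n` +
    `Content-Type: ${contentType}\r\n\r\n`, 'latin1');
  const tail = Buffer.from(`\r\n--${boundary}--\r\n`, 'latin1');
  return Buffer.concat([head, data, tail]);
}

// Minimal parser for a single-part body (enough for this example, not general).
function parseMultipart(body, boundary) {
  const open = Buffer.from(`--${boundary}\r\n`, 'latin1');
  const close = Buffer.from(`\r\n--${boundary}--`, 'latin1');
  const start = body.indexOf(open) + open.length;
  const headerEnd = body.indexOf('\r\n\r\n', start, 'latin1');
  const headers = body.subarray(start, headerEnd).toString('latin1');
  const dataEnd = body.indexOf(close, headerEnd);
  const fn = /filename="([^"]*)"/i.exec(headers);
  const ct = /content-type:\s*([^\r\n]+)/i.exec(headers);
  return {
    filename: fn ? fn[1] : '',
    contentType: ct ? ct[1].trim() : '',
    data: body.subarray(headerEnd + 4, dataEnd),
  };
}

// Server-side validation. The client-supplied extension and Content-Type are
// only hints; the decisive checks are the size and the file's own header bytes.
function validateUpload({ filename, data }) {
  const m = /(\.[^./\\]+)$/.exec(filename.toLowerCase());
  const ext = m ? m[1] : '';
  if (!ALLOWED_EXT.has(ext)) return { ok: false, reason: 'extension not allowed' };
  if (data.length > MAX_BYTES) return { ok: false, reason: 'file too large' };
  const magic = MAGIC[ext];
  if (data.length < magic.length || !data.subarray(0, magic.length).equals(magic)) {
    return { ok: false, reason: 'content does not match extension' };
  }
  return { ok: true, reason: 'accepted' };
}

// Replay the walkthrough's steps against the validator. All payloads are constructed.
function demo() {
  const boundary = 'WalkthroughBoundary';
  const dump = Buffer.alloc(150 * 1024, 'Table: Users\n'); // stand-in for db_contents.txt (>100 kB)
  const trimmed = dump.subarray(0, 40 * 1024);             // the cut-down copy (<100 kB)
  const zipHeader = Buffer.from([0x50, 0x4b, 0x03, 0x04]);
  const cases = {
    // Step 1: text file renamed to .txt.zip and trimmed under the limit.
    renamedText: buildMultipart('db_contents.txt.zip', 'application/zip', trimmed, boundary),
    // Step 2: the Burp-edited request, .zip suffix removed and full contents restored.
    burpEdited: buildMultipart('db_contents.txt', 'application/zip', dump, boundary),
    // A real but oversized ZIP, and a small real ZIP for comparison.
    bigZip: buildMultipart('big.zip', 'application/zip',
      Buffer.concat([zipHeader, Buffer.alloc(MAX_BYTES)]), boundary),
    smallZip: buildMultipart('complaint.zip', 'application/zip',
      Buffer.concat([zipHeader, Buffer.alloc(64)]), boundary),
  };
  const results = {};
  for (const [name, body] of Object.entries(cases)) {
    results[name] = validateUpload(parseMultipart(body, boundary)).reason;
  }
  return results;
}

console.log(demo());
```

Run with `node upload-check.js`. Both of the walkthrough's tricks are caught: the renamed text file has a permitted extension and size but the wrong leading bytes, and the Burp-edited request fails on the extension before its size is even considered. Checking the header bytes is not a complete content check (a real ZIP can still carry anything inside it), but it removes the extension-only reasoning the form relied on.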
Lessons Learned and Things Worth Mentioning:
The first time I ever attended a CTF event, the very first flag I captured was simply because I knew enough to disregard file extensions. Opening that .png as a text file gave me the flag, and I've never trusted extensions since. The server here should have learned that lesson too: a filename's extension says nothing about what the file actually contains, and a check that only runs in the browser is no check at all.