Name: Login Support Team
Description: Log in with the support team’s original user credentials without applying SQL Injection or any other bypass.
Difficulty: 6 star
Category: Security Misconfiguration
Expanded Description: https://pwning.owasp-juice.shop/part2/security-misconfiguration.html
Keepass2, keepass2john, johntheripper
This challenge was completed out of order. I’ve been going sequentially by the star ratings thus far, but the .kdbx file I downloaded during my Poison Null Byte data acquisition spree taunted me every time I opened up my Juice Shop folder, so I decided to solve this challenge. I just wanted to move that file from the “Active Challenges” folder to the “Completed Challenges” folder.
To start, visit the FTP page and, using the Poison Null Byte trick, steal the file named “incident-support.kdbx”.
Now that we have the KeePass2 file, it’s time to crack the master password. Translating the file into a format we can hit with johntheripper is easy, as there’s a tool specifically written to accomplish that task.
Then it’s just a matter of applying johntheripper and RockYou to crack the password.
Ugh. Unicode. OK, whatever. 6 star challenges ain’t sh*t.
… but no login occurred. Time to start looking at the code to see what secrets it holds.
What on earth is a Caoimhe?
Irish girls. My old nemeses.
But what Irish girl is on Juice Shop? Admittedly, this is where the Solutions Guide came in handy. It turns out that in the carousel of photos in the “About Us” tab, a lone redhead’s image appears.
After finding where that image was stored using Inspect Element and downloading it, I then tried to use it as the key file for the incident-support.kdbx file.
Thankfully KeePass2 lets you double click on passwords to copy them, rather than making me type out that whole string.
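Why the conversion step earlier works offline: a KDBX file keeps its outer header unencrypted, including the seeds and the key-derivation work factor, so whoever holds the file can test guesses at their own pace. The following is an added example (not code from the original post or from KeePass) that parses that header and checks the AES-KDF round count against a minimum; `below_policy`, `min_rounds` and the `SAMPLE` bytes are assumptions constructed for illustration.

```python
import struct

KDBX_SIG = (0x9AA2D903, 0xB54BFB67)  # KeePass 2.x signature pair
NAMES = {4: "master_seed", 5: "transform_seed", 6: "transform_rounds",
         7: "encryption_iv", 9: "stream_start_bytes"}

def parse_kdbx_header(data: bytes) -> dict:
    """Parse the unencrypted outer header of a KDBX 3.x/4.x file."""
    if len(data) < 12:
        raise ValueError("too short for a KDBX header")
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != KDBX_SIG:
        raise ValueError("not a KeePass 2.x database")
    len_fmt = "<H" if major < 4 else "<I"  # KDBX 4 widened the length field
    len_size = struct.calcsize(len_fmt)
    out, pos = {"version": (major, minor)}, 12
    while True:
        if pos + 1 + len_size > len(data):
            raise ValueError("truncated header")
        field_id = data[pos]
        (length,) = struct.unpack_from(len_fmt, data, pos + 1)
        start = pos + 1 + len_size
        pos = start + length
        if pos > len(data):
            raise ValueError("truncated header field")
        if field_id == 0:  # end-of-header marker
            break
        name, value = NAMES.get(field_id), data[start:pos]
        if name == "transform_rounds" and length == 8:
            value = struct.unpack("<Q", value)[0]
        if name:
            out[name] = value
    return out

def below_policy(header: dict, min_rounds: int) -> bool:
    """True when AES-KDF rounds are under min_rounds (an assumed local policy)."""
    rounds = header.get("transform_rounds")
    if not isinstance(rounds, int):
        raise ValueError("no transform_rounds field in outer header")
    return rounds < min_rounds

def _field(fid: int, value: bytes) -> bytes:
    return bytes([fid]) + struct.pack("<H", len(value)) + value

# Constructed KDBX 3.1 header with zeroed seeds; not a real database.
SAMPLE = (struct.pack("<IIHH", *KDBX_SIG, 1, 3) + _field(2, bytes(16))
          + _field(4, bytes(32)) + _field(5, bytes(32))
          + _field(6, struct.pack("<Q", 6000)) + _field(7, bytes(16))
          + _field(9, bytes(32)) + _field(0, b"\r\n\r\n"))
```

Nothing from a key file is stored in this header, so a key file only adds protection if it is not itself reachable by whoever obtains the database.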
Prevention and Mitigation Strategies:
OWASP Authentication Cheat Sheet
Lessons Learned and Things Worth Mentioning:
- In hindsight only, I adore problems that grab my attention and don’t let go. For whatever reason, I saw the KeePass2 .kdbx file and just couldn’t stay away from this challenge. I immediately decided I wanted to know how hard it would be to break into that file. Now I know, and feel much better about my password manager. Without getting the master password or key file via KeeFarce, this was a real hassle in the best possible way.
- I don’t particularly like using the Solutions Guide as a crutch, but like I said in the first post, this is about learning more than demonstration of mastery. I’m a solid 3.5-4 star challenge hacker, and for having never even used nmap or Burp Suite four months ago that isn’t nothing.