Information Security

Hacking OWASP’s Juice Shop Pt. 41: Login Support Team

Posted on by codeblue04

Challenge: 

Name: Login Support Team

Description: Log in with the support team’s original user credentials without applying SQL Injection or any other bypass.

Difficulty: 6 star

Category: Security Misconfiguration

Expanded Description: https://pwning.owasp-juice.shop/part2/security-misconfiguration.html

Tools used:

Keepass2, keepass2john, johntheripper

Resources used:

https://tzusec.com/tag/keepass2john/

Poison Null Byte

Methodology: 

This challenge was completed out of order. I’ve been going sequentially by the star ratings thus far, but the .kdbx file I downloaded during my Poison Null Byte data acquisition spree taunted me every time I opened up my Juice Shop folder, so I decided to solve this challenge, I just wanted to move that file from the “Active Challenges” folder to the “Completed Challenges” folder.

To start, visit the FTP page and, using the Poison Null Byte trick, steal the file named “incident-support.kdbx”.

—l ftp D quarantine n coupons _ 2013. md.bak n incident-support. kdbx suspicious errors.yml acquisitions.md n eastere.gg legal-md announcement_encrypted. md n encrypt.pyc n package.json .bak
Request R w Params Headers ISON web Tokens GET Host Actions ftp/incident-support . kdbx%2SOO.md HIT P/ 1.1 local host 3000

Now that we have the KeePass2 file, it’s time to crack the master password. Translating the file into a format we can hit with johntheripper is easy, as there’s a tool specifically written to accomplish that task.

Then it’s just a matter of applying johntheripper and RockYou to crack the password

ColbyökaU:-/Down10ads$ john --wordlist=/home/colby/tools/wordlists/rockyou.txt /home/Colby/Hack/Juice\ Shop/support. txt Created directory: /home/colby/. john Jsing default input encoding: UTF-8 Loaded 1 password hash (Keepass [SHA256 AES 32/64]) Cost 1 (iteration count) is 1 for all loaded hashes Cost 2 (version) is 2 for all loaded hashes Cost 3 (algorithm [ø=AES, 1=TwoFish, 2=ChaCha]) is for all loaded hashes Nitt run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status og DONE (2020-11-16 13:30) øg/s 1644Kp/s 1644KC/s 1644KC/s ..*7 i Vamos ! Session completed Col byokal i : —/Down10ads$

Ugh. Unicode. OK, whatever. 6 star challenges ain’t sh*t.

Login Email support@juice-sh.op Password Forgot your password? Log in C] Remember me G Log in with Google Not yet a customer?

… but no login occurred. Time to start looking at the code to see what secrets it holds.

hi s. router. navigate( [ " /2fa/enter" J)) ; . emailcontrol .markAspristine( ) , this. passwordControl. markAspristine( ) 'ice. isLoggedIn.next( ! 1), console.log( "aechipa de suport: Secretul nostru comun este Caoimhe cu parola de master gol!"

While searching the main JavaScript file in search of “support”, this peculiar string appears.

translate to english de suport: Secretul nostru comun este Ixeenc\u0103 Caoimhe X Q Q All @ Videos @ News About 8 results (0.77 seconds) Romanian - detected de suport: Secretul nostru comun este \xeenc\u0103 Caoimhe cu parola de master gol! Open in Google Translate Images Shopping More Settings Tools English Support: Our common secret is \ xeenc \ u0103 Caoimhe with the empty master password! Feedback

What on earth is a Caoimhe?

Caoimhe From Wikipedia, the free encyclopedia Caoimhe K(W)EE-va; Irish: ['ki:vja]), anglicised Kiva, Queeva in the Republic of Ireland or Keeva in Northern Ireland, is an Irish feminine given name derived from Irish caomh (Old Irish cöem) "dear; noble" from the same root as the masculine name Caoimhin (Kevin). As of 2014, it was ranked 19th most popular name among female births in Ireland.[21

Irish girls. My old nemeses.

But what Irish girl is on Juice Shop? Admittedly, this is where the Solutions Guide came in handy. It turns out that in the carousel of photos in the “About Us” tab, a lone redhead’s image appears.

Image Mag ick: 6.jpg

After finding where that image was stored using Inspect Element and downloading it, I then tried to use it as the key file for the incident-support.kdbx file.

incident-support.kdbx - Keepass File Group Entry Find View Tools Title prod Pin p dev Help User Name support@juice-s... incident-support a Recycle Bin General Windows Network Internet a eMail Homebanking Password URL juice-shop.hero... juice-shop-stagi... localhost:3000 Notes (The email domai... Group: incident-support, Title: prod, User Name: support@juice-sh.op, Password: URL: juice-shop.herokuapp.com, Creation Time: 12/5/2016 AM, Last Modification Time: 3/29/2017 2:47:55 AM (The email domain in the username might differ in customized installations of OWASP Juice Shop!) 1 of 3 selected Ready.

Viola!

Login Email support@juice-sh.op Passnord Forgot your password ? Log in Remember me G Log in with Google Not yet a customer?

Thankfully KeePass2 lets you double click on passwords to copy them, rather than making me type out that whole string.

You successfully solved a challenge: Login Support Team (Log in with the support team's original user credentials without applying SQL Injection or any other bypass.) X

Prevention and Mitigation Strategies:

OWASP Authentication Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

  1. In hindsight only, I adore problems that grab my attention and don’t let go. For whatever reason, I saw the KeePass2 .kdbx file and just couldn’t stay away from this challenge. I immediately decided I wanted to know how hard it would be to break into that file. Now I know, and feel much better about my password manager. Without getting the master password or key file via KeeFarce, this was a real hassle in the best possible way.
  2. I don’t particularly like using the Solutions Guide as a crutch, but like I said in the first post, this is about learning more than demonstration of mastery. I’m a solid 3.5-4 star challenge hacker, and for having never even used nmap or Burp Suite four months ago that isn’t nothing.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s