Hacking OWASP’s Juice Shop Pt. 53: Reset Uvogin’s Password

Challenge: 

Name: Reset Uvogin’s Password

Description: Reset Uvogin’s password via the Forgot Password mechanism with the original answer to his security question.

Difficulty: 4 star

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Tools used:

Sherlock, Wayback Machine

Resources used:

Solution Guide

Methodology: 

This challenge was fun, informative, and remarkably complex. The first step, as always, was to check the expanded description, which referenced the fact that “People often reuse aliases online.” So I looked into aliases for Uvogin.

[Screenshot of the fan wiki entry for Uvogin, the late member #11 of the Phantom Troupe: the infobox lists his name in Kanji, the romaji spelling "Ubogin", and a trivia note that the official databook also spells his name "Wbererguin".]

With four potential names to look into, I got to work scouring the internet. I can’t read Kanji, so I limited my scope to Uvogin, Ubogin, and Wbererguin. Despite over an hour of searching, and asking all of the anime fans in my life for tips, I came up dry, so I broke out the Solution Guide, which pointed me to Sherlock. Sherlock, for those who aren’t familiar, is a fantastic tool for scouring social media platforms to search for usernames. I’ve used Sherlock dozens of times over the last year or so, both to show my friends how much of their lives can be aggregated almost instantaneously and to locate forgotten accounts of my own so I can either update the privacy settings or delete them outright.

Colbyakali:~/tools/programs/sherlock$ python3 sherlock uvogin
Update Available!
You are running version 0.12.9. Version 0.13.0 is available at https://git.io/sherlock
Checking username uvogin on:
[Screenshot: Sherlock listed roughly 35 sites with a profile named uvogin, from 500px, 9GAG and Academia.edu through GitHub, Instagram and MyAnimeList.]

In this case, however, there was a bit of an issue: the sheer volume of accounts using the Uvogin name and/or its aliases. Despite being unemployed at the moment, I still didn’t have the available time to search each and every one of these links for hints.

Back to the Solution Guide I went, finding the alias I would need to search for (uv0gin), as well as the domain to seek out (Twitter).

Colbyakali:~/tools/programs/sherlock$ python3 sherlock uv0gin
Checking username uv0gin on:
[Screenshot: thirteen hits, including 500px, Instagram, MyAnimeList, Reddit, TikTok, Twitch and Xbox Gamertag, plus the one that mattered:]
Twitter: https://mobile.twitter.com/uv0gin
[Screenshot of the Twitter profile: Uvogin, @uv0gin, bio "I'm done brawling with my fists, now I smash firewalls", joined April 2020, 0 following, 0 followers, 1 Tweet.]
Uvogin @uv0gin Apr 3
I thOugh7 1 fln411y f0und a r311ab13 On11n3 stOr3 for b3v3rages. Turn5 Out It's mOr3 Ilk3 a ch3ck11st of wh4t NOT to do wh3n bulld1n6 a s3cure app.

Great. Only one tweet. Using the Wayback Machine, however, there was an archived version of this page dating back to April of this year.

[Screenshot of the Internet Archive Wayback Machine calendar for https://twitter.com/uvogin/: saved 3 times, with a capture on April 3, 2020.]

Upon loading that archived page, I was met with the solution to this challenge. Then it was just a matter of filling out the Forgotten Password form and changing Uvogin’s password.

[Screenshot of the archived profile, Tweets tab]
Uvogin @uv0gin 8m
I just watched Silence of the Lambs for the 18th time and it's still just as amazing as the first. Sir Anthony Hopkins is the all-time best and there's no denying it.

You successfully solved a challenge: Reset Uvogin's Password (Reset Uvogin's password via the Forgot Password mechanism with the original answer to his security question.)

Prevention and Mitigation Strategies:

OWASP Security Question Cheat Sheet

Lessons Learned and Things Worth Mentioning:

Sherlock, while somewhat unstable at times, is a fantastic tool and is a fun way to show your friends why they should spend the time necessary to change privacy settings on their social media accounts. From EXIF data to social connections and long forgotten posts on disused platforms, Sherlock will aggregate websites with a treasure trove of personal data in mere seconds.
