Hacking OWASP’s Juice Shop Pt. 61: Leaked Access Logs

Challenge:

Name: Leaked Access Logs

Description: Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)

Difficulty: 5 star

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide

Methodology:

The expanded description for this challenge is borderline explicit in how to begin this challenge. It mentions “a very popular help platform for developers”. Soooo Stack Overflow. After (checking the first solution guide bullet point to get the correct tag and…) a brief search, a pair of questions popped out at me. From spending so much time with the Developer Backup, I knew that “morgan” was a part of Juice Shop.

e, stack overflow
Ask a Question
169. 228. 10.248
169. 228. 10.248
169. 228. 10.248
169. 228. 10.248
169. 228. 10.248
169. 228.10.248
Products
For Teams
Searclv
Asked 1 year, 5 months ago
Active 1 year, 5 months ago
Viewed 511 times
Home
puaLlC
Stack Overflow
THE COMPETITION
Tags
users
FIND A Joa
Jobs
Companies
TEAMS
learn more
Report this
I am using to log HTTP requests and get log output like
What's this?
3
R
[27/ Jan/2019 39
[27/ Jan/2019 : 11.
• 40
[27/ : 11.
• 40
[27/ : 11.
• 40
• 40
[27/ : 11.
• 40
"POST /api,'Users/ HTTP/I.I" 400
92
"GET /rest/user/whoami HTTP/I.I"
30
"POST /rest/user/login HTTP/I.I"
20
"GET /rest/continue-code HTTP/I. 1'
"GET /rest/user/whoami HTTP/I.I"
20
"GET
Free 30 Day Trial
(see brps://pastebin.com/4UIVICJju for more)
Can I somehow reduce the verbosity of these logs? I am totally not interested in the browser
information for example. Thanks in advance for your help!
apache logging access-log morgan
share improve this question follow
asked Jul 16 '19 at 15:57
bkimminich
381 .2

The Pastebin link lined up perfectly with another part of the expanded description, which mentioned “a platform often used to share data quickly”.

Knowing that I was searching for a password, and also that the password reset link contains the word “current”, I searched the paste file and found both the current and new passwords for an unknown user.

225.
161.194.17 .193
+9906] "GET
. .k8 HTTP/I.I" 401 39 "http://10ca1host:3ß@9/"
Nexus 5X) ApplewebKit/537.36 (KHTML, like Gecko) Chrome/71.ß.3578.99 Mobile
"Mozi11a/5.e (Linux; Android 8.1.9;
safari/537 .36"

Then it was a matter of setting up a Burp Suite Intruder Sniper attack to try a password spraying attack.

Dashboard
Target
Target
Payloads
tru der
Options
Repeater
Sequencer
Decoder
Comparer
Extender
Project c
O Payload Positions
Configure the positions where payloads will be inserted into the base request The attack type determines the w.
Attack type Sniper
POST ,'rest/user/login HI-rp/l.l
Host: local host 3000
User-Agent: MoziIIa/S.O (X
11; Linux x86 64;
application/ j son, text/ plain,
Accept
Accept -Language: en-lJS, en; q=O.S
Accept -Encoding: gzip, deflate
Content -Type: application/ j son
Content -Length: 49
Origin: http
// I Ocal host 3000
Connection: close
Referer: http
// I Ocal host 3000/
rv.78.o)
Gecko,'20100101 Firefox,'78.o
12
14
Cookie: language=en; welcomebanner status=dismiss;
cookieconsent status=dismiss,
contil
Q9ushYt NUXHVuLhkt 91QTbcms3FzinfuspHzu6t1 cm slFaiafJsbu8Russhj Rt vycbx1g6C8Ziqj
=G-e3H196hqr0LNffAAAD
Siim@j uice-sh.op5
email
passwo rd
sj aJasj . k"}

"su It Target
Positions
Filter: Showing all items
Payload
Request
112934@juice-slmop
Payloads
Options
tatu
401
Error
o
o
o
o
o
o
o
o
o
o
o
o
o
Timeout
o
o
o
o
o
o
o
o
o
o
o
o
o
Length
Comme
accountant@juice-slmop
bender@juice-slmop
bjoerm
bjoern@juice-slmop
bjoern@owasmorg
chris pike@juice-slmop
ciso@juice-slmop
demo
emma@juice-slmop
jim@juice-slmop
john@juice-slmop
morty@juice-slmop

No luck. OK, back to the paste to see if something’s wrong there.

The “new” and “repeat” fields were filled in differently, meaning that the “current” password was almost certainly still the current password.

Dashboard
Target
Payloads
Repeater
Options
Sequencer
Decoder
Comparer
Extender
Project
Target
ositio
O Payload Positions
Configure the positions where payloads will be inserted into the base request The attacktype determines the v,
Attack type Sniper
1 POST /rest/user/login HTTP/I.I
Host: local host 3000
User-Agent: MoziIIa/S.O (X
11; Linux x86 64;
application/ j son, text/ plain,
4 Accept
S Accept -Language: en-lJS,
Accept -Encoding: gzip, deflate
7 Content -Type: application/ j son
Content -Length: 49
Origin: http
// I Ocal host 3000
10 Connection: close
Referer: http://localhost : 3000/
rv.78.o)
Gecko,'20100101 Firefox,'78.o
12 Cookie: language=en; welcomebanner status=dismiss;
cookieconsent status=dismiss,
cont]
Q9ushYt NUXHVuLhkt 91QTbcms3FzinfvspHzu6t1 vycbx1g6C8Ziqj
=G-e3H196hqr0LNffAAAD
gj im@j uice-sh.0pS
14 {"email
password
Fg1L6t '61

And yet it was not. The percent signs, however, indicate that the passwords I had scraped from the paste file were URL encoded, so I used Burp Suite’s Decoder to decode the password back into plain text.

Target
ositio
Payloads
Options
O Payload Positions
Configure the positions where payloads will be inserted into the base request The attack type determines th
Attack Sniper
POST /rest/user/login HTTP/I.I
Host: local host 3000
User-Agent: MoziIIa/S.O (X
11; Linux x86 64;
application/ j son, text/ plain, * / *
Accept
Accept -Language: en-lJS, en; q=O.S
Accept -Encoding: gzip, deflate
Content -Type: application/ j son
Content -Length: 49
Origin: http
// I Ocal host 3000
Connection: close
Referer: http
// I Ocal host 3000/
rv.78.o)
Gecko,'20100101 Firefox,'78.o
12
14
Cookie: language=en; welcomebanner status=dismiss;
cookieconsent status=dismiss; cot
Q9ushYt NUXHVuLhkt 91QTbcms3FzinfvspHzu6t1 Rt VYcbx1g6C8Z:
=G-e3H196hqr0LNffAAAD
Sjim@j ulce-sh. OPS
email
password

Of course one of the encoded characters would be the delimiter for Burp’s Intruder. With Burp off the table, I began manually cycling through the user table’s email addresses, using the login form until I found the right email address.

Login
J12934@juice-sh.op
Password
Forgot your password?
Log in
Remember me
G Log in with Google
Not yet a customer?

You successfully solved a challenge: Leaked Access Logs (Dumpster dive the Internet for a leaked password and log in to
the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)) X

Prevention and Mitigation Strategies:

OWASP Credential Stuffing Prevention Cheat Sheet

Lessons Learned and Things Worth Mentioning:

Always check for URL encoding.
Sometimes all it takes is a small hint above the expanded description to make the rest of the challenge come together.

Curiosity Kills Colby

Northwestern Misadventures

Hacking OWASP’s Juice Shop Pt. 61: Leaked Access Logs

Leave a Reply Cancel reply

Share this:

Like this:

Related

Leave a Reply Cancel reply