Hacking OWASP’s Juice Shop Pt. 61: Leaked Access Logs

Challenge: 

Name: Leaked Access Logs

Description: Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)

Difficulty: 5 star

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide 

Methodology: 

The expanded description for this challenge is borderline explicit in how to begin this challenge. It mentions “a very popular help platform for developers”. Soooo Stack Overflow. After (checking the first solution guide bullet point to get the correct tag and…) a brief search, a pair of questions popped out at me. From spending so much time with the Developer Backup, I knew that “morgan” was a part of Juice Shop.

e, stack overflow 
Ask a Question 
169. 228. 10.248 
169. 228. 10.248 
169. 228. 10.248 
169. 228. 10.248 
169. 228. 10.248 
169. 228.10.248 
Products 
For Teams 
Searclv 
Asked 1 year, 5 months ago 
Active 1 year, 5 months ago 
Viewed 511 times 
Home 
puaLlC 
Stack Overflow 
THE COMPETITION 
Tags 
users 
FIND A Joa 
Jobs 
Companies 
TEAMS 
learn more 
Report this 
I am using to log HTTP requests and get log output like 
What's this? 
3 
R 
[27/ Jan/2019 39 
[27/ Jan/2019 : 11. 
• 40 
[27/ : 11. 
• 40 
[27/ : 11. 
• 40 
• 40 
[27/ : 11. 
• 40 
"POST /api,'Users/ HTTP/I.I" 400 
92 
"GET /rest/user/whoami HTTP/I.I" 
30 
"POST /rest/user/login HTTP/I.I" 
20 
"GET /rest/continue-code HTTP/I. 1' 
"GET /rest/user/whoami HTTP/I.I" 
20 
"GET 
Free 30 Day Trial 
(see brps://pastebin.com/4UIVICJju for more) 
Can I somehow reduce the verbosity of these logs? I am totally not interested in the browser 
information for example. Thanks in advance for your help! 
apache logging access-log morgan 
share improve this question follow 
asked Jul 16 '19 at 15:57 
bkimminich 
381 .2

The Pastebin link lined up perfectly with another part of the expanded description, which mentioned “a platform often used to share data quickly”.

PASTEBIN 
GO 
Untitled 
—i A GUEST 
JAN 27TH, 2019 
2,229 
API 
TOOLS 
NEVER 
FAQ 
Not a member of Pastebln yet? Sign up, it unlocks many cool features! 
raw download clone embed 
f SHARE 
"WEE' 
print report 
Apache Log 57.36 KB 
169.228.10.248 
"http : //localhost 
safari/537 .36" 
169.228.10.248 
: 11 . 
•15 +9906] "GET /rest/admin/application-contiguration HTTP/I.I" 299 9253 
: 30ß0/" 
"Mozi11a/5 . e 
: 11 . 
"Mozi11a/5.e (Windows NT 10.9; Win64; 
169.228.10.248 
"http : //localhost 
safari/537 .36" 
169.228.10.248 
"http : //localhost 
safari/537 .36" 
169.228.10.248 
"http : //localhost 
: 3060/" 
"Mozi11a/5. e 
: 30ß0/" 
"Mozi11a/5 . e 
: 3060/" 
"Mozi11a/5. e 
(Windows NT 10.9; Win64; x64) ApplewebKit/537.36 (KHTML, like Gecko) Chrome/71.9.3578.98 
•15 +9906] "GET /rest/admin/application-version HTTP/I.I" 269 28 "http://localhost:3099/" 
x64) ApplewebKit/537.36 (KHTML, like Gecko) Chrome/71.9.3578.98 safari/537.36" 
•15 +9906] "GET /rest/admin/application-contiguration HTTP/I.I" 304 
(Windows NT 10.9; Win64; x64) ApplewebKit/537.36 (KHTML, like Gecko) Chrome/71.9.3578.98 
"GET HTTP/I.I" 2߀ 570 
(Windows NT 10.9; Win64; x64) ApplewebKit/537.36 (KHTML, like Gecko) Chrome/71.9.3578.98 
•15 +9906] "GET /rest/admin/application-contiguration HTTP/I.I" 304 
(Windows NT 10.9; Win64; x64) ApplewebKit/537.36 (KHTML, like Gecko) Chrome/71.9.3578.98

Knowing that I was searching for a password, and also that the password reset link contains the word “current”, I searched the paste file and found both the current and new passwords for an unknown user.

225. 
161.194.17 .193 
+9906] "GET 
. .k8 HTTP/I.I" 401 39 "http://10ca1host:3ß@9/" 
Nexus 5X) ApplewebKit/537.36 (KHTML, like Gecko) Chrome/71.ß.3578.99 Mobile 
"Mozi11a/5.e (Linux; Android 8.1.9; 
safari/537 .36"

Then it was a matter of setting up a Burp Suite Intruder Sniper attack to try a password spraying attack.

Dashboard 
Target 
Target 
Payloads 
tru der 
Options 
Repeater 
Sequencer 
Decoder 
Comparer 
Extender 
Project c 
O Payload Positions 
Configure the positions where payloads will be inserted into the base request The attack type determines the w. 
Attack type Sniper 
POST ,'rest/user/login HI-rp/l.l 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
Accept 
Accept -Language: en-lJS, en; q=O.S 
Accept -Encoding: gzip, deflate 
Content -Type: application/ j son 
Content -Length: 49 
Origin: http 
// I Ocal host 3000 
Connection: close 
Referer: http 
// I Ocal host 3000/ 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
12 
14 
Cookie: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss, 
contil 
Q9ushYt NUXHVuLhkt 91QTbcms3FzinfuspHzu6t1 cm slFaiafJsbu8Russhj Rt vycbx1g6C8Ziqj 
=G-e3H196hqr0LNffAAAD 
Siim@j uice-sh.op5 
email 
passwo rd 
sj aJasj . k"}
"su It Target 
Positions 
Filter: Showing all items 
Payload 
Request 
112934@juice-slmop 
Payloads 
Options 
tatu 
401 
Error 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
Timeout 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
o 
Length 
Comme 
accountant@juice-slmop 
bender@juice-slmop 
bjoerm 
bjoern@juice-slmop 
bjoern@owasmorg 
chris pike@juice-slmop 
ciso@juice-slmop 
demo 
emma@juice-slmop 
jim@juice-slmop 
john@juice-slmop 
morty@juice-slmop

No luck. OK, back to the paste to see if something’s wrong there.

2 .k81

The “new” and “repeat” fields were filled in differently, meaning that the “current” password was almost certainly still the current password.

Dashboard 
Target 
Payloads 
Repeater 
Options 
Sequencer 
Decoder 
Comparer 
Extender 
Project 
Target 
ositio 
O Payload Positions 
Configure the positions where payloads will be inserted into the base request The attacktype determines the v, 
Attack type Sniper 
1 POST /rest/user/login HTTP/I.I 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
4 Accept 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
7 Content -Type: application/ j son 
Content -Length: 49 
Origin: http 
// I Ocal host 3000 
10 Connection: close 
Referer: http://localhost : 3000/ 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
12 Cookie: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss, 
cont] 
Q9ushYt NUXHVuLhkt 91QTbcms3FzinfvspHzu6t1 vycbx1g6C8Ziqj 
=G-e3H196hqr0LNffAAAD 
gj im@j uice-sh.0pS 
14 {"email 
password 
Fg1L6t '61

And yet it was not. The percent signs, however, indicate that the passwords I had scraped from the paste file were URL encoded, so I used Burp Suite’s Decoder to decode the password back into plain text.

Target 
ositio 
Payloads 
Options 
O Payload Positions 
Configure the positions where payloads will be inserted into the base request The attack type determines th 
Attack Sniper 
POST /rest/user/login HTTP/I.I 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, * / * 
Accept 
Accept -Language: en-lJS, en; q=O.S 
Accept -Encoding: gzip, deflate 
Content -Type: application/ j son 
Content -Length: 49 
Origin: http 
// I Ocal host 3000 
Connection: close 
Referer: http 
// I Ocal host 3000/ 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
12 
14 
Cookie: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss; cot 
Q9ushYt NUXHVuLhkt 91QTbcms3FzinfvspHzu6t1 Rt VYcbx1g6C8Z: 
=G-e3H196hqr0LNffAAAD 
Sjim@j ulce-sh. OPS 
email 
password

Of course one of the encoded characters would be the delimiter for Burp’s Intruder. With Burp off the table, I began manually cycling through the user table’s email addresses, using the login form until I found the right email address.

Login 
J12934@juice-sh.op 
Password 
Forgot your password? 
Log in 
Remember me 
G Log in with Google 
Not yet a customer?
You successfully solved a challenge: Leaked Access Logs (Dumpster dive the Internet for a leaked password and log in to 
the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)) X

Prevention and Mitigation Strategies:

OWASP Credential Stuffing Prevention Cheat Sheet

Lessons Learned and Things Worth Mentioning:

  1. Always check for URL encoding.
  2. Sometimes all it takes is a small hint above the expanded description to make the rest of the challenge come together.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s