TryHackMe OWASP Juice Shop deep dive. More than a CTF walkthrough.

What is OWASP Juice Shop?
OWASP Juice Shop is a deliberately vulnerable web application for security risk awareness and training. It is an open-source project written in Node.js, Express, and Angular. There is a really good room on TryHackMe.com that covers some tasks from OWASP Juice Shop.
Accessing the website.
After you connect to the TryHackMe VPN and deploy the machine for this room, you can open the Juice Shop website using the IP address you are given. If you use the AttackBox, use the Firefox browser inside the AttackBox to access the website.
Alright, let's get to the first question of the first task. It's a very straightforward one. In any kind of application, keeping admin emails private is vital. Sadly, in this case the admin has left a review while logged in as an admin. We can assume this is the admin's email, as it contains the word "admin" alongside the website's domain. This is a very useful piece of information for attackers, and it is also the answer to our first question.
I don't think I need to explain questions 2 and 3 of this task, as they are pretty straightforward.
Now let's talk about Task 3, which focuses on injection vulnerabilities. There are many types of injection, such as SQL injection, command injection and email injection, but for the sake of this walkthrough we will be focusing on SQL injection.
What is SQL?
Before we learn about SQL injection, let's talk a little about SQL itself. SQL, or Structured Query Language, is the language used to query and manage relational databases.
For example, in a web application like this one there will be a database containing all the data about registered users. Information such as their email addresses and their passwords is stored in these databases, and SQL is used to query that data.
I'm skipping Tasks 1 and 2 in this walkthrough as they are self-explanatory.
Task 03 — Question 01
I've entered the following information as login details on the login page.

In this case, when you try to log in, the website sends an HTTP request, and a SQL query like this is executed:
SELECT * FROM Users WHERE email = 'hello@hi.com' AND password = '5b56653h55781ce581499d7b701668' AND deletedAt IS NULL
The entered email goes inside the first pair of quotes, and the password is hashed and the hash goes inside the second pair of quotes.
If we break this SQL query down, this is what it means:
Select everything (which is what the asterisk, or wildcard, means) from the Users table where the email is this and the password is this. Since the AND operator is used, both sides of the AND need to be true for the whole condition to be true, and you can only log in to the website if the whole condition is true.
However, since the data sent is not sanitized, we can abuse these SQL queries in our favour.
One way to do this is to change the HTTP request that is sent when the login button is clicked. To do this we can use a program called Burp Suite. (There is a room on TryHackMe about Burp Suite; unfortunately it is only available on the paid tier, but John Hammond has a good video about it.)
To catch a request in Burp Suite, we have to access the website through a browser configured to use Burp as its proxy, so that Burp can listen to and interfere with the requests made from that browser. You can do this with any browser, or you can use Burp Suite's built-in browser. I'll be using the built-in browser for this tutorial.

A new Chromium browser will open!
To catch an HTTP request, Intercept needs to be turned on, which it is by default. When this mode is on, every request made is intercepted by Burp and does not go through until you forward it. So we need to temporarily turn it off, because we need to load the website first.
Let's go to the website and try to log in again. Just make sure to turn Intercept on before clicking the login button. If we head to Burp Suite now, we can see that it has captured a request (if you see nothing here, try changing tabs and coming back to the Proxy tab).

(This picture was taken from my YouTube video, and I used different login credentials there.)
The email and password here are then converted into a SQL query like the one we saw before.
Now, how can we use this information to log in without knowing the password to an account? Well, we can modify the email in this request to something like the following. The password in this case can be anything; I'll explain why later.
email : "' OR 1=1--"
Now if we turn Intercept off, we can see that we are logged in as the admin and are given the flag, which is the answer to the first question in this task.

But how does this work? Well, the request we send is converted into a SQL query like this, and we can see some interesting things happening in it.
Let's break this down. First the payload closes the first pair of quotes, then adds the OR keyword followed by 1=1 and two dashes.
First, the two dashes: dashes start a comment in SQL, which means everything after them is no longer part of the query, including the part that checks the password. That is why I said the password does not matter in this case.
But the email field is still empty, and that is why the OR operator and 1=1 are there. Remember that the AND operator outputs true only if both statements are true; the OR operator outputs true if either of them is true. So even though a user with an empty email does not exist in the database, which would return false, the condition is true anyway because 1=1 is true. The whole WHERE clause is therefore true, and we are logged in as user 0, the first user in the database, which also happens to be the admin in this case.
Task 03 — Question 02
Cool. Now let's move on to the next question. This time we need to know an email. We already know some emails from the reviews, and one of those accounts is Bender's; we can see his email inside one of the reviews. We use the same method as last time, except this time we know the email address.
So for this attack we can change the HTTP request's email to something like this.
email : "bender@juice-sh.op'--"
But why don't we use 1=1 this time? Well, we already know that this email exists in the database, so we just need to comment out the part that checks the password so that the statement is true, letting us log in to Bender's account without knowing the password.
And the flag is given!
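To see exactly what both payloads (Question 01 and Question 02) do to the query, here is an added example of my own, not Juice Shop's code: it builds the login query by string concatenation the way the post describes, runs it against a constructed in-memory SQLite table, and shows that the same query with bound parameters rejects both payloads. The table rows and passwords are made up; MD5 stands in for the hashing the post describes.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for the Users table (passwords are made up).
USERS = [
    ("admin@juice-sh.op", "admin123"),
    ("bender@juice-sh.op", "bender-secret"),
]


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
                 "password TEXT, deletedAt TEXT)")
    for email, pw in USERS:  # admin is inserted first, so it is "user 0"
        conn.execute("INSERT INTO Users (email, password) VALUES (?, ?)", (email, md5(pw)))
    return conn


def build_vulnerable_query(email, password):
    # String concatenation: whatever is typed into the email box becomes SQL.
    # A ' closes the email literal, and -- comments out the password check
    # AND the deletedAt check that follows it.
    return ("SELECT * FROM Users WHERE email = '" + email + "' AND password = '"
            + md5(password) + "' AND deletedAt IS NULL")


def vulnerable_login(conn, email, password):
    # Returns the email of the account we end up logged in as, or None.
    row = conn.execute(build_vulnerable_query(email, password)).fetchone()
    return row[1] if row else None


def safe_login(conn, email, password):
    # Parameterized query: the input is bound as data and never parsed as SQL,
    # so ' and -- inside it have no special meaning.
    row = conn.execute(
        "SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL",
        (email, md5(password)),
    ).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_query("' OR 1=1--", "anything"))
    print(vulnerable_login(db, "' OR 1=1--", "anything"))          # admin@juice-sh.op
    print(vulnerable_login(db, "bender@juice-sh.op'--", "anything"))  # bender@juice-sh.op
    print(safe_login(db, "' OR 1=1--", "anything"))                # None
```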