Juice Shop

tryhackme.com - © TryHackMe

🌐 Resources 🔗


Enumeration


  • Admin login - SQL injection in the email field of the login request body (either payload works):

{"email":"' or 1=1--","password":"aa"}

{"email":"[email protected]'--","password":"a"}
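Both payloads work because the login handler splices the email field straight into its SQL text. The model below is an added example, not Juice Shop's code or the room's: the in-memory Users table, the addresses admin@shop.test and jim@shop.test, and the unsalted hash are all constructed stand-ins. It shows the exact query each payload produces, why both return the first (admin) row, and that a parameterized query treats the quote and the `--` as plain characters.

```python
import hashlib
import sqlite3


def password_hash(password: str) -> str:
    # Unsalted hash only to keep the example short; it is not a recommendation.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Users table; rows and addresses are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [
            (1, "admin@shop.test", password_hash("admin-secret"), "admin"),
            (2, "jim@shop.test", password_hash("jim-secret"), "customer"),
        ],
    )
    return db


DB = build_db()


def vulnerable_query(email: str, password: str) -> str:
    """The bug: the attacker-controlled email is interpolated into the SQL text."""
    return (
        "SELECT id, email, role FROM Users "
        f"WHERE email = '{email}' AND password = '{password_hash(password)}'"
    )


def login_vulnerable(email: str, password: str):
    """Returns the first matching row, so "' or 1=1--" yields the admin (lowest id);
    "admin@shop.test'--" comments the password check out entirely."""
    return DB.execute(vulnerable_query(email, password)).fetchone()


def login_safe(email: str, password: str):
    """Parameterized: the quote and '--' in the payload are compared to the column, not parsed."""
    return DB.execute(
        "SELECT id, email, role FROM Users WHERE email = ? AND password = ?",
        (email, password_hash(password)),
    ).fetchone()


if __name__ == "__main__":
    for email, pw in (("' or 1=1--", "aa"), ("admin@shop.test'--", "a")):
        print(vulnerable_query(email, pw))
        print("  vulnerable ->", login_vulnerable(email, pw), "| safe ->", login_safe(email, pw))
```

The first payload closes the string, ORs in a tautology and comments out the rest of the WHERE clause; the second needs no tautology because it names the victim directly, which is why it logs in as that specific account rather than whichever row happens to come first.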


Broken Authentication - Brute force

  • Send the login request to Intruder (Burp Suite) and brute-force the password field with /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt
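The Intruder run above is a loop over the wordlist that stops at the first response that looks like a successful login. The script below is an added example, not part of the room or of Juice Shop: fake_login_server stands in for the login endpoint (its 200-with-token versus 401 behaviour, the address admin@shop.test and the secret are assumptions), SAMPLE_WORDS is a constructed mini wordlist, and read_wordlist shows how the real best1050.txt would be streamed in its place.

```python
import json
from collections.abc import Callable, Iterable
from typing import Optional, Tuple

Sender = Callable[[dict], Tuple[int, dict]]


def fake_login_server(secret: str) -> Sender:
    """Constructed stand-in for the login endpoint: 200 plus a token on success, 401 otherwise."""
    def send(body: dict) -> Tuple[int, dict]:
        if body.get("email") == "admin@shop.test" and body.get("password") == secret:
            return 200, {"authentication": {"token": "constructed.jwt.value"}}
        return 401, {"error": "Invalid email or password."}
    return send


def brute_force(send: Sender, email: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try candidates in order; success is HTTP 200 carrying an authentication token.
    Returns (password_or_None, attempts) so the caller sees how far into the list it got."""
    attempts = 0
    for password in candidates:
        attempts += 1
        status, body = send({"email": email, "password": password})
        if status == 200 and "authentication" in body:
            return password, attempts
    return None, attempts


def read_wordlist(path: str) -> Iterable[str]:
    """Stream a SecLists-style wordlist; latin-1 avoids decode errors on non-UTF-8 entries."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


# Constructed mini wordlist standing in for best1050.txt.
SAMPLE_WORDS = ["123456", "password", "admin", "letmein", "qwerty"]


if __name__ == "__main__":
    found, tries = brute_force(fake_login_server("letmein"), "admin@shop.test", SAMPLE_WORDS)
    print(json.dumps({"password": found, "attempts": tries}))
```

Keying success on the status code plus the presence of a token, rather than on response length alone, is the same distinction you would configure in Intruder's result filter; a length-only sort is easy to fool when error pages vary.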


  • Publicly accessible FTP directory at /ftp

  • Find the password of [email protected]

    • listen - https://www.youtube.com/watch?v=v59CX2DiX0Y

Poison Null Byte

URL Encoding and Null Bytes:

  • In URLs, the null byte (\x00) is encoded as %00.

  • Some web servers and applications improperly decode %00, interpreting it as a null byte, which can terminate strings prematurely.

Mismatch in Validation vs. Execution:

  • During validation, the application might check the entire string.

  • During execution, if the backend uses C-style string handling, the string stops at the null byte.

  • This mismatch can cause security checks to be bypassed.

The %2500 encoding is an extra layer of encoding:

  • %25 is the URL encoding of %, so one decoding pass turns %2500 into %00, and a second pass turns that into the null byte.

  • This is needed when a server or filter blocks a literal %00 but the value is decoded again further downstream: the double-encoded %2500 passes the filter and still ends up as a null byte where it matters.
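The validation/execution mismatch and the double-decoding trick, modelled in Python as an added example (not Juice Shop's code): the WAF, the one-decode-then-validate-then-decode-again pipeline, the allowed suffix list and the file name package.json.bak are all assumptions made for the illustration. The C-style consumer is real, though: ctypes.c_char_p.value reads the buffer with strlen semantics, so it stops at the first NUL exactly as a C backend would.

```python
import ctypes
from urllib.parse import unquote

ALLOWED_SUFFIXES = (".md", ".pdf")  # what the validation layer is willing to serve (assumed policy)


def url_decode(value: str, rounds: int = 1) -> str:
    """Apply percent-decoding `rounds` times (each hop in the pipeline may decode once)."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def waf(raw_path: str) -> bool:
    """Edge filter that rejects a literal %00 but knows nothing about double encoding."""
    return "%00" in raw_path.lower()


def validate(name: str) -> bool:
    """Validation layer: Python sees the whole string, NUL included, so the suffix check passes."""
    return name.endswith(ALLOWED_SUFFIXES)


def c_string_view(name: str) -> str:
    """Execution layer with C semantics: c_char_p.value reads up to the first NUL and stops."""
    return ctypes.c_char_p(name.encode()).value.decode()


def serve(raw_path: str) -> str:
    """Models the pipeline: WAF on the raw URL, one decode before validation, one more before use."""
    if waf(raw_path):
        return "blocked"
    once = url_decode(raw_path)      # router decodes %2500 -> %00
    if not validate(once):
        return "forbidden"
    twice = url_decode(once)         # a second decode downstream turns %00 into \x00 (assumed)
    return c_string_view(twice)      # the C-style consumer stops at the NUL


if __name__ == "__main__":
    for p in ("report.md", "package.json.bak", "package.json.bak%00.md", "package.json.bak%2500.md"):
        print(f"{p:32} -> {serve(p)!r}")
```

The last case is the whole attack: the string that validation sees ends in .md, the string the file layer uses ends at the NUL. Whether a single %00 is enough or %2500 is required depends only on how many decoding hops sit between the filter and the consumer.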


Go to http://10.10.212.2/main-es2015.js (the Angular bundle, which carries the client-side route table)

  • F12 Dev Tools - Sources - main-es2015.js

    • Search for path: "administration"

    • go to http://10.10.212.2/#/administration
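Searching the bundle for `path:` by hand is fine for one route; the script below automates it and is an added example, not tooling from the room or from Juice Shop. BUNDLE is a constructed excerpt that imitates a minified Angular route table (the component and guard names are made up), so the only thing taken from the page is the hash-router URL shape http://host/#/route.

```python
import re

# Constructed excerpt imitating a minified Angular route table; not the real main-es2015.js.
BUNDLE = (
    'const routes=[{path:"administration",component:AdministrationComponent,canActivate:[AdminGuard]},'
    '{path:"accounting",component:AccountingComponent,canActivate:[AccountingGuard]},'
    "{path:'basket',component:BasketComponent},"
    '{path:"score-board",component:ScoreBoardComponent},'
    '{path:"track-result",component:TrackResultComponent},'
    '{path:"**",component:SearchResultComponent}];'
)

# One route object: {path:"...", ...} up to its closing brace (route objects in the bundle are flat).
ROUTE_RE = re.compile(r"""\{\s*path\s*:\s*(['"])(?P<path>.*?)\1(?P<rest>[^}]*)\}""")


def extract_routes(bundle: str) -> list[str]:
    """Unique route paths in bundle order, skipping the wildcard catch-all."""
    paths = []
    for m in ROUTE_RE.finditer(bundle):
        p = m.group("path")
        if p and p != "**" and p not in paths:
            paths.append(p)
    return paths


def guarded_routes(bundle: str) -> list[str]:
    """Paths whose route object carries a canActivate guard: client-side only, so first targets
    for checking whether the backing REST endpoints enforce the same restriction."""
    return [m.group("path") for m in ROUTE_RE.finditer(bundle) if "canActivate" in m.group("rest")]


def spa_urls(base: str, paths: list[str]) -> list[str]:
    """Hash-router URLs as typed into the browser, e.g. http://host/#/administration."""
    return [f"{base.rstrip('/')}/#/{p}" for p in paths]


if __name__ == "__main__":
    for url in spa_urls("http://10.10.212.2", extract_routes(BUNDLE)):
        print(url)
    print("guarded:", guarded_routes(BUNDLE))
```

A canActivate guard only stops the Angular router from rendering the page; it says nothing about the server. Every guarded route is therefore a prompt to call the REST endpoints behind it directly with an ordinary user's session.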

To view another user's shopping basket, go to http://10.10.212.2/#/basket

  • intercept the basket request and change it to GET /rest/basket/2 (another user's basket id; the server returns it without checking that the basket belongs to the logged-in user)
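The basket swap is an insecure direct object reference: the handler trusts the id in the URL and never ties it to the session. The Python below is an added example, not Juice Shop's code; BASKETS, the owners and the items are constructed data. It places the vulnerable lookup beside the fixed one and includes the probe a tester performs by hand when editing the id in Burp.

```python
# Constructed basket store keyed by basket id; owners and contents are made-up data.
BASKETS = {
    1: {"owner": "admin@shop.test", "items": ["Apple Juice"]},
    2: {"owner": "jim@shop.test", "items": ["Banana Juice", "Lemon Juice"]},
    3: {"owner": "bender@shop.test", "items": []},
}


def get_basket_vulnerable(session_user: str, basket_id: int):
    """Trusts the id from the URL: any logged-in user reads any basket (the IDOR)."""
    return BASKETS.get(basket_id)


def get_basket_fixed(session_user: str, basket_id: int):
    """Ties the lookup to the session. Missing and foreign baskets both yield None so the
    response does not reveal which ids exist."""
    basket = BASKETS.get(basket_id)
    if basket is None or basket["owner"] != session_user:
        return None
    return basket


def probe_idor(fetch, session_user: str, ids) -> list[int]:
    """What editing GET /rest/basket/<id> does by hand: walk ids, list foreign baskets returned."""
    return [
        bid for bid in ids
        if (b := fetch(session_user, bid)) is not None and b["owner"] != session_user
    ]


if __name__ == "__main__":
    print("vulnerable leaks:", probe_idor(get_basket_vulnerable, "jim@shop.test", range(1, 6)))
    print("fixed leaks:     ", probe_idor(get_basket_fixed, "jim@shop.test", range(1, 6)))
```

Returning the same "not found" answer for a foreign basket and a non-existent one is deliberate: a distinct 403 would still confirm which ids are in use, which is enough to enumerate customers.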

Go to http://machine_ip/#/administration

  • Delete all 5-star reviews from the customer feedback list


DOM XSS (Special)

  • Document Object Model-based Cross-site Scripting

Input the following payload in the search bar; the search term is rendered into the page's DOM on the client side, which is what makes this DOM-based:

  • XFS (Cross-Frame Scripting): the payload is an iframe

Persistent (Server-side)

With admin, go to http://10.10.212.2/#/privacy-security/last-login-ip

  • turn Burp Intercept on, then log out

  • for the GET /rest/saveLoginIp request, go to the Headers tab and add a new header, True-Client-IP, with the XSS payload as its value

  • Forward the request

  • Sign back in as admin and revisit the "Last Login IP" page: the stored payload is rendered and the XSS alert fires

  • The True-Client-IP header plays the same role as X-Forwarded-For: both tell the server or proxy the client's IP address. Because the value is stored and later rendered without sanitization, an XSS payload placed in the header executes on the Last Login IP page (persistent XSS)

Reflected (Client-side)

With admin, go to http://10.10.212.2/#/order-history

  • click truck icon - http://10.10.212.2/#/track-result?id=5267-8f615dcb73f36818

  • Use the following iframe XSS in place of 5267-8f615dcb73f36818

  • Submit the URL and refresh the page: an alert displaying "XSS" appears

  • The server looks the tracking ID up (in a lookup table or database, depending on its configuration) and the id value is reflected back into the result page without sanitization, so the payload in the id parameter executes (reflected XSS)
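All three XSS steps on this page (the search term for the DOM-based case, the True-Client-IP header for the persistent case, the track-result id for the reflected case) share one detection angle: a value that should be an address or an identifier contains markup. The detector below is an added example, not Juice Shop code or a TryHackMe artefact. SAMPLE_REQUESTS are constructed proxy-history style records, not captured traffic; the search route /#/search?q= and the header values are assumptions; the id 5267-8f615dcb73f36818 is the benign value from the page.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed records in the shape of a proxy history (URL + request headers); not captured traffic.
SAMPLE_REQUESTS = [
    {"url": "http://10.10.212.2/rest/saveLoginIp",
     "headers": {"True-Client-IP": '<iframe src="javascript:alert(`xss`)">'}},
    {"url": "http://10.10.212.2/#/track-result?id=5267-8f615dcb73f36818", "headers": {}},
    {"url": "http://10.10.212.2/#/track-result?id=%3Ciframe%2520src%3D%22javascript%3Aalert%28%60xss%60%29%22%3E",
     "headers": {}},
    {"url": "http://10.10.212.2/#/search?q=%3Ciframe%20src%3D%22javascript%3Aalert%28%60xss%60%29%22%3E",
     "headers": {}},
    {"url": "http://10.10.212.2/rest/saveLoginIp",
     "headers": {"X-Forwarded-For": "203.0.113.7, 198.51.100.2"}},
    {"url": "http://10.10.212.2/rest/saveLoginIp", "headers": {"True-Client-IP": "evil.example"}},
]

IP_HEADERS = {"true-client-ip", "x-forwarded-for", "x-real-ip"}
XSS_RE = re.compile(r"<\s*[a-z/!]|javascript\s*:|\bon[a-z]+\s*=", re.I)


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2500-style double encoding cannot hide a payload."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_ip_list(value: str) -> bool:
    """X-Forwarded-For may carry a comma-separated chain; every element must parse as an address."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())
        return True
    except ValueError:
        return False


def params_from(url: str) -> list[tuple[str, str]]:
    """Parameters from the real query string and from a hash-router fragment (/#/page?id=...)."""
    parts = urlsplit(url)
    raw = [parts.query]
    if "?" in parts.fragment:
        raw.append(parts.fragment.split("?", 1)[1])
    params = []
    for chunk in raw:
        params.extend(parse_qsl(chunk, keep_blank_values=True))
    return params


def scan(req: dict) -> list[tuple[str, str]]:
    """Findings as (location, reason). Client-IP headers must be addresses; anything else is suspect."""
    findings = []
    for name, value in req["headers"].items():
        if name.lower() not in IP_HEADERS:
            continue
        if XSS_RE.search(full_decode(value)):
            findings.append((f"header:{name}", "xss-pattern"))
        elif not is_ip_list(value):
            findings.append((f"header:{name}", "not-an-ip"))
    for key, value in params_from(req["url"]):
        if XSS_RE.search(full_decode(value)):
            findings.append((f"param:{key}", "xss-pattern"))
    return findings


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["url"], "->", scan(req) or "clean")
```

Two practical points fall out of the sample set. The type check on True-Client-IP (is it an address at all?) catches the header abuse without any payload signature, which is the cheaper rule to ship. And because the id and q values sit after the `#`, browsers never send them to the server, so a server-side access log cannot show the DOM-based or reflected attempts; they are visible only in a proxy history or on the client.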


Solve the other challenges by checking http://10.10.212.2/#/score-board


Metrics challenge

http://10.10.212.2/metrics - the endpoint exposes the application's Prometheus-format metrics

