TryHackMe: OWASP Juice Shop — Walkthrough

CoryBantic NSP Security
7 min read, Jun 14, 2023


TLDR: This is a walkthrough for the OWASP Juice Shop on TryHackMe. I will have screenshots, my method, and the answers.

This is meant for those that do not have their own virtual machines and want to use what is provided by TryHackMe. Before you begin this room it is recommended that you have completed the rooms:

Web Fundamentals
Burpsuite Basics
Burpsuite Repeater

All done? Let’s get into it.

TASK 1: OPEN FOR BUSINESS

The Juice Shop is a large application, so the room doesn’t cover the entire OWASP Top 10, but it does cover these five topics:

Injection
Broken Authentication
Sensitive Data Exposure
Broken Access Control
Cross-Site Scripting (XSS)

Questions

Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.

Answer: No answer needed

Once the machine has loaded, access it by copying and pasting its IP into your browser; if you’re using the browser-based machine, paste the machine’s IP into a browser on that machine.

Answer: No answer needed

TASK 2: Let’s go on an adventure!

Before we get into the actual hacking part, it’s good to have a look around. In Burp, set Intercept to off and then browse around the site. This lets Burp log the different requests sent to the server, which may be helpful later.

This is called walking through the application, which is also a form of reconnaissance!

Basically, take a look at everything and see if anything sticks out. I clicked on the first product, which was apple juice, and immediately saw a review left by admin@juice-sh.op. This answers the first question.

Question #1: What’s the Administrator’s email address?

Answer: admin@juice-sh.op

Clicking the magnifying glass in the top right of the application will pop out a search bar.

We can then enter some text and press Enter to search for it.

Now pay attention to the URL, which updates with the text we just entered.

We can now see the search parameter after /#/search?: the letter q.

Question #2: What parameter is used for searching?

Answer: q

Question #3: What show does Jim reference in his review?

Jim did a review on the Green Smoothie product. We can see that he mentions a replicator.

If we google “replicator”, the results indicate that it comes from the TV show Star Trek.

Answer: Star Trek

Task 3: Inject the juice

It may not be obvious how to do this. You’ll need to open Burp Suite; you don’t need to change any settings or update anything for this purpose.

The first question asks you to log into the administrator account. We may already know the email (probably admin@juice-sh.op), but we don’t know the password. Make sure that Burp Suite is running and Intercept is set to ‘on’ before you attempt to log in.

Once you attempt to log in, you should receive the flag.

Now we are going to log into bender@juice-sh.op the same way. The password doesn’t matter.

Once you submit, you should get the flag.

Answer the questions below

Question #1: Log into the administrator account!

After we navigate to the login page, enter some data into the email and password fields.

Before clicking submit, make sure Intercept is on.

This will allow us to see the data being sent to the server!

We will now change the “a” next to the email to ' or 1=1-- (a single quote, a space, or 1=1, then two hyphens) and forward the request to the server.

Why does this work?

  1. The ' character will close the brackets in the SQL query.
  2. ‘OR’ in a SQL statement will return true if either side of it is true. As 1=1 is always true, the whole statement is true. Thus it tells the server that the email is valid, and logs us into user id 0, which happens to be the administrator account.
  3. The -- characters are used in SQL to comment out the rest of the statement, so any further restrictions on the login no longer apply because they are interpreted as a comment. This is like the # and // comments in Python and JavaScript respectively.

Answer: 32a5e0f21372bcc1000a6088b93b458e41f0e02a

Question #2: Log into the Bender account!

Similar to what we did in Question #1, we will now log into Bender’s account! Capture the login request again, but this time put bender@juice-sh.op'-- (the email, a single quote, then two hyphens) as the email.

Now, forward that to the server!

But why don’t we put the 1=1?

Well, as the email address is valid (which already returns true), we do not need to force the condition to be true. Thus we are able to use '-- alone to bypass the login check. Note that 1=1 is needed when the email or username is not known or is invalid.

Answer: fb364762a3c102b2db932069c0e6b78e738d4066
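To see why both payloads work against a login query built by string concatenation, and why bound parameters stop them, here is an added example that is not code from the walkthrough or from Juice Shop itself; the in-memory SQLite table, its columns and the stored values are constructed stand-ins, with id 0 as the administrator as the room describes.

```python
import sqlite3


def build_db():
    """Constructed stand-in for a users table (not the real Juice Shop schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO Users (id, email, password) VALUES (?, ?, ?)",
        [
            (0, "admin@juice-sh.op", "hash-of-admin-pw"),   # user id 0 = administrator
            (1, "jim@juice-sh.op", "hash-of-jim-pw"),
            (2, "bender@juice-sh.op", "hash-of-bender-pw"),
        ],
    )
    return con


def login_vulnerable(con, email, password):
    """Vulnerable form: user input is pasted into the SQL text.

    ' or 1=1--            -> WHERE email = '' or 1=1--' AND ...  (first row, id 0)
    bender@juice-sh.op'-- -> WHERE email = 'bender@juice-sh.op'--' AND ...
    Everything after -- is a comment, so the password check disappears.
    """
    sql = f"SELECT id, email FROM Users WHERE email = '{email}' AND password = '{password}'"
    return con.execute(sql).fetchone()  # (id, email) on success, None on failure


def login_parameterized(con, email, password):
    """Hardened form: bound parameters keep the input as data, never as SQL syntax,
    so the quote and the -- are matched literally against the email column."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return con.execute(sql, (email, password)).fetchone()


if __name__ == "__main__":
    db = build_db()
    for payload in ("' or 1=1--", "bender@juice-sh.op'--"):
        print(repr(payload), "vulnerable:", login_vulnerable(db, payload, "x"),
              "| parameterized:", login_parameterized(db, payload, "x"))
```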

Task 4: Who broke my lock?!

Questions

Go to Burp Suite and open the ‘Intruder’ tab. Head to ‘Positions’ and click the ‘Clear §’ button.

Question #1: Bruteforce the Administrator account’s password!

We have used SQL Injection to log into the Administrator account but we still don’t know the password. Let’s try a brute-force attack! We will once again capture a login request, but instead of sending it through the proxy, we will send it to Intruder.

Go to Positions and then select the Clear § button. In the password field place two § inside the quotes. To clarify, the § § is not two separate inputs but rather Burp’s way of marking the payload position, much like a pair of quotation marks “”. The request should look like the image below.

For the payload, we will be using best1050.txt from SecLists (which can be installed via apt-get install seclists). You can load the list from /usr/share/seclists/Passwords/Common-Credentials/best1050.txt.

NOTE: I used an Attacker Box and had trouble with the previous step. apt-get install seclists did not work and the above directory did not exist. I figured out the location: /root/Tools/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt.

Select Runtime file as the Payload type.

Once the file is loaded into Burp, start the attack. You will want to sort the results by status code: a failed request receives a 401 Unauthorized, whereas a successful request returns a 200 OK.

We found the password. Now let’s login to the account with the password.

Answer: c2110d06dc6f81c67cd8099ff0ba601241f1ac0e
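From the defender’s side, the 401/200 pattern described above is exactly what a log-based detection can key on. The following added example (not code from the walkthrough or from Juice Shop) parses constructed access-log lines and flags a source address that racks up many failed logins in a short window and then receives a 200; the /rest/user/login path, the threshold and the window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one address hammers the login endpoint and finally succeeds,
# another user mistypes once and then logs in normally.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2023:10:00:01 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Jun/2023:10:00:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Jun/2023:10:00:03 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.9 - - [14/Jun/2023:10:00:03 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Jun/2023:10:00:04 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 1502
10.0.0.5 - - [14/Jun/2023:10:00:04 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.9 - - [14/Jun/2023:10:00:05 +0000] "POST /rest/user/login HTTP/1.1" 200 812
10.0.0.5 - - [14/Jun/2023:10:00:05 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Jun/2023:10:00:06 +0000] "POST /rest/user/login HTTP/1.1" 401 26
10.0.0.5 - - [14/Jun/2023:10:00:07 +0000] "POST /rest/user/login HTTP/1.1" 200 812
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')


def parse(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect(log_text, login_path="/rest/user/login", threshold=5, window=timedelta(minutes=1)):
    """Map each offending IP to {'failures': peak 401s inside one window,
    'success_after_burst': True if a 200 followed while the burst was still active}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == login_path:      # only login attempts matter here
            by_ip[rec[0]].append((rec[1], rec[3]))
    findings = {}
    for ip, events in by_ip.items():
        recent = deque()                      # timestamps of 401s inside the current window
        for ts, status in sorted(events):
            while recent and ts - recent[0] > window:
                recent.popleft()
            if status == 401:
                recent.append(ts)
                if len(recent) >= threshold:
                    hit = findings.setdefault(ip, {"failures": 0, "success_after_burst": False})
                    hit["failures"] = max(hit["failures"], len(recent))
            elif status == 200 and len(recent) >= threshold:
                findings[ip]["success_after_burst"] = True
    return findings
```

The same logic applied to application-level auth events (which carry the target account) will also catch the spray variant where one address tries a few passwords against many accounts.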

Question #2: Reset Jim’s password!

Believe it or not, the password reset mechanism can also be exploited! When Jim’s email is entered into the email field on the Forgot Password page, his security question is shown as “Your eldest siblings middle name?”.

Note: Jim’s email is jim@juice-sh.op

In Task 2, we found that Jim might have something to do with Star Trek. Googling “Jim Star Trek” gives us a wiki page for James T. Kirk from Star Trek. Looking through the wiki page we find that he has a brother, and his brother’s middle name is Samuel.

Entering that into the Forgot Password page allows you to successfully change his password. You can change it to anything you want!

Answer: 094fbc9b48e525150ba97d05b942bbf114987257

More to come soon. Unfortunately, at this time I’m having issues with Burpsuite in this room. As soon as I figure out the issue I will revisit this walkthrough.

Task 5: AH! Don’t look!

Task 6: Who’s flying this thing?

Task 7: Where did that come from?

Task 8: Exploration!
