Juice Shop Walkthrough - 3 Star (Part 1)

The previous Juice Shop walkthroughs were getting quite lengthy, and have demanded that I break these into subsections.   For this post I will be completing the first 5 of 13 challenges of the 3 stars.  

The first challenge is described as a Token Sale that we must discover before the official announcement.  The Juice Shop at this point has been fairly well covered, and has been traveled completely. There was no mention of a Token Sale in the comments either.  Looking to the hint to see if it will nudge us in the right direction. The hint tells us that the developers truly believe in "Security through Obscurity" over actual access restrictions.  Security Through Obscurity (STO) is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms.  One thing I have learned through years of penetration testing is that many developers think that by not having any links or references to particular directories that security researches or attackers will not find the hidden page.  Yes, it does make it harder, but the page will still be publicly facing, and thus opens the hidden items more likely to be found through brute-forcing methods.  

There are multiple ways of brute-forcing hidden methods.    One of which is using a tool such as Gobuster to send many different requests to the web server to find hidden content.  However, brute-forcing in this method can be time intensive, and can have unwanted results.  This leads us to researching how the Juice Shop application handles links, and hidden directories.  

Juice Shop is written in Node.js, Express and AngularJS.  What you need to know is that AngularJS supports Single Page Application via multiple views on a single page. To do this AngularJS has provided ng-view and ng-template directives and $routeProvider services.  What this means for Juice Shop challenge number one is that we can open the juice-shop.min.js file and look for any views that might be recorded.  The screenshot below shows what the juice-shop.min.js AngularJS file looks like in the browser.  

This can be very difficult to sift through, but there are open-source tools available that will convert the blob of text shown above into the clean looking code below.  

For the screenshot above I used Sublime Text 3, and the package JavaScript Beautifier.  You can learn more about the package here.  Now that we have the client side code into Sublime Text 3 we can easily search through for the Token Sale.   Searching for view in Sublime Text has resulted in 134 matches, but many of these are just subsets of the word view.  

Such as the word preview was found, and others like this.  We can use Sublime Text's advanced search features to look more specifically.  I simply searched for iteration of Token and Sale, which led to the screenshot below.

Navigating to /#/TokenSale.html and /#/TokenSale does not work, and simply redirects back to the homepage.  When reviewing the source code in the screenshot above it appears that the line with (25,184,174,179,182,186)+36669.toString(36).  

Extracting this interesting JavaScript and pasting it into the browser's JavaScript Console window returns the string /tokensale-ico-ea.   To show case an additional method, in the screenshot below, you can use the popular online testing site JSFiddle.  In the example below I also added an alert function to have the string pop up in the browser for easier viewing.  

Once we navigate to the /tokensale-ico-ea directory we will be greeted with the Initial Coin Offering page, and as well the challenge completion popup.  

The next challenge instructs us to post a comment as a different user.  This seems fairly straight forward, and might be similar to the previous blog post when we intercepted the star rating from the /#/contact/ page.  We will return to the Contact Us page as an authenticated user, and submit another review for the Juice Shop.  Make sure to have your BurpSuite interception on to ensure the POST request is captured.  

You will see from the screenshot below that when the POST request is made to make a comment it has a field for UserId.  Simply changing this to a number lower than our current user number will result in the comment being placed by a different user.  This should be enough to complete the challenge appropriately.  

The next challenge asks for the attacker to access a Salesman's forgotten file.  We can recall from the previous blog post that there were some additional files under /ftp directory.  Which of these files look like something a Salesman might access?  The coupons_2013.md.bak looks promising let's download that file.  

Using the method described in one of the previous blog posts we can bypass the .pdf and .md restrictions by double URL encoding.  The string %2500.pdf will work to bypass the restrictions.  This will allow the download of the coupons, and the completion of this challenge.

The last two challenges for this blog post are to login to Bender's and Jim's accounts using any method.  In this previous blog post we discovered that the authentication was easily bypassed by adding OR 1=1.  This simple bypass will work for both of the challenges.  The only thing we need to know is the email addresses for the two users.  Which if we remember that going to the /#/administration page we can view the registered emails.  

This will wrap it up for the first 5 challenges of the 3 start challenges.  Until next time!