OWASP-Juice-shop - TryHackMe !

-
juice

Task 1

when you go into the IP you can see juice store.

Task 2

Question #1: What’s the Administrator’s email address?

click the item on the juice shop and view the review

admin@juice-sh.op

Question #2: What parameter is used for searching?

when you search about a item , You can get the parameter name after the question mark.
(http://10.10.163.117/#/search?q=apple)

q

Question #3: What show does Jim reference in his review?

His review was the (Fresh out of a replicator.) and search this about google you can get the answer. what is the replicator ?

star trek

Task 3

Question #1: Log into the administrator account!

In this case we need to get to the admin account this will be easy injection. first we need to go to the login page and Type like this:
’ or 1=1-- and password to whatever you like. Here we go now you in the admin account.

Task 4

Question #1: Bruteforce the Administrator account’s password!

They provide a guideline to do this. when you done the brute force you
can get a output like this.

So we hit the jackpot admin password was the admin123, how silly ?
Log into the account with credentials. we can get our flag.

Question #2: Reset Jim’s password!

Answer for that security question : Samuel
Give a password with a numbers like this : any123

Task 5

Question #1: Access the Confidential Document!

When you go into the about page you can see the link.You will see that it links to http://10.10.141.210/ftp/legal.md. Navigating to that /ftp/ directory reveals that it is exposed to the public!

They said about http://10.10.141.210/ftp/acquisitions.md this file in the documentation. Go ahead download it. After download it look at the web page you received a flag.

Question #2: Log into MC SafeSearch’s account!

After We read the documentation now we know the password to the mc.safesearch@juice-sh.op account is “Mr. N00dles”

Task 6

Question #1: Access the administration page!

Follow the step by steps as documentation said after you found administration page hint. you need to be a admin to access this page.
(admin@juice-sh.op:admin123)

Question #2: View another user’s shopping basket!

Login to the Admin account and click on ‘Your Basket’. Make sure Burp is running so you can capture the request!
Forward each request until you see: GET /rest/basket/1 HTTP/1.1
After that You need to change /basket/2 like this

Question #3: Remove all 5-star reviews!

Navigate to the http://10.10.141.210/#/administration page again and click the bin icon next to the review with 5 stars!

Task 7

Question #1: Perform a DOM XSS!

Type this on the Search bar :

<iframe src="javascript:alert(`hello`)">

Question #2: Perform a persistent XSS!

Do as they say about documentation you can get the flag. How i add a request in new version of burp ?

Question #3: Perform a reflected XSS!

Replace the script like this :

http://10.10.141.210/#/track-result?id=<iframe src%3D"javascript:alert(`xss`)">

Task 8

Access the /#/score-board/ page

when you log out and go to the score board you able to see the flag.
http://10.10.141.210/#/score-board/

Popular posts from this blog

Mustacchio - TryHackMe

-
Image
thm What we can learn from this machine : XXE injection Enumerations SUID exploit let’s start with a nmap scan. normal nmap scan found port 80 webserver called Mustacchio and port 22 ssh open running ubuntu. I try to running a full nmap scan for see more ports are open above the port 1000. # Nmap 7.91 scan initiated Sat Jun 12 14:57:25 2021 as: nmap -sC -sV -p- -oN scans/nmap-allports 10.10.236.36 Nmap scan report for 10.10.236.36 Host is up (0.15s latency). Not shown: 65532 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA) | 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA) |_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-t
Read more

Tech_Supp0rt: 1 - TryHackMe

-
Image
Welcome file Welcome to another CTF-writeup !! Tech_support:1 by vikaran. What we can learn from this machine. nmap scan , smbmap etc. (enumeration skills) subrion cms 4.2.1 RCE iconv sudo permission to overwritten files and read the files Let’s start with enumeration. First with nmap to see what port we have in the box. Nmap scan ┌── ( defalt@kali ) - [ ~/Documents/tryhackme/Tech_Supp0rt:1 ] └─$ nmap -sC -sV 10.10.168.200 Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-15 21:29 PDT Nmap scan report for 10.10.168.20 Host is up ( 0.37s latency ) . Not shown: 996 closed tcp ports ( conn-refused ) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 ( Ubuntu Linux ; protocol 2.0 ) | ssh-hostkey: | 2048 10:8a:f5:72:d7:f9:7e:14:a5:c5:4f:9e:97:8b:3d:58 ( RSA ) | 256 7f:10:f5:57:41:3c:71:db:b5:5b:db:75:c9:76:30:5c ( ECDSA ) | _ 256 6b:4c:23:50:6f:36:00:7c:a6:7c:11:73:c1:a8:60:0c ( ED25519 ) 80/tcp open http Apache ht
Read more

Juicy Details - TryHackMe

-
Image
thm What we can learn from this machine? How to read and understand the firefox log files About sql injection Reconnaissance What tools did the attacker use? (Order by the occurrence in the log) : : ffff : 192.168 . 10.5 - - [ 11 / Apr / 2021 : 09 : 08 : 34 + 0000 ] "POST / HTTP/1.1" 200 1924 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)" : : ffff : 192.168 . 10.5 - - [ 11 / Apr / 2021 : 09 : 16 : 29 + 0000 ] "POST /rest/user/login HTTP/1.0" 401 26 "-" "Mozilla/5.0 (Hydra)" : : ffff : 192.168 . 10.5 - - [ 11 / Apr / 2021 : 09 : 29 : 14 + 0000 ] "GET /rest/products/search?q=1 HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)" : : ffff : 192.168 . 10.5 - - [ 11 / Apr / 2021 : 09 : 32 : 51 + 0000 ] "GET /rest/products/search?q=qwert%27))%20UNION%20SELECT%20id,%20email,%20passwor
Read more