OWASP Juice Shop TryHackMe Writeup/Walkthrough

Shivam Taneja
6 min readSep 12, 2022

--

OWASP Juice Shop — Tryhackme

This is the write up for the room OWASP Juice Shop on Tryhackme

Make connection with VPN or use the attackbox on Tryhackme site to connect to the Tryhackme lab environment.

Tasks for OWASP Juice Shop room

Task 1:

Start the attached VM then read all that is in the task and press complete on the next two questions

Task 2:

First make sure Burp suite is configured the correct way. Turn interceptor off but burp on in FoxyProxy.

Now open firefox and navigate to the site by entering the MACHINE_IP into firefox

2.1 What’s the Administrator’s email address?

The answer can be found by just following along with the question. But do follow it also with Firefox

Answer: admin@juice-sh.op

2.2 What parameter is used for searching?

This answer is also in the text of the question. But do follow along with firefox

Answer: q

2.3 What show does Jim reference in his review?

Follow along with the steps in the test of the question

Answer: Star Trek

Task 3

3.1 Log into the administrator account!

Navigate to the login page and enter the admin email address and a makeup password. Does not matter what. In Burpsuite make sure you have intercept on and then press the login button.

Now in burpsuite press the follow button until you see the email. Then change that field as stated in the question

Press forward and notice in firefox you are login in as admin. Turn intercept off in Burpsuite and the answer of the question will reveal itself

3.2 Log into the Bender account!

Same as the previous question. Go to login screen. Turn intercept on in Burpsuite and press login

Now forward the requests and notice in Firefox the answer of this question

Task 4

4.1 Bruteforce the Administrator account’s password!

Go back to the login page. Enter the admin email and a make up password. Turn on intercept in Burpsuite and press login on the login page.

Press forward in Burpsuite until you see the email.

Now right click and select send to repeater

Press intruder tab which now is highlighted. Then press Positions

On the right-side press Clear

now select the password and press Add

Now press Payload. Then Press the load button to load the list as stated in the question

Now press the attack button

Once finished look for the 200 OK request in the status. Then login with that password so the answer of the question can reveal itself.

4.2 Reset Jim’s password!

Follow along with the tutorial already given in this question. Reset the password and the answer will reveal itself. Just go to the login page and click for password

Task 5

5.1 Access the Confidential Document!

Got to MACHINE_IP/ftp and download the incident-support.kdbx . This is a keypass database which can be cracked. Then go to the main site and the answer of the question will reveal itself

5.2 Log into MC SafeSearch’s account!

Follow along with the text of the question and you will get the answer

navigate to MACHINE_IP/ftp/package.json.bak%2500.md Save the file and navigate to the main site with Firefox and the answer will reveal itself

Task 6

6.1 Access the administration page!

Open the webpage in Firefox and press F12 this will bring up the developers console. Look for the file main-es2015.js Right click on it then press open in debugger

At the button click on the {} icon

Now click anywhere in the file then press control +f to start a search. Type admin in the searchbox and look for path: “administration”

Now we know there is an admin page on MACHINE_IP/#/administration

Login as the admin we found earlier and navigate to MACHINE_IP/#/administration we found to reveal the answer of this question

6.2 View another user’s shopping basket!

Make sure you are logged in as admin. The turn on intercept in burp. Navigate to your shopping basket. in Burpsuite press forward until you see GET /rest/basket/1 in the Raw field. Change it to GET/ rest/basket/2 and forward that request. You see your basket is different. You are now viewing someone else basket. Forward all or turn of the intercept in Burpsuite so the answer of this question can reveal itself

6.3 Remove all 5-star reviews!

We are still logged in as admin. Go to MACHINE_UP/#/administration and remove a customer 5 star feedback. Once this is done the answer will reveal itself

Task 7

7.1 Perform a DOM XSS!

Enter the following code in the searchbar <iframe src=”javascript:alert(`xss`)”> then press ok and the answer will reveal itself

7.2 Perform a persistent XSS!

Follow along with the given textin the question.

Login with the admin account admin@juice-sh.op . Go to the last login IP page MACHINE_IP/#/privacy-security/last-login-ip

Turn on burpsuite and log out. Now it captures the logout request. Go to Headers and press the add button and add the following

True-Client-IP

<iframe src=”javascript:alert(`xss`)”>

Make sure the GET value represent the savelogin

Login back in as admin admin@juice-sh.op and the answer of the question will reveal itself

7.3 Perform a reflected XSS!

Make sure you are still logged in as admin admin@juice-sh.op then Following along with the text in the question. navigate to MACHINE_IP/#/track-result?id=ADD THE IFRAME CODE HERE

If it does not work the first time then press F5

The answer will reveal itself when done

Task 8

Access the /#/score-board/ page

Navigate to MACHINE_IP/#/score-board/ and the answer will reveal itself

Conclusion OWASP Juice Shop on Tryhackme

This room is fun to do. If you read it all carefully you should not have any issues on completing this room.

--

--

Shivam Taneja
Shivam Taneja

Written by Shivam Taneja

IT Security Consultant, Researcher, Penetration Tester & Hacker.