Hacking the Juice Shop: Information Gathering

The Juice Shop is an intentionally vulnerable web application developed by the Open Web Application Security Project (OWASP). It has a series of challenges that allow hackers to learn how to exploit many of the vulnerabilities that fall under the OWASP Top 10.

I’m going to be posting a series of articles that effectively documents a miniature penetration test, which, generally speaking, consists of the following stages:

  1. Pre-engagement Interactions
  2. Reconnaissance / Information Gathering
  3. Scanning
  4. Vulnerability Assessment
  5. Exploitation
  6. Reporting

These phases aren’t always linear. It’s best to think of it as an iterative process. For example: scanning, enumeration and exploitation can all provide additional insights about the system under test, so as hackers we are constantly gathering information which can be used to perform further exploits.

PRE-ENGAGEMENT INTERACTIONS

I am studying to become a penetration tester, so this series is my attempt at showcasing my skills through the entire lifecycle of an engagement.

However, as a working mom, I simply don’t have the time or resources to dedicate to simulating a complete, full-scale penetration test.

One of the first steps involved in penetration testing (pre-engagement) is defining scope. Let’s do that.

I will focus solely on the Juice Shop application; white box testing (SAST) and attacks on the associated operating system/network are out of scope.

I will document only a small portion of each stage and the vulnerabilities/exploits available on Juice Shop.

I will be using Kali Linux as the attacking machine, with the vulnerable Juice Shop application hosted locally in a Docker container.

INFORMATION GATHERING

FINGERPRINTING

• Determine the version and type of a running web server to enable further discovery of any known vulnerabilities.
• Fingerprint the components used by the web application.

Note: As the application is hosted in a Docker container on the attacking Kali VM, fingerprinting results may not be entirely accurate.

Fingerprint web server:

$ nmap -sV 192.168.0.102 -p 3000   
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-20 13:08 EDT
Nmap scan report for 192.168.0.102
Host is up (0.00012s latency).

PORT     STATE SERVICE VERSION
3000/tcp open  ppp?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=5/20%Time=6287CB2D%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,962,"HTTP/1\.1\x20200\x20OK\r\nAccess-Control-Allow-Origin:\x2
SF:0\*\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20SAMEOR
SF:IGIN\r\nFeature-Policy:\x20payment\x20'self'\r\nAccept-Ranges:\x20bytes
SF:\r\nCache-Control:\x20public,\x20max-age=0\r\nLast-Modified:\x20Thu,\x2
SF:019\x20May\x202022\x2016:07:26\x20GMT\r\nETag:\x20W/\"7c3-180dd12ec2e\"
SF:\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nContent-Length:\x20
SF:1987\r\nVary:\x20Accept-Encoding\r\nDate:\x20Fri,\x2020\x20May\x202022\
SF:x2017:09:01\x20GMT\r\nConnection:\x20close\r\n\r\n<!--\n\x20\x20~\x20Co
SF:pyright\x20\(c\)\x202014-2022\x20Bjoern\x20Kimminich\x20&\x20the\x20OWA
SF:SP\x20Juice\x20Shop\x20contributors\.\n\x20\x20~\x20SPDX-License-Identi
SF:fier:\x20MIT\n\x20\x20--><!DOCTYPE\x20html><html\x20lang=\"en\"><head>\
SF:n\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20<title>OWASP\x20Juice\x20
SF:Shop</title>\n\x20\x20<meta\x20name=\"description\"\x20content=\"Probab
SF:ly\x20the\x20most\x20modern\x20and\x20sophisticated\x20insecure\x20web\
SF:x20application\">\n\x20\x20<meta\x20name=\"viewport\"\x20content=\"widt
SF:h=device-width,\x20initial-scale=1\">\n\x20\x20<link\x20id=\"favicon\"\
SF:x20rel=\"icon\"\x20type=\"image/x-icon\"\x20href=\"assets/public/favico
SF:n_js\.ico")%r(Help,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection
SF::\x20close\r\n\r\n")%r(NCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCo
SF:nnection:\x20close\r\n\r\n")%r(HTTPOptions,EA,"HTTP/1\.1\x20204\x20No\x
SF:20Content\r\nAccess-Control-Allow-Origin:\x20\*\r\nAccess-Control-Allow
SF:-Methods:\x20GET,HEAD,PUT,PATCH,POST,DELETE\r\nVary:\x20Access-Control-
SF:Request-Headers\r\nContent-Length:\x200\r\nDate:\x20Fri,\x2020\x20May\x
SF:202022\x2017:09:01\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPReque
SF:st,EA,"HTTP/1\.1\x20204\x20No\x20Content\r\nAccess-Control-Allow-Origin
SF::\x20\*\r\nAccess-Control-Allow-Methods:\x20GET,HEAD,PUT,PATCH,POST,DEL
SF:ETE\r\nVary:\x20Access-Control-Request-Headers\r\nContent-Length:\x200\
SF:r\nDate:\x20Fri,\x2020\x20May\x202022\x2017:09:01\x20GMT\r\nConnection:
SF:\x20close\r\n\r\n")%r(RPCCheck,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r
SF:\nConnection:\x20close\r\n\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.68 seconds

HTTP Headers:

$ nc 192.168.0.102 3000
HEAD / HTTP/1.1

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Thu, 19 May 2022 16:07:26 GMT
ETag: W/"7c3-180dd12ec2e"
Content-Type: text/html; charset=UTF-8
Content-Length: 1987
Vary: Accept-Encoding
Date: Fri, 20 May 2022 16:27:46 GMT
Connection: keep-alive
Keep-Alive: timeout=5

Generate a malformed request:

$ nc 192.168.0.102 3000
GET / TDVG/1.1
HTTP/1.1 400 Bad Request
Connection: close

HTTP OPTIONS:

$ nc 192.168.0.102 3000
OPTIONS / HTTP/1.1

HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Vary: Access-Control-Request-Headers
Content-Length: 0
Date: Fri, 20 May 2022 16:39:18 GMT
Connection: keep-alive
Keep-Alive: timeout=5
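The HEAD and OPTIONS responses above carry more than a server banner would. As an added example (not code from the original article or the Juice Shop project), the script below parses raw responses like the two captured with nc and reports what a defender should notice: the wildcard CORS policy combined with state-changing methods, the deprecated Feature-Policy header, missing hardening headers, and an ETag whose shape is consistent with the stat-based weak ETag of Express's static file serving (hex file size, dash, hex modification time in milliseconds). The sample responses are constructed from the headers shown on this page; the list of expected hardening headers and the ETag format are my assumptions, not something the page states.

```python
"""Parse and audit captured HEAD and OPTIONS responses (added example)."""
from datetime import datetime, timezone
from typing import Optional

# Constructed from the headers shown on the page; bodies omitted.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Feature-Policy: payment 'self'\r\n"
    "Accept-Ranges: bytes\r\n"
    "Cache-Control: public, max-age=0\r\n"
    "Last-Modified: Thu, 19 May 2022 16:07:26 GMT\r\n"
    'ETag: W/"7c3-180dd12ec2e"\r\n'
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 1987\r\n"
    "Vary: Accept-Encoding\r\n"
    "Date: Fri, 20 May 2022 16:27:46 GMT\r\n"
    "Connection: keep-alive\r\n"
    "Keep-Alive: timeout=5\r\n"
    "\r\n"
)
SAMPLE_OPTIONS = (
    "HTTP/1.1 204 No Content\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE\r\n"
    "Vary: Access-Control-Request-Headers\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumption: hardening headers a production site is expected to send.
EXPECTED_HEADERS = {
    "strict-transport-security": "no Strict-Transport-Security (HSTS) header",
    "content-security-policy": "no Content-Security-Policy header",
    "referrer-policy": "no Referrer-Policy header",
}


def parse_response(raw: str) -> tuple:
    """Return (status code, headers dict); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def decode_weak_etag(etag: str) -> Optional[tuple]:
    """Decode W/"<hex size>-<hex mtime ms>" into (size, mtime as UTC datetime).

    Assumption: this is the stat-based weak ETag format of the Node etag
    package used for Express static files. Returns None for any other shape.
    """
    if not (etag.startswith('W/"') and etag.endswith('"')):
        return None
    body = etag[3:-1]
    if "-" not in body:
        return None
    size_hex, mtime_hex = body.split("-", 1)
    try:
        size, mtime_ms = int(size_hex, 16), int(mtime_hex, 16)
    except ValueError:
        return None
    return size, datetime.fromtimestamp(mtime_ms // 1000, tz=timezone.utc)


def audit(head_raw: str, options_raw: str) -> list:
    """Return findings a defender would record from a HEAD and an OPTIONS response."""
    findings = []
    _, h = parse_response(head_raw)
    _, o = parse_response(options_raw)

    if h.get("access-control-allow-origin") == "*":
        findings.append("CORS: Access-Control-Allow-Origin is a wildcard")
    methods = {m.strip() for m in o.get("access-control-allow-methods", "").split(",")}
    risky = sorted(methods & {"PUT", "PATCH", "DELETE"})
    if risky and o.get("access-control-allow-origin") == "*":
        findings.append(f"CORS: state-changing methods {','.join(risky)} allowed for any origin")
    if "feature-policy" in h:
        findings.append("Feature-Policy is the deprecated name for Permissions-Policy")
    for name, msg in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(msg)
    decoded = decode_weak_etag(h.get("etag", ""))
    if decoded:
        size, mtime = decoded
        # Cross-check the decoded fields against Content-Length and Last-Modified.
        consistent = (str(size) == h.get("content-length")
                      and mtime.strftime("%a, %d %b %Y %H:%M:%S GMT") == h.get("last-modified"))
        if consistent:
            findings.append("ETag decodes to file size and mtime (Express/send style weak ETag)")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HEAD, SAMPLE_OPTIONS):
        print("-", line)
```

On the captured response, `W/"7c3-180dd12ec2e"` decodes to 0x7c3 = 1987 bytes and a modification time of 19 May 2022 16:07:26 UTC, which match Content-Length and Last-Modified exactly; that agreement is what makes the ETag a framework fingerprint rather than an opaque value.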

POKE AROUND THE SITE

• Identify hidden or obfuscated paths and functionality through the analysis of metadata files.
• Extract and map other information that could lead to a better understanding of the systems at hand.
• Review webpage comments, metadata, and redirect bodies to find any information leakage.
• Gather JavaScript files and review the JS code to better understand the application and to find any information leakage.
• Identify if source map files or other front-end debug files exist.


There are several common web hosting files we can investigate to learn more about the target.

/robots.txt

User-agent: *
Disallow: /ftp

/.well-known/security.txt

Contact: mailto:[email protected]
Encryption: https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda
Acknowledgements: /#/score-board
Preferred-languages: en, ar, az, bg, ca, cs, da, de, el, es, et, fi, fr, ka, he, hi, hu, id, it, ja, ko, lv, my, nl, no, pl, pt, ro, ru, si, sv, th, tr, uk, zh
Expires: Fri, 19 May 2023 16:07:21 GMT
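Both files are worth checking from the defender's side too: robots.txt should not be used to hide paths that actually need access control, and a security.txt must satisfy RFC 9116 (Contact and Expires are required, and Expires should be less than a year out). As an added example that is not part of the original article, the script below parses the two files quoted above and reports these points. The samples are constructed from the page; the Contact address is a placeholder because the page redacts the real one.

```python
"""Parse robots.txt and security.txt and review what they disclose or lack (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed from the files quoted on the page.
ROBOTS_TXT = "User-agent: *\nDisallow: /ftp\n"
SECURITY_TXT = """\
Contact: mailto:security@example.com
Encryption: https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda
Acknowledgements: /#/score-board
Preferred-languages: en, ar, de
Expires: Fri, 19 May 2023 16:07:21 GMT
"""  # Contact above is a placeholder; the page redacts the real address.


def parse_robots(text: str) -> dict:
    """Map each User-agent value to its non-empty Disallow paths."""
    groups, current = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        if field.lower() == "user-agent":
            current = groups.setdefault(value, [])
        elif field.lower() == "disallow" and value:
            current.append(value)
    return groups


def parse_security_txt(text: str) -> dict:
    """Map lower-cased field names to their values; fields may repeat."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = (p.strip() for p in line.split(":", 1))
        fields.setdefault(name.lower(), []).append(value)
    return fields


def parse_expires(value: str) -> datetime:
    """Accept RFC 3339 (what RFC 9116 specifies) or an HTTP-date as seen on the page."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_security_txt(fields: dict, now: datetime) -> list:
    """Findings against the RFC 9116 requirements the file should meet."""
    findings = []
    if "contact" not in fields:
        findings.append("missing required Contact field")
    if "expires" not in fields:
        findings.append("missing required Expires field")
    else:
        expires = parse_expires(fields["expires"][0])
        if expires <= now:
            findings.append(f"Expires {expires.date()} has passed; file is stale")
        elif (expires - now).days > 365:
            findings.append("Expires is more than a year out; RFC 9116 recommends less")
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            findings.append(f"Contact {contact!r} is not a mailto:, tel: or https: URI")
    return findings


def robots_findings(groups: dict) -> list:
    """Every Disallow entry is a disclosed path; note it for an access-control review."""
    return [f"robots.txt discloses {path} for agent {agent!r}; protect it with access control"
            for agent, paths in groups.items() for path in paths]


def review_site_files(robots_text: str, security_text: str, now_iso: str) -> dict:
    """Run both reviews with a fixed 'now' (ISO 8601) so results are reproducible."""
    now = datetime.fromisoformat(now_iso)
    return {
        "robots": robots_findings(parse_robots(robots_text)),
        "security_txt": check_security_txt(parse_security_txt(security_text), now),
    }


if __name__ == "__main__":
    for section, items in review_site_files(ROBOTS_TXT, SECURITY_TXT, "2022-05-20T00:00:00+00:00").items():
        print(section, items or ["no findings"])
```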

Furthermore, we can gather a lot of information by browsing around the site manually.

• The “About us” page contains a link to a public FTP folder. There are some really interesting items uploaded here.
• The Photo Wall contains images that might have embedded GPS coordinates.
• The main.js file tells us this web application is built using Angular (ng-version).
• Trying to access directories that do not exist indicates the application is hosted on Express.

Full usernames can be found posted in reviews:

• [email protected]
• [email protected] (pop culture reference to Futurama)
• [email protected] (salesman artwork reveals PII)
• [email protected] (uses leetspeak in multiple reviews)
• [email protected] (pop culture reference: “Fresh out of a replicator.”)
• [email protected] (posted lyrics)
• [email protected]
• [email protected]
• [email protected]e-sh.op (a pop culture reference to Rick & Morty)


SITE ARCHITECTURE

• Understand the architecture of the application and the technologies in use.


Technologies found by browsing the code:

  • HTML/CSS/JavaScript
  • jQuery 2.2.4
  • Cookie Consent 2 v3.1.0

Angular v13.3.6

<app-root _nghost-veh-c263="" ng-version="13.3.6"></app-root>

Express

$ curl -i http://192.168.0.102:3000/ftp/tdvg

<h1>OWASP Juice Shop (Express ^4.17.1)</h1>

Node.js (inferred from the Angular + Express stack, not directly confirmed)

A REST API (identified via console errors):

ERROR
error: Object { error: "Unauthenticated user" }
headers: Object { normalizedNames: Map(0), lazyUpdate: null, lazyInit: lazyInit() }
message: "Http failure response for http://192.168.0.102:3000/rest/chatbot/status: 401 Unauthorized"
name: "HttpErrorResponse"
ok: false
status: 401
statusText: "Unauthorized"
url: "http://192.168.0.102:3000/rest/chatbot/status"
vendor.js:1:708896
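Each of the artifacts in this section discloses a technology and often a version: the ng-version attribute, the Express 404 page, a library banner, and a console error that names a REST endpoint. As an added example that is not code from the article or the Juice Shop project, the script below pulls these disclosures out of such artifacts so they can be recorded and checked against advisories. The three samples are constructed from what the page shows (plus a jQuery banner comment in the library's standard minified form); the regular expressions are my assumptions about how these frameworks print versions. One caveat it encodes: the caret in "Express ^4.17.1" is a semver range copied from package.json, so it gives a lower bound, not the exact installed version.

```python
"""Collect technology and version disclosures from page artifacts (added example)."""
import re

# Constructed samples based on the artifacts shown on the page.
SAMPLES = {
    "index page": '<app-root _nghost-veh-c263="" ng-version="13.3.6"></app-root>',
    "404 page for /ftp/tdvg": "<h1>OWASP Juice Shop (Express ^4.17.1)</h1>",
    "bundled library banner": "/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */",
}
SAMPLE_CONSOLE = ('message: "Http failure response for '
                  'http://192.168.0.102:3000/rest/chatbot/status: 401 Unauthorized"')

# (technology, pattern with a 'version' group and an optional 'range' group, where it shows up)
VERSION_PATTERNS = [
    ("Angular", re.compile(r'ng-version="(?P<version>[\d.]+)"'), "ng-version attribute on the root element"),
    ("Express", re.compile(r"\(Express\s+(?P<range>\^)?(?P<version>[\d.]+)\)"), "version string in the 404 error page"),
    ("jQuery", re.compile(r"jQuery (?:JavaScript Library )?v(?P<version>[\d.]+)"), "banner comment in the library file"),
]

# Angular's HttpErrorResponse message format as seen in the console above.
CONSOLE_ERROR = re.compile(r'Http failure response for (?P<url>\S+?): (?P<status>\d{3}) (?P<text>[^"]*)')


def find_versions(artifact: str, source: str) -> list:
    """Return one dict per version disclosure found in the artifact text."""
    hits = []
    for tech, pattern, how in VERSION_PATTERNS:
        for m in pattern.finditer(artifact):
            hits.append({
                "technology": tech,
                "version": m.group("version"),
                # A caret range means the exact installed version is not known.
                "exact": m.groupdict().get("range") is None,
                "source": source,
                "how": how,
            })
    return hits


def api_endpoints(console_text: str) -> list:
    """Extract (url, status, status text) from HttpErrorResponse console messages."""
    return [(m.group("url"), int(m.group("status")), m.group("text"))
            for m in CONSOLE_ERROR.finditer(console_text)]


def disclosure_report(samples: dict) -> list:
    """One line per disclosure, flagging ranges so they are not treated as exact versions."""
    lines = []
    for source, artifact in samples.items():
        for hit in find_versions(artifact, source):
            qualifier = "" if hit["exact"] else " (semver range: lower bound only)"
            lines.append(f"{hit['technology']} {hit['version']}{qualifier} via {hit['how']} [{hit['source']}]")
    return lines


if __name__ == "__main__":
    for line in disclosure_report(SAMPLES):
        print("-", line)
    for url, status, text in api_endpoints(SAMPLE_CONSOLE):
        print("- API endpoint", url, "returned", status, text)
```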

It’s important to note that the information gathering phase is also an iterative process. Additional information can be learned throughout the entire lifecycle of a penetration test. Enumeration and exploitation can be especially useful for learning more in-depth information about the system under test.

Speaking of enumeration, check out the next article in this series: Hacking the Juice Shop: Enumeration.