Decrypting Passwords from Cookies
Difficulty: Intermediate
Duration: 2h 6m
Students: 38
Ratings: 5/5
Description

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us the opportunity to practice what we have learned so far, and also to learn about new techniques and new vulnerabilities, such as XX vulnerabilities.

Transcript

Hi. Within this lecture, we're going to solve the challenge that asks us to log in with the administrator account but without applying any SQL injection. So, that's a tough one because we need to find the password of the administrator account as well. Right now, we have the email of the administrator account. We have seen this when we actually applied SQL injection, but we couldn't find any passwords. We're going to see how to find it right now. So first of all, let me come back here, and we can actually find this in a couple of ways, I believe. We can try to brute force here because we already know the email right now.

But I don't know if the brute forcing is going to be easy or not because, as you might remember, we are using the Community Edition, and Intruder takes a lot of time to apply this. So, I'm going to just test a slightly different thing. I'm going to log in with the administrator account one more time using SQL injection like we did in the previous lecture. So, let me come over here to Account. We can see the email. And if we inspect the element in Firefox, we can come back to this Storage thing where we have seen the Cookies before. So, I'm going to try and crack this Cookie to find the password of the administrator account. I don't even know if this is going to work.

Maybe we're going to have to brute force it eventually, but it's worth a shot. So, if you come over here to Cookies, as you can see, there is a token in this. So, this token might contain the username and password of the current user. So, if you come over here to token, if you click on it, you can see the value on the right-hand side. So, if you look over here at the value of this token, we can see the details. So, they seem to be hashed. But we can try to crack this hash with some kind of help from the decoders. So, what am I going to do? I'm going to take this token value from here and try to decrypt it. So, most of the websites use JSON tokens and they encrypt them. And it's good.

But sometimes, we can actually easily crack this. So, what am I going to do? I'm going to take the value from here. So, I believe you can double click on this, the value side, and just copy this. So, let me double click on that and try to copy all of the things over here. I believe you can just do select like that, or you can do Ctrl+A and copy. That way, it will be copied to your clipboard, and then I'm going to go to google.com, in which I will just search for JSON. Let me just show you, token decrypt or token decode. So, it will just take us to a website where we can decode the JSON Web Tokens. So, this is the technology that this site uses and many other websites use as well.

So, they're using JSON Web Tokens and you can just use any page that you want. I'm using jwt.io apparently. And as you can see, if you give the encoded thing over there, like the encoded JSON Web Token. So, I'm going to paste it. You can see the decoded version on the right-hand side. So, it's already decoded it. So, make sure you get the right thing from the value, and you can see the decoded thing over there. As you can see, we can see the email and we can see the password. But we can see the role. We can see the other things here as well. So, this password is probably hashed as well. I'm going to try it. I'm going to just copy this. And I'm just going to try and log in with this, but most probably, it's hashed. So, actually this is a good place for security over here because it's hashed. But most probably, it's not very secure because we will try to crack it, and most probably, we will succeed. Otherwise, it won't be in the challenges. So, let me copy this. And first of all, I'm going to try and see if this is the plain text password. If it is, then we can just log in with this email and this password. We know the email and we know the password. All you have to do is just go back to your Juice Shop, log out, and try to log in with this password. So, let's do that. Let me come over here.

Let me close this down, and because we are done with this, let me log out and let me try to log in one more time. So, the email is admin@juice-sh.op, and for the password, I'm going to paste the thing that I have copied with Ctrl+V. So, let's make sure I copied the right thing and pasted the right thing. Let me delete this and do it one more time. And here we go. Now, we're doing it. If you log in, it says invalid email or password. So, it's understandable because I didn't expect it to be that easy. It should be hashed. I'm going to open a new terminal over here to see what kind of hashing they are using. So in order to do that, you can use hash-identifier.

So, this is a tool that comes preinstalled with Kali Linux. So, just write hash-identifier and paste the thing that you want to identify over there. So, make sure you copy this. And paste it over there with Ctrl+V, or just right click, and hit Enter. And as you can see, it's most probably MD5. We get the other possible things over here as well, but we have seen a lot of MD5s over here. So, most probably it's MD5 hashed. So, I'm going to go to google.com, and I believe we can do this in Burp Suite, but I'm not certain. So, I'm just going to come over here and say md5 decrypt online or something like that because there are a lot of websites that you can do this with.

So, I'm using md5online.org. You can just use anything you want. So, I'm going to paste the thing that we have copied if it stops loading advertorials for us. So, I'm going to paste this. And I'm going to click the Decrypt button as soon as it gets loaded. And here you go. Now, we see the password. So, in plain text, it's admin123, and it's really easy, I know, but we did like two decryptions in order to get this. So, let's try this and see if this works. I'm going to type admin123 in the password. And if we log in, here you go. Now, we solved this challenge successfully. We logged in as the administrator without doing any SQL injection. So, this is fine. We solved this challenge as well.

So, another thing over here. Let me go back to the second star, two stars. Another thing over here, I believe, has something to do with finding the administrator dashboard. So, let me come back and see if we can see anything like that because I know that we have to have some kind of an administrator dashboard, and we couldn't find it in the previous lecture. And I believe we have to find it to solve some of these lectures or some of these challenges over there. I believe this is the one. Get rid of all 5-star customer feedbacks. Let's try and see. Let's try to find the administrator dashboard in the next lecture.
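As an added example (not part of the course or of the Juice Shop project), the Python below reproduces what jwt.io did with the token in this lecture: it base64url-decodes a JWT without checking the signature, which shows that the payload is readable by anyone holding the cookie, and then audits the claims for a password field or a bare 32-hex digest so a token issuer can catch such a leak before shipping. The token is constructed here; its claim layout only loosely mirrors the Juice Shop token, and the password field holds md5("admin123"), the value the lecture recovered.

```python
import base64
import hashlib
import json
import re

# Constructed sample: the shape loosely mirrors the Juice Shop token from the
# lecture (email/password/role claims under "data"); values are made up here
# except that the password field holds md5("admin123"), as the lecture found.
SAMPLE_PASSWORD_HASH = hashlib.md5(b"admin123").hexdigest()
SAMPLE_PAYLOAD = {
    "status": "success",
    "data": {"id": 1, "email": "admin@juice-sh.op",
             "password": SAMPLE_PASSWORD_HASH, "role": "admin"},
    "iat": 1700000000,
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_sample_token() -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode())
    return f"{header}.{payload}.fake-signature-not-checked-here"

def decode_jwt_unverified(token: str):
    """Return (header, payload) WITHOUT verifying the signature: this is
    exactly what jwt.io does, and why anyone holding the cookie can read it."""
    header_seg, payload_seg, _signature = token.split(".")
    return (json.loads(b64url_decode(header_seg)),
            json.loads(b64url_decode(payload_seg)))

def looks_like_md5(value) -> bool:
    # Unsalted MD5 shows up as a bare 32-character hex string, as in the lecture.
    return isinstance(value, str) and re.fullmatch(r"[0-9a-fA-F]{32}", value) is not None

def find_sensitive_claims(payload, prefix="") -> list:
    """Audit check: list dotted claim paths whose key names suggest a secret
    or whose value is a bare 32-hex digest, so the token issuer can be fixed."""
    hits = []
    for key, value in payload.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            hits.extend(find_sensitive_claims(value, path + "."))
        elif key.lower() in {"password", "passwd", "hash", "secret"} or looks_like_md5(value):
            hits.append(path)
    return hits
```

The fix on the issuing side is to leave the password (hashed or not) out of the token entirely; a signed JWT keeps its claims from being tampered with, but it does not hide them.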

About the Author
Students: 2089
Courses: 55
Learning Paths: 3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.