Challenge hunting

This part of the book can be read from end to end as a hacking guide. Used in that way you will be walked through various types of web vulnerabilities and learn how to exploit their occurrences in the E. Corp Shop application. Alternatively you can start hacking the E. Corp Shop on your own and use this part simply as a reference and source of hints in case you get stuck at a particular challenge.

In case you want to look up hints for a particular challenge, the following tables lists all challenges of the E. Corp Shop grouped by their difficulty and in the same order as they appear on the Score Board.

Trivial Challenges ( 🌟 )

Challenge	Description	Hints	Solution
Admin Section	Access the administration section of the store.	💡	🏆
Confidental Document	Access a confidential document.	💡	🏆
Error Handling	Provoke an error that is not very gracefully handled.	💡	🏆
Redirects Tier 1	Let us redirect you to a donation site that went out of business.	💡	🏆
Score Board	Find the carefully hidden 'Score Board' page.	💡	🏆
XSS Tier 1	Perform a reflected XSS attack with <script>alert("XSS")</script>.	💡	🏆
Zero Stars	Give a devastating zero-star feedback to the store.	💡	🏆

Easy Challenges ( 🌟🌟 )

Challenge	Description	Hints	Solution
Basket Access	Access someone else's basket.	💡	🏆
Christmas Special	Order the Christmas special offer of 2014.	💡	🏆
Deprecated Interface	Use a deprecated B2B interface that was not properly shut down.	💡	🏆
Five-Star Feedback	Get rid of all 5-star customer feedback.	💡	🏆
Login Admin	Log in with the administrator's user account.	💡	🏆
Login MC SafeSearch	Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass.	💡	🏆
Password Strength	Log in with the administrator's user credentials without previously changing them or applying SQL Injection.	💡	🏆
Weird Crypto	Inform the shop about an algorithm or library it should definitely not use the way it does.	💡	🏆

Medium Challenges ( 🌟🌟🌟 )

Challenge	Description	Hints	Solution
Blockchain Tier 1	Learn about the Token Sale before its official announcement.	💡	🏆
Forged Feedback	Post some feedback in another users name.	💡	🏆
Forgotten Sales Backup	Access a salesman's forgotten backup file.	💡	🏆
Login Bender	Log in with Bender's user account.	💡	🏆
Login Jim	Log in with Jim's user account.	💡	🏆
Payback Time	Place an order that makes you rich.	💡	🏆
Product Tampering	Change the href of the link within the O-Saft product description into http://kimminich.de.	💡	🏆
Reset Jim's Password	Reset Jim's password via the Forgot Password mechanism with the truthful answer to his security question.	💡	🏆
Upload Size	Upload a file larger than 100 kB.	💡	🏆
Upload Type	Upload a file that has no .pdf extension.	💡	🏆
XSS Tier 2	Perform a persisted XSS attack with <script>alert("XSS")</script> bypassing a client-side security mechanism.	💡	🏆
XSS Tier 3	Perform a persisted XSS attack with <script>alert("XSS")</script> without using the frontend application at all.	💡	🏆
XXE Tier 1	Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server.	💡	🏆

Hard Challenges ( 🌟🌟🌟🌟 )

Challenge	Description	Hints	Solution
CSRF	Change Bender's password into slurmCl4ssic without using SQL Injection.	💡	🏆
Easter Egg Tier 1	Find the hidden easter egg.	💡	🏆
Easter Egg Tier 2	Apply some advanced cryptanalysis to find the real easter egg.	💡	🏆
Eye Candy	Travel back in time to the golden era of web design.	💡	🏆
Forgotten Developer Backup	Access a developer's forgotten backup file.	💡	🏆
Login Bjoern	Log in with Bjoern's user account without previously changing his password, applying SQL Injection, or hacking his Google account.	💡	🏆
Misplaced Signature File	Access a misplaced SIEM signature file.	💡	🏆
NoSQL Injection Tier 1	Let the server sleep for some time. (It has done more than enough hard work for you)	💡	🏆
NoSQL Injection Tier 2	Update multiple product reviews at the same time.	💡	🏆
Redirects Tier 2	Wherever you go, there you are.	💡	🏆
Reset Bender's Password	Reset Bender's password via the Forgot Password mechanism with the truthful answer to his security question.	💡	🏆
Typosquatting Tier 1	Inform the shop about a typosquatting trick it has become victim of. (Mention the exact name of the culprit)	💡	🏆
User Credentials	Retrieve a list of all user credentials via SQL Injection	💡	🏆
Vulnerable Library	Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)	💡	🏆
XSS Tier 4	Perform a persisted XSS attack with <script>alert("XSS")</script> bypassing a server-side security mechanism.	💡	🏆

Dreadful Challenges ( 🌟🌟🌟🌟🌟 )

Challenge	Description	Hints	Solution
CAPTCHA Bypass	Submit 10 or more customer feedbacks within 10 seconds.	💡	🏆
Extra Language	Retrieve the language file that never made it into production.	💡	🏆
JWT Issues Tier 1	Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op.	💡	🏆
Login CISO	Exploit OAuth 2.0 to log in with the Chief Information Security Officer's user account.	💡	🏆
RCE Tier 1	Perform a Remote Code Execution that would keep a less hardened application busy forever.	💡	🏆
Reset Bjoern's Password	Reset Bjoern's password via the Forgot Password mechanism with the truthful answer to his security question.	💡	🏆
Reset Morty's Password	Reset Morty's password via the Forgot Password mechanism with his obfuscated answer to his security question.	💡	🏆
Retrieve Blueprint	Deprive the shop of earnings by downloading the blueprint for one of its products	💡	🏆
Typosquatting Tier 2	Inform the shop about a more literal instance of typosquatting it fell for. (Mention the exact name of the culprit)	💡	🏆
XXE Tier 2	Give the server something to chew on for quite a while.	💡	🏆

Diabolic Challenges ( 🌟🌟🌟🌟🌟🌟 )

Challenge	Description	Hints	Solution
Forged Coupon	Forge a coupon code that gives you a discount of at least 80%.	💡	🏆:
Imaginary Challenge	Solve challenge #99. Unfortunately, this challenge does not exist.	💡	🏆
JWT Issues Tier 2	Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.	💡	🏆
Login Support Team	Log in with the support team's original user credentials without applying SQL Injection or any other bypass.	💡	🏆
Premium Paywall	Unlock Premium Challenge to access exclusive content.	💡	🏆
RCE Tier 2	Perform a Remote Code Execution that occupies the server for a while without using infinite loops.	💡	🏆