Challenge hunting

This part of the book can be read from end to end as a hacking guide. Used in that way, you will be walked through various types of web vulnerabilities and learn how to exploit their occurrences in the E. Corp Shop application. Alternatively, you can start hacking the E. Corp Shop on your own and use this part simply as a reference and source of hints in case you get stuck at a particular challenge.

In case you want to look up hints for a particular challenge, the following tables list all challenges of the E. Corp Shop grouped by their difficulty and in the same order as they appear on the Score Board.

Trivial Challenges ( 🌟 )

| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Admin Section | Access the administration section of the store. | | |
| Confidential Document | Access a confidential document. | | |
| Error Handling | Provoke an error that is not very gracefully handled. | | |
| Redirects Tier 1 | Let us redirect you to a donation site that went out of business. | | |
| Score Board | Find the carefully hidden 'Score Board' page. | | |
| XSS Tier 1 | Perform a reflected XSS attack with `<script>alert("XSS")</script>`. | | |
| Zero Stars | Give a devastating zero-star feedback to the store. | | |

Easy Challenges ( 🌟🌟 )

| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Basket Access | Access someone else's basket. | | 🏆 |
| Christmas Special | Order the Christmas special offer of 2014. | | |
| Deprecated Interface | Use a deprecated B2B interface that was not properly shut down. | | |
| Five-Star Feedback | Get rid of all 5-star customer feedback. | | |
| Login Admin | Log in with the administrator's user account. | | |
| Login MC SafeSearch | Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass. | | |
| Password Strength | Log in with the administrator's user credentials without previously changing them or applying SQL Injection. | | |
| Weird Crypto | Inform the shop about an algorithm or library it should definitely not use the way it does. | | |

Medium Challenges ( 🌟🌟🌟 )

| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Blockchain Tier 1 | Learn about the Token Sale before its official announcement. | | |
| Forged Feedback | Post some feedback in another user's name. | | |
| Forgotten Sales Backup | Access a salesman's forgotten backup file. | | |
| Login Bender | Log in with Bender's user account. | | |
| Login Jim | Log in with Jim's user account. | | |
| Payback Time | Place an order that makes you rich. | | |
| Product Tampering | | | |
| Reset Jim's Password | Reset Jim's password via the Forgot Password mechanism with the truthful answer to his security question. | | |
| Upload Size | Upload a file larger than 100 kB. | | |
| Upload Type | Upload a file that has no .pdf extension. | | |
| XSS Tier 2 | Perform a persisted XSS attack with `<script>alert("XSS")</script>` bypassing a client-side security mechanism. | | |
| XSS Tier 3 | Perform a persisted XSS attack with `<script>alert("XSS")</script>` without using the frontend application at all. | | |
| XXE Tier 1 | Retrieve the content of `C:\Windows\system.ini` or `/etc/passwd` from the server. | | |

Hard Challenges ( 🌟🌟🌟🌟 )

| Challenge | Description | Hints | Solution |
|---|---|---|---|
| CSRF | Change Bender's password into `slurmCl4ssic` without using SQL Injection. | | |
| Easter Egg Tier 1 | Find the hidden easter egg. | | |
| Easter Egg Tier 2 | Apply some advanced cryptanalysis to find the real easter egg. | | |
| Eye Candy | Travel back in time to the golden era of web design. | | |
| Forgotten Developer Backup | Access a developer's forgotten backup file. | | |
| Login Bjoern | Log in with Bjoern's user account without previously changing his password, applying SQL Injection, or hacking his Google account. | | |
| Misplaced Signature File | Access a misplaced SIEM signature file. | | |
| NoSQL Injection Tier 1 | Let the server sleep for some time. (It has done more than enough hard work for you.) | | |
| NoSQL Injection Tier 2 | Update multiple product reviews at the same time. | | |
| Redirects Tier 2 | Wherever you go, there you are. | | |
| Reset Bender's Password | Reset Bender's password via the Forgot Password mechanism with the truthful answer to his security question. | | |
| Typosquatting Tier 1 | Inform the shop about a typosquatting trick it has become victim of. (Mention the exact name of the culprit.) | | |
| User Credentials | Retrieve a list of all user credentials via SQL Injection. | | |
| Vulnerable Library | Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment.) | | |
| XSS Tier 4 | Perform a persisted XSS attack with `<script>alert("XSS")</script>` bypassing a server-side security mechanism. | | |

Dreadful Challenges ( 🌟🌟🌟🌟🌟 )

| Challenge | Description | Hints | Solution |
|---|---|---|---|
| CAPTCHA Bypass | Submit 10 or more customer feedbacks within 10 seconds. | | |
| Extra Language | Retrieve the language file that never made it into production. | | |
| JWT Issues Tier 1 | Forge an essentially unsigned JWT token that impersonates the (non-existing) user `jwtn3d@juice-sh.op`. | | |
| Login CISO | Exploit OAuth 2.0 to log in with the Chief Information Security Officer's user account. | | |
| RCE Tier 1 | Perform a Remote Code Execution that would keep a less hardened application busy forever. | | |
| Reset Bjoern's Password | Reset Bjoern's password via the Forgot Password mechanism with the truthful answer to his security question. | | |
| Reset Morty's Password | Reset Morty's password via the Forgot Password mechanism with his obfuscated answer to his security question. | | |
| Retrieve Blueprint | Deprive the shop of earnings by downloading the blueprint for one of its products. | | |
| Typosquatting Tier 2 | Inform the shop about a more literal instance of typosquatting it fell for. (Mention the exact name of the culprit.) | | |
| XXE Tier 2 | Give the server something to chew on for quite a while. | | |

Diabolic Challenges ( 🌟🌟🌟🌟🌟🌟 )

| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Forged Coupon | Forge a coupon code that gives you a discount of at least 80%. | | |
| Imaginary Challenge | Solve challenge #99. Unfortunately, this challenge does not exist. | | |
| JWT Issues Tier 2 | Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user `rsa_lord@juice-sh.op`. | | |
| Login Support Team | Log in with the support team's original user credentials without applying SQL Injection or any other bypass. | | |
| Premium Paywall | Unlock Premium Challenge to access exclusive content. | | |
| RCE Tier 2 | Perform a Remote Code Execution that occupies the server for a while without using infinite loops. | | |