Skip to content

TryHackMe Writeups

Owaspjuiceshop

TryHackMe Writeups

Home
Crackthehash
Cyberadventtemplate
Template
25daysofchristmas
25daysofchristmas
- 25daysofchristmas
AIforcyber aoc2025 y9wWQ1zRgB
AIforcyber aoc2025 y9wWQ1zRgB
- AIforcyber aoc2025 y9wWQ1zRgB
HackfinityBattle
HackfinityBattle
- HackfinityBattle
ICS modbus aoc2025 g3m6n9b1v4
ICS modbus aoc2025 g3m6n9b1v4
- ICS modbus aoc2025 g3m6n9b1v4
Adenumeration
Adenumeration
- Adenumeration
Adv3nt0fdbopsjcap
Adv3nt0fdbopsjcap
- Adv3nt0fdbopsjcap
Adventofcyber2
Adventofcyber2
- Adventofcyber2
Adventofcyber2023
Adventofcyber2023
- Adventofcyber2023
Adventofcyber2024
Adventofcyber2024
- WIP adventofcyber2024
- Adventofcyber2024
Adventofcyber23sidequest
Adventofcyber23sidequest
- Adventofcyber23sidequest
Adventofcyber24sidequest
Adventofcyber24sidequest
- Adventofcyber24sidequest
Adventofcyber25
Adventofcyber25
- Adventofcyber25
Adventofcyber25sidequest
Adventofcyber25sidequest
- Adventofcyber25sidequest
Agentsudoctf
Agentsudoctf
- Agentsudoctf
Anonymous
Anonymous
- Anonymous
Attacks on ecrypted files aoc2025 asdfghj123
Attacks on ecrypted files aoc2025 asdfghj123
- Attacks on ecrypted files aoc2025 asdfghj123
Auditingandmonitoringse
Auditingandmonitoringse
- Auditingandmonitoringse
Authenticationbypass
Authenticationbypass
- Authenticationbypass
Azuresentinel aoc2025 a7d3h9k0p2
Azuresentinel aoc2025 a7d3h9k0p2
- Azuresentinel aoc2025 a7d3h9k0p2
Blaster
Blaster
- Blaster
Blue
Blue
- Blue
Bof1
Bof1
- Bof1
Breachingad
Breachingad
- Breachingad
Breakrsa
Breakrsa
- Breakrsa
Burpsuitebasics
Burpsuitebasics
- Burpsuitebasics
Burpsuiteintruder
Burpsuiteintruder
- Burpsuiteintruder
Burpsuiteom
Burpsuiteom
- Burpsuiteom
Burpsuiterepeater
Burpsuiterepeater
- Burpsuiterepeater
Cloudenum aoc2025 y4u7i0o3p6
Cloudenum aoc2025 y4u7i0o3p6
- Cloudenum aoc2025 y4u7i0o3p6
Codeanalysis
Codeanalysis
- Codeanalysis
Commonlinuxprivesc
Commonlinuxprivesc
- Commonlinuxprivesc
Container security aoc2025 z0x3v6n9m2
Container security aoc2025 z0x3v6n9m2
- Container security aoc2025 z0x3v6n9m2
Contentdiscovery
Contentdiscovery
- Contentdiscovery
Cowboyhacker
Cowboyhacker
- Cowboyhacker
Crackthehash
Crackthehash
- Crackthehash
Cryptographyintro
Cryptographyintro
- Cryptographyintro
Cybergovernanceregulation
Cybergovernanceregulation
- Cybergovernanceregulation
Dastzap
Dastzap
- Dastzap
Dataxexfilt
Dataxexfilt
- Dataxexfilt
Detecting c2 with rita aoc2025 m9n2b5v8c1
Detecting c2 with rita aoc2025 m9n2b5v8c1
- Detecting c2 with rita aoc2025 m9n2b5v8c1
Easyctf
Easyctf
- Easyctf
Encoding decoding aoc2025 s1a4z7x0c3
Encoding decoding aoc2025 s1a4z7x0c3
- Encoding decoding aoc2025 s1a4z7x0c3
Encryptioncrypto101
Encryptioncrypto101
- Encryptioncrypto101
Enumerationpe
Enumerationpe
- Enumerationpe
Exploitingad
Exploitingad
- Exploitingad
Fileinc
Fileinc
- Fileinc
First shift ctf
First shift ctf
- First shift ctf
Htapowershell aoc2025 p2l5k8j1h4
Htapowershell aoc2025 p2l5k8j1h4
- Htapowershell aoc2025 p2l5k8j1h4
Hydra
Hydra
- Hydra
Ice
Ice
- Ice
idor aoc2025 zl6MywQid9
idor aoc2025 zl6MywQid9
- idor aoc2025 zl6MywQid9
Intronetworksecurity
Intronetworksecurity
- Intronetworksecurity
Johntheripper0
Johntheripper0
- Johntheripper0
Kenobi
Kenobi
- Kenobi
Lateralmovementandpivoting
Lateralmovementandpivoting
- Lateralmovementandpivoting
Linprivesc
Linprivesc
- Linprivesc
Linuxcli aoc2025 o1fpqkvxti
Linuxcli aoc2025 o1fpqkvxti
- Linuxcli aoc2025 o1fpqkvxti
Linuxfundamentalspart1
Linuxfundamentalspart1
- Linuxfundamentalspart1
Linuxfundamentalspart2
Linuxfundamentalspart2
- Linuxfundamentalspart2
Linuxfundamentalspart3
Linuxfundamentalspart3
- Linuxfundamentalspart3
Linuxprivesc
Linuxprivesc
- Linuxprivesc
Linuxsystemhardening
Linuxsystemhardening
- Linuxsystemhardening
Malmalintroductory
Malmalintroductory
- Malmalintroductory
malware sandbox aoc2025 SD1zn4fZQt
malware sandbox aoc2025 SD1zn4fZQt
- malware sandbox aoc2025 SD1zn4fZQt
Metasploitexploitation
Metasploitexploitation
- Metasploitexploitation
Meterpreter
Meterpreter
- Meterpreter
Netsecchallenge
Netsecchallenge
- Netsecchallenge
Networkservices aoc2025 jnsoqbxgky
Networkservices aoc2025 jnsoqbxgky
- Networkservices aoc2025 jnsoqbxgky
Obfuscation aoc2025 e5r8t2y6u9
Obfuscation aoc2025 e5r8t2y6u9
- Obfuscation aoc2025 e5r8t2y6u9
Ohsint
Ohsint
- Ohsint
Operatingsystemsecurity
Operatingsystemsecurity
- Operatingsystemsecurity
Owaspjuiceshop
Owaspjuiceshop
- Owaspjuiceshop Owaspjuiceshop
  Table of contents
  - Table of contents
    
    Let's go on an adventure!
    
    Inject the juice
    
    Who broke my lock?!
    
    AH! Don't look!
    
    Who's flying this thing?
    
    Where did that come from?
    
    Exploration!
Owasptop102021
Owasptop102021
- Owasptop102021
Passwordattacks
Passwordattacks
- Passwordattacks
Persistingad
Persistingad
- Persistingad
phishing aoc2025 h2tkye9fzU
phishing aoc2025 h2tkye9fzU
- phishing aoc2025 h2tkye9fzU
Picklerick
Picklerick
- Picklerick
Postexploit
Postexploit
- Postexploit
Powershell
Powershell
- Powershell
Printerhacking101
Printerhacking101
- Printerhacking101
promptinjection aoc2025 sxUMnCkvLO
promptinjection aoc2025 sxUMnCkvLO
- promptinjection aoc2025 sxUMnCkvLO
Race conditions aoc2025 d7f0g3h6j9
Race conditions aoc2025 d7f0g3h6j9
- Race conditions aoc2025 d7f0g3h6j9
Redteamrecon
Redteamrecon
- Redteamrecon
Registry forensics aoc2025 h6k9j2l5p8
Registry forensics aoc2025 h6k9j2l5p8
- Registry forensics aoc2025 h6k9j2l5p8
Rpnessusredux
Rpnessusredux
- Rpnessusredux
Rrootme
Rrootme
- Rrootme
Sast
Sast
- Sast
Seriskmanagement
Seriskmanagement
- Seriskmanagement
Shodan
Shodan
- Shodan
Splunkforloganalysis aoc2025 x8fj2k4rqp
Splunkforloganalysis aoc2025 x8fj2k4rqp
- Splunkforloganalysis aoc2025 x8fj2k4rqp
Spottingphishing aoc2025 r2g4f6s8l0
Spottingphishing aoc2025 r2g4f6s8l0
- Spottingphishing aoc2025 r2g4f6s8l0
Sql injection
Sql injection
- Sql injection
Steelmountain
Steelmountain
- Steelmountain
Thelayoftheland
Thelayoftheland
- Thelayoftheland
Threatmodelling
Threatmodelling
- Threatmodelling
Traverse
Traverse
- Traverse
Uploadvulns
Uploadvulns
- Uploadvulns
Vulnerabilitycapstone
Vulnerabilitycapstone
- Vulnerabilitycapstone
Vulnerabilitymanagementkj
Vulnerabilitymanagementkj
- Vulnerabilitymanagementkj
Vulnversity
Vulnversity
- Vulnversity
Walkinganapplication
Walkinganapplication
- Walkinganapplication
Weaponization
Weaponization
- Weaponization
Webattackforensics aoc2025 b4t7c1d5f8
Webattackforensics aoc2025 b4t7c1d5f8
- Webattackforensics aoc2025 b4t7c1d5f8
Webhackingusingcurl aoc2025 w8q1a4s7d0
Webhackingusingcurl aoc2025 w8q1a4s7d0
- Webhackingusingcurl aoc2025 w8q1a4s7d0
Winadbasics
Winadbasics
- Winadbasics
Windows10privesc
Windows10privesc
- Windows10privesc
Windowsfundamentals1
Windowsfundamentals1
- Windowsfundamentals
Windowsfundamentals2
Windowsfundamentals2
- Windowsfundamentals2
Windowsfundamentals3
Windowsfundamentals3
- Windowsfundamentals3
Windowslocalpersistence
Windowslocalpersistence
- Windowslocalpersistence
Windowsprivesc20
Windowsprivesc20
- Windowsprivesc20
Wiresharkpacketoperations
Wiresharkpacketoperations
- Wiresharkpacketoperations
Wiresharkthebasics
Wiresharkthebasics
- Wiresharkthebasics
Wonderland
Wonderland
- Wonderland
Xss aoc2025 c5j8b1m4t6
Xss aoc2025 c5j8b1m4t6
- Xss aoc2025 c5j8b1m4t6
Yara aoc2025 q9w1e3y5u7
Yara aoc2025 q9w1e3y5u7
- Yara aoc2025 q9w1e3y5u7

OWASP Juice Shop Banner

OWASP Juice Shop Logo

OWASP Juice Shop

This guide contains the answer and steps necessary to get to them for the OWASP Juice Shop room.

Table of contents

Let's go on an adventure!
Inject the juice
Who broke my lock?!
AH! Don't look!
Who's flying this thing?
Where did that come from?
Exploration!

Let's go on an adventure!

Question #1: What's the Administrator's email address?

Clicking one of the products gives us the admin's email address in the review.

Adventure Email

Click for answer
admin@juice-sh.op

Question #2: What parameter is used for searching?

After searching, we can see the parameter in the address bar.

Adventure Search

Click for answer
q

Question #3: What show does Jim reference in his review?

This answer can even be found in the text.

Click for answer
Star Trek

Inject the juice

Question #1: Log into the administrator account!

We can use Burpsuite to intercept and modify the request or we can input in directly into the username field.

Injection Login

Injection Admin

Click for answer
32a5e0f21372bcc1000a6088b93b458e41f0e02a

Question #2: Log into the Bender account!

Now we do the same, but we add the user's email and add '-- to the end.

Injection Login Bender

Injection Bender

Click for answer
fb364762a3c102b2db932069c0e6b78e738d4066

Who broke my lock?!

Question #1: Bruteforce the Administrator account's password!

First lets intercept a login request using the admin's password. And send it to Intruder in Burpsuite.

Lock Request

Now we add a position for the password field. We don't have to do this for the username as we will be using the same for each try.

Lock Positions

Next we add items to try from a wordlist from Seclists (best1050).

Lock Payloads

Now we start the attack and wait for a response status of 200, this should be our password.

Lock Password

Finally, we can log in with the password we found.

Lock Admin

Click for answer
c2110d06dc6f81c67cd8099ff0ba601241f1ac0e

Question #2: Reset Jim's password!

For this we can simply answer the security question with the answer from the text.

Lock Reset

Lock Jim

Click for answer
094fbc9b48e525150ba97d05b942bbf114987257

AH! Don't look!

Question #1: Access the Confidential Document!

Looking at the url for the legal document, we can access the ftp server directly.

Look Ftp

From here we get a flag for accessing secret documents.

Look Flag

Click for answer
edf9281222395a1c5fee9b89e32175f1ccf50c5b

Question #2: Log into MC SafeSearch's account!

After watching the clip (or using the text) we can log into Mc Safe Search's account.

Look Mcsafe Login

Click for answer
66bdcffad9e698fd534003fbb3cc7e2b7b55d7f0

Question #3: Download the Backup file!

Using the Poison Null Byte as suggested, we can bypass the file extension restriction and download the backup file.

10.10.204.165/ftp/package.json.bak%2500.md

Look Backup

Click for answer
bfc1e6b4a16579e85e06fee4c36ff8c02fb13795

Who's flying this thing?

Question #1: Access the administration page!

Looking at the javascript in the debugger we see this mention of an administration panel.

Flying Admin

Logging into the admin account with our previously found credentials and navigating to #/administration gives us access to the admin panel.

Flying Admin Panel

Click for answer
946a799363226a24822008503f5d1324536629a0

Question #2: View another user's shopping basket!

First we capture the request and change the basket number to something else.

Flying Request

This lets us view another user's basket.

Flying Basket

Click for answer
41b997a36cc33fbe4f0ba018474e19ae5ce52121

Question #3: Remove all 5-star reviews!

Under the feedback column, we can delete a five-start review.

Flying Remove

Flying Flag

Click for answer
50c97bcce0b895e446d61c83a21df371ac2266ef

Where did that come from?

Question #1: Perform a DOM XSS!

For our first XSS attack we use the following code in the search bar.

<iframe src="javascript:alert(`xss`)">

Where DOM

Click for answer
9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf

Question #2: Perform a persistent XSS!

For this XSS attack we enable intercept in Burpsuite and log out of our account. In this request we head the following header.

True-Client-IP: <iframe src="javascript:alert(`xss`)">

Where Header

Now we can log back in again and go to the last login ip page.

Where IP

Click for answer
149aa8ce13d7a4a8a931472308e269c94dc5f156

Question #3: Perform a reflected XSS!

For this final XSS attack we navigate to the order history page and click on the track button.

Where Order

Now we can cange the id parameter in the URL with:

 ```cmd
<iframe src="javascript:alert(`xss`)">

Where Flag

Click for answer
23cefee1527bde039295b2616eeb29e1edc660a0

Exploration!

Access the /#/score-board/ page

This can si,ply be found by navigating to the /#/score-board/ page.

Click for answer
7efd3174f9dd5baa03a7882027f2824d2f72d86e