Information
Room#
- Name: OWASP Top 10
- Profile: tryhackme.com
- Difficulty: Easy
- Description: Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.
Write-up
Overview#
Install the tools used in this write-up on BlackArch Linux:

```shell
$ sudo pacman -S exploitdb dbeaver python
```
[Day 1] Command Injection Practical#
#1#
What strange text file is in the website root directory?
Answer: drpepper.txt
Issue the `ls` command through the command-injection page to list the files in the web root:

```text
css drpepper.txt evilshell.php index.php js
```
#2#
How many non-root/non-service/non-daemon users are there?
Answer: 0
Issue the `cat /etc/passwd` command. Regular (human) accounts on a Debian-family system get a UID of 1000 or higher; every entry in this file is root, a service or a daemon account, for example:

```text
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
```
#3#
What user is this app running as?
Answer: www-data
Issue the `id` command.

```text
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
#4#
What is the user's shell set as?
Answer: /usr/sbin/nologin

`echo $SHELL` returns nothing: the command runs under the web server process, not a login shell, so `SHELL` is not set in its environment. Read the seventh field of the `www-data` entry in `/etc/passwd` instead, with `grep '^www-data:' /etc/passwd | cut -d ':' -f 7`:

```text
/usr/sbin/nologin
```
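Questions #2 and #4 both come down to parsing `/etc/passwd` by hand. The following is an added example, not code from the original write-up: a small passwd(5) parser that counts non-root, non-service accounts the way #2 asks and reads the login shell the way #4 asks. The sample file is constructed for the example; only the `daemon` and `www-data` lines are taken from the output above, and the UID 1000 boundary is the Debian/Ubuntu default for regular users.

```python
# Added example (not from the original write-up). The passwd content below is
# constructed; only the daemon and www-data lines appear in the write-up.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Same file with one interactive account added, to show a positive hit.
SAMPLE_WITH_USER = SAMPLE_PASSWD + "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"

# Shells that deny interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield one dict per well-formed passwd(5) line: name, uid, gid, home, shell."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than guess
        yield {
            "name": fields[0],
            "uid": int(fields[2]),
            "gid": int(fields[3]),
            "home": fields[5],
            "shell": fields[6],
        }


def human_users(text):
    """Accounts that are neither root nor service/daemon accounts.

    Debian-family systems allocate regular users UIDs from 1000 upwards and
    reserve 65534 for nobody; an account that cannot log in is not counted.
    """
    return [
        e["name"]
        for e in parse_passwd(text)
        if 1000 <= e["uid"] < 65534 and e["shell"] not in NOLOGIN_SHELLS
    ]


def login_shell(text, name):
    """The seventh field for `name`, or None if the account does not exist."""
    for e in parse_passwd(text):
        if e["name"] == name:
            return e["shell"]
    return None


if __name__ == "__main__":
    print(len(human_users(SAMPLE_PASSWD)))         # 0, as in question #2
    print(login_shell(SAMPLE_PASSWD, "www-data"))  # /usr/sbin/nologin, as in #4
    print(human_users(SAMPLE_WITH_USER))           # ['alice']
```

On a real target, feed it the output of `cat /etc/passwd` from the injection page; the UID test is what distinguishes a real user from the many `nologin` service accounts that pad the file.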
#5#
What version of Ubuntu is running?
Answer: 18.04.4
Run `cat /etc/os-release`.

```text
VERSION="18.04.4 LTS (Bionic Beaver)"
```
#6#
Print out the MOTD. What favorite beverage is shown?
Answer: DR PEPPER
List the scripts that generate the MOTD and print each of them; one of them outputs the beverage.

```shell
$ ls -1 /etc/update-motd.d/
```
[Day 2] Broken Authentication Practical#
#1#
What is the flag that you found in darren's account?
Register as darren and log in.

Answer: fe86079416a21a3c99937fea8874b667
#3#
What is the flag that you found in arthur's account?
Register as arthur and log in.

Answer: d9ac0f7db4fda460ac3edeb75d75e16e
[Day 3] Sensitive Data Exposure (Challenge)#
#1#
Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
What is the name of the mentioned directory?
Answer: /assets
#2#
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Answer: webapp.db
#3#
Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Answer: 6eea9b7ef19179a06954edd0f6c05ceb

Open `webapp.db` with DBeaver and read the stored user records.
#4#
Crack the hash. What is the admin's plaintext password?

Answer: qwertyuiop

The hash is an unsalted MD5 of a common password, so a lookup on CrackStation cracks it instantly.
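The two steps above (open the SQLite file, crack the MD5) can be done offline with the standard library. This is an added example, not code from the original write-up: the `users` table layout and the wordlist are constructed for the example, and only the admin hash and its plaintext come from the questions above. `build_sample_db()` stands in for opening `webapp.db` with `sqlite3.connect("webapp.db")`.

```python
# Added example (not from the original write-up). Table layout and wordlist
# are constructed; the admin hash is the one found in the challenge.
import hashlib
import sqlite3

ADMIN_HASH = "6eea9b7ef19179a06954edd0f6c05ceb"

# Constructed mini wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["password", "123456", "qwerty", "qwertyuiop", "letmein"]


def build_sample_db():
    """Constructed stand-in for webapp.db: an in-memory DB with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("1", "admin", ADMIN_HASH, 1),
            ("2", "bob", hashlib.md5(b"letmein").hexdigest(), 0),
        ],
    )
    return conn


def dump_users(conn):
    """(username, password hash, admin flag) for every row, as a DB browser would show it."""
    return conn.execute(
        "SELECT username, password, admin FROM users ORDER BY userID"
    ).fetchall()


def crack_md5(target_hex, wordlist):
    """Try each candidate as an unsalted MD5 preimage; None if nothing matches."""
    target_hex = target_hex.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


def admin_password(conn, wordlist):
    """Pull the admin hash out of the DB and crack it; None if it is not in the wordlist."""
    row = conn.execute("SELECT password FROM users WHERE admin = 1").fetchone()
    return crack_md5(row[0], wordlist) if row else None


if __name__ == "__main__":
    db = build_sample_db()
    for user, pw_hash, is_admin in dump_users(db):
        print(user, pw_hash, "admin" if is_admin else "")
    print(admin_password(db, WORDLIST))  # qwertyuiop
```

The point of the exercise is not the cracking but that an unsalted fast hash stored in a world-readable `.db` under the web root is as good as plaintext; the fix is a slow, salted password hash (bcrypt, scrypt or Argon2) and keeping the database out of the served directory tree.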
#5#
Login as the admin. What is the flag?
Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
[Day 4] XML External Entity - eXtensible Markup Language#
#1#
What is the full form of XML?

Answer: eXtensible Markup Language
#2#
Is it compulsory to have an XML prolog in XML documents?
Answer: no
#3#
Can we validate XML documents against a schema?
Answer: yes
#4#
How can we specify the XML version and encoding in an XML document?
Answer: XML Prolog
[Day 4] XML External Entity - DTD#
#1#
How do you define a new ELEMENT?
Answer: !ELEMENT
#2#
How do you define a ROOT element?
Answer: !DOCTYPE
#3#
How do you define a new ENTITY?
Answer: !ENTITY
[Day 4] XML External Entity - Exploiting#
#3#
What is the name of the user in /etc/passwd?
Answer: falcon
#4#
Where is falcon's SSH key located?
Answer: /home/falcon/.ssh/id_rsa
#5#
What are the first 18 characters of falcon's private key?

Answer: MIIEogIBAAKCAQEA7b
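The DTD section above lists the three declarations (`!DOCTYPE`, `!ELEMENT`, `!ENTITY`) and the exploiting section uses an entity to read `/etc/passwd` and falcon's key. The following is an added example, not code from the original write-up or the room, that puts the pieces together: one document with a prolog, a DOCTYPE, ELEMENT declarations and an internal ENTITY that the parser substitutes, next to the generic external-entity (XXE) shape that points the same mechanism at a file, and a pre-parse check that refuses such documents. Both documents are constructed for this example; `falcon` and `/etc/passwd` are the only values taken from the write-up, and the XXE payload is the generic file-read form, not the room's exact request.

```python
# Added example (not from the original write-up). Both documents are
# constructed; "falcon" and /etc/passwd are the only values from the room.
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Prolog, root element named by !DOCTYPE, !ELEMENT declarations, and an
# internal !ENTITY that the parser expands wherever &signature; appears.
SAFE_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note [
  <!ELEMENT note (to, from, body)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
  <!ENTITY signature "falcon">
]>
<note><to>admin</to><from>&signature;</from><body>hello</body></note>"""

# The same mechanism pointed at a file: an external (SYSTEM) entity. A parser
# that resolves it hands the file contents back inside <root>.
XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM "file:///etc/passwd">]>
<root>&read;</root>"""


def external_entities(xml_text):
    """Every (name, system_id) declared with SYSTEM or PUBLIC in the document's DTD.

    expat reports entity declarations while it reads the DTD, before any
    entity is resolved, so this works as a pre-parse check on untrusted input.
    """
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        pass  # declarations were collected already; a later error is irrelevant here
    return found


def parse_note(xml_text):
    """Refuse documents that declare external entities, then parse the rest."""
    if external_entities(xml_text):
        raise ValueError("external entities are not allowed")
    root = ET.fromstring(xml_text)
    return {child.tag: child.text for child in root}


def is_rejected(xml_text):
    try:
        parse_note(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_note(SAFE_DOC))        # {'to': 'admin', 'from': 'falcon', 'body': 'hello'}
    print(external_entities(XXE_DOC))  # [('read', 'file:///etc/passwd')]
    print(is_rejected(XXE_DOC))        # True
```

The internal entity in `SAFE_DOC` and the external one in `XXE_DOC` are the same language feature; what makes the second an attack is only that the server-side parser resolves `SYSTEM` identifiers and echoes the result. Disabling external entity and DTD processing in whatever parser the application uses is the fix; the check here is the belt-and-braces version you can put in front of a parser whose settings you do not control.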
[Day 5] Broken Access Control (IDOR Challenge)#
#3#
Look at other users' notes. What is the flag?

The note id is taken straight from the URL; change the `note` parameter to another user's id: `http://10.10.125.211/note.php?note=0`

Answer: flag{fivefourthree}
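The lookup behind a URL like `note.php?note=0`, as an added example that is not code from the original write-up or the room: the direct object reference as the vulnerable page does it, beside the same lookup with the ownership check it is missing, and a small enumeration loop showing what an attacker walking sequential ids gets back from each. The note store and user names are constructed for this example; only the flag value comes from the write-up.

```python
# Added example (not from the original write-up). The note store is
# constructed; only the flag string is taken from the challenge.
NOTES = {
    0: {"owner": "admin", "body": "flag{fivefourthree}"},
    1: {"owner": "noraj", "body": "my shopping list"},
}


def get_note_insecure(note_id, notes=NOTES):
    """Vulnerable: any logged-in user can read any note by changing the id."""
    return notes[note_id]["body"] if note_id in notes else None


def get_note(current_user, note_id, notes=NOTES):
    """Hardened: look the object up, then check it belongs to the session user.

    Returning the same None for 'not found' and 'not yours' avoids confirming
    which ids exist, which is what an IDOR enumeration relies on.
    """
    note = notes.get(note_id)
    if note is None or note["owner"] != current_user:
        return None
    return note["body"]


def enumerate_readable(id_range, lookup):
    """Walk sequential ids the way an attacker would and keep what comes back."""
    found = {}
    for note_id in id_range:
        body = lookup(note_id)
        if body is not None:
            found[note_id] = body
    return found


if __name__ == "__main__":
    # The tester (logged in as noraj) tries ids 0..4 against both implementations.
    print(enumerate_readable(range(5), get_note_insecure))
    print(enumerate_readable(range(5), lambda i: get_note("noraj", i)))
```

Sequential integer ids are not the bug (random ids only make enumeration slower); the missing authorisation check on every object access is.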
[Day 6] Security Misconfiguration#
#2#
Hack into the webapp, and find the flag! The application is https://github.com/NinjaJc01/PensiveNotes.

Answer: thm{4b9513968fd564a87b28aa1f9d672e17}
[Day 7] Cross-site Scripting#
#2#
Go to http://10.10.93.135/reflected and craft a reflected XSS payload that will cause a popup saying "Hello".

```html
<script>alert("Hello")</script>
```

Answer: ThereIsMoreToXSSThanYouThink
#3#
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.

```html
<script>alert(window.location.hostname)</script>
```

Answer: ReflectiveXss4TheWin
#4#
Now navigate to http://10.10.93.135/stored and make an account. Then add a comment and see if you can insert some of your own HTML.

```html
<b>noraj is bold</b>
```

Answer: HTML_T4gs
#5#
On the same page, make an alert popup box appear on the page with your document cookies. The property is `document.cookie` (singular); `document.cookies` is undefined and the popup would just say "undefined".

```html
<script>alert(document.cookie)</script>
```

Answer: W3LL_D0N3_LVL2s
#6#
Change "XSS Playground" to "I am a hacker" by adding a comment and using JavaScript.

```html
<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>
```

Answer: websites_can_be_easily_defaced_with_xss
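All four stored-XSS payloads above work for the same reason: the comment text is written into the page as HTML. The following is an added example, not code from the original write-up or the room, showing a minimal server-side comment renderer twice, once concatenating the comment into the page as the vulnerable app does, and once passing it through `html.escape`, with the write-up's own payloads as input. The page skeleton and the counting helper are constructed for this example.

```python
# Added example (not from the original write-up). The page template is
# constructed; the payloads are the ones used against the stored page above.
import html

PAGE = '<h1 id="thm-title">XSS Playground</h1>\n<div class="comments">{comments}</div>'

PAYLOADS = [
    '<b>noraj is bold</b>',
    '<script>alert("Hello")</script>',
    '<script>alert(document.cookie)</script>',
    '<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>',
]


def render_insecure(comments):
    """Vulnerable: user text is concatenated straight into the HTML body."""
    body = "".join(f"<p>{c}</p>" for c in comments)
    return PAGE.format(comments=body)


def render_escaped(comments):
    """Hardened for this context: each comment is HTML-escaped, so the browser
    shows the characters instead of interpreting tags and scripts."""
    body = "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in comments)
    return PAGE.format(comments=body)


def live_script_tags(page_html):
    """Crude comparison helper for the two renderers: count real <script> openings."""
    return page_html.lower().count("<script")


if __name__ == "__main__":
    print(live_script_tags(render_insecure(PAYLOADS)))  # 3
    print(live_script_tags(render_escaped(PAYLOADS)))   # 0
    print(render_escaped(PAYLOADS[0]))
```

Escaping is context-specific: `html.escape` is right for text between tags (this page), but a value inserted into an attribute, a URL or a script block needs that context's encoding, and a template engine with auto-escaping does this for you. The `document.cookie` payload is additionally blunted by marking the session cookie `HttpOnly`, which keeps it out of reach of script entirely.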
[Day 8] Insecure Deserialization#
#1#
Who developed the Tomcat application?

Answer: The Apache Software Foundation
#2#
What type of attack that crashes services can be performed with insecure deserialization?

Answer: denial of service
[Day 8] Insecure Deserialization - Objects#
#1#
Select the correct term of the following statement:

Answer: A Behaviour
[Day 8] Insecure Deserialization - Deserialization#
#1#
What is the name of the base-2 formatting that data is sent across a network as?

Answer: binary
[Day 8] Insecure Deserialization - Cookies#
#1#
If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?

Answer: webapp.com/login
#2#
What is the acronym for the web technology that Secure cookies work over?

Answer: HTTPS
[Day 8] Insecure Deserialization - Cookies Practical#
#1#
1st flag (cookie value)

Answer: THM{good_old_base64_huh}

The cookie is a base64-encoded Python pickle; decoding it exposes the session data with the flag in clear:

```shell
$ printf %s 'gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==' | base64 -d
```
#2#
2nd flag (admin dashboard)

Answer: THM{heres_the_admin_flag}
[Day 8] Insecure Deserialization - Remote Code Execution#
#1#
flag.txt

Answer: 4a69a7ff9fd68
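The cookie from the cookies practical and the remote code execution section are two views of the same flaw: the application unpickles whatever the client sends. The following is an added example, not code from the original write-up or the room. It decodes that exact cookie without ever handing it to a plain `pickle.loads` (first disassembling the stream with `pickletools` to look for code-executing opcodes, then loading it with an unpickler that refuses every import), shows that a reduce-style payload of the kind an RCE relies on is caught by that check, and ends with the signed-JSON cookie a Python app should use instead. The RCE-style payload here only calls `print`, and the HMAC key is a constructed placeholder.

```python
# Added example (not from the original write-up). COOKIE is the value from the
# cookies practical; SECRET and the Evil class are constructed for the example.
import base64
import hashlib
import hmac
import io
import json
import pickle
import pickletools

COOKIE = (
    "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5"
    "MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg=="
)

# Opcodes that make the unpickler import or call something; a pickle RCE
# payload is built from these (typically REDUCE applied to os.system or similar).
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def dangerous_opcodes(data):
    """Names of code-executing opcodes in a pickle stream, found without running it."""
    return [op.name for op, arg, pos in pickletools.genops(data) if op.name in CODE_OPCODES]


def cookie_dangerous_opcodes(cookie_b64):
    return dangerous_opcodes(base64.b64decode(cookie_b64))


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain data (dict, list, str, int...) loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def decode_cookie(cookie_b64):
    """base64 -> pickle -> dict, refusing anything that would execute code."""
    data = base64.b64decode(cookie_b64)
    bad = dangerous_opcodes(data)
    if bad:
        raise ValueError(f"cookie contains code-executing opcodes: {bad}")
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def is_blocked(cookie_b64):
    try:
        decode_cookie(cookie_b64)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


class Evil:
    """Constructed stand-in for an RCE payload: __reduce__ tells pickle to call
    a function on load. Here it is print; an attacker would use os.system."""

    def __reduce__(self):
        return (print, ("this would run inside the server process",))


def rce_style_cookie():
    return base64.b64encode(pickle.dumps(Evil())).decode()


# What to use instead: plain JSON plus an HMAC tag that is verified before use.
SECRET = b"constructed-example-key"  # placeholder; a real app loads this from config


def sign_cookie(session, key=SECRET):
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie, key=SECRET):
    """The session dict, or None if the tag does not match (tampered or forged)."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


if __name__ == "__main__":
    session = decode_cookie(COOKIE)
    print(session["encodedflag"])                 # THM{good_old_base64_huh}
    print(cookie_dangerous_opcodes(rce_style_cookie()))
    signed = sign_cookie(session)
    print(verify_cookie(signed) == session, verify_cookie(signed + "x"))  # True None
```

The opcode scan and the import-refusing unpickler are for inspecting cookies you did not create; in an application you control the answer is not a safer unpickler but not unpickling client data at all, which is what the signed JSON at the end does.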
[Day 9] Components With Known Vulnerabilities - Lab#
How many characters are in /etc/passwd (use `wc -c /etc/passwd` to get the answer)?

Answer: 1611

Find the public exploit for the bookstore application with searchsploit:

```shell
$ searchsploit CSE bookstore
```
[Day 10] Insufficient Logging and Monitoring#
What IP address is the attacker using?

Answer: 49.99.13.16

What kind of attack is being carried out?

Answer: brute force
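Both answers above come from reading a login log and noticing one IP failing repeatedly against one account and then succeeding. The following is an added example, not code from the original write-up or the room, that makes that check mechanical: it parses lines of a simple `status reason ip user path timestamp` layout, counts failed logins per source, and raises an alert for any source with a burst of failures inside a time window, noting whether a success followed. The log lines and their layout are constructed for this example; only the attacker IP 49.99.13.16 comes from the write-up.

```python
# Added example (not from the original write-up). The log lines and their
# layout are constructed; 49.99.13.16 is the attacker IP from the challenge.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
401 Unauthorised 12.55.22.88 jr22 /login 20/Mar/2020:13:59:50
200 OK 12.55.22.88 jr22 /login 20/Mar/2020:14:00:00
200 OK 12.55.22.88 jr22 /notes 20/Mar/2020:14:00:11
401 Unauthorised 49.99.13.16 admin /login 20/Mar/2020:14:01:00
401 Unauthorised 49.99.13.16 admin /login 20/Mar/2020:14:01:01
401 Unauthorised 49.99.13.16 admin /login 20/Mar/2020:14:01:02
401 Unauthorised 49.99.13.16 admin /login 20/Mar/2020:14:01:03
401 Unauthorised 49.99.13.16 admin /login 20/Mar/2020:14:01:04
200 OK 49.99.13.16 admin /login 20/Mar/2020:14:01:05
"""

THRESHOLD = 4                 # failures that count as a burst
WINDOW = timedelta(minutes=5)  # within this much time


def parse_line(line):
    status, reason, ip, user, path, ts = line.split()
    return {
        "status": int(status),
        "ip": ip,
        "user": user,
        "path": path,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_logins_by_ip(events):
    """Plain count of 401s on /login per source address."""
    return dict(Counter(e["ip"] for e in events if e["path"] == "/login" and e["status"] == 401))


def brute_force_sources(events, threshold=THRESHOLD, window=WINDOW):
    """Sources with `threshold` failed logins inside `window`.

    A single failed login is normal; a tight burst against one account is not.
    The alert records whether a successful login from the same source followed
    the burst, which is the case that needs an immediate response.
    """
    per_ip = defaultdict(list)
    for e in events:
        if e["path"] == "/login":
            per_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["status"] == 401]
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and fails[j]["time"] - fails[i]["time"] <= window:
                burst_end = fails[j]["time"]
                succeeded = any(e["status"] == 200 and e["time"] >= burst_end for e in evs)
                alerts[ip] = {
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                    "succeeded_after": succeeded,
                }
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(failed_logins_by_ip(events))   # {'12.55.22.88': 1, '49.99.13.16': 5}
    print(brute_force_sources(events))   # only 49.99.13.16, succeeded_after=True
```

The same detection needs the log to exist in the first place, which is the point of this day's topic: without timestamps, source addresses and the outcome of each login attempt recorded somewhere the attacker cannot edit, there is nothing to run this over.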