OWASP top10
This blog contains my walkthrough of the OWASP Top 10 room on TryHackMe, written while trying to learn more about cyber security. Check out the original room as well here.
Injection
Task 5: Command Injection Practical
What strange text file is in the website root directory?
Simply enter
ls
The console will display multiple file names, out of which the most probable answer is drpepper.txt
How many non-root/non-service/non-daemon users are there?
Enter
cat /etc/passwd
This will list a bunch of users and other information. I will go over it one by one.
Firstly, the command lists the user accounts stored locally on the system. Each line of the output has the structure
user_name:encrypted_password:user_ID:user_group_ID:full_name:user_home_directory:user_bash_shell
Now, on Ubuntu a normal (non-system) user has a UID $\geq$ 1000, so every account with a lower UID is a system user. As we can see, all the IDs listed are below 1000, hence we get the answer as 0
Read more about this here.
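To make the UID rule above concrete, here is an added example (not part of the original walkthrough) that parses /etc/passwd lines, counts the regular accounts by UID range and looks up a given user's shell. The sample lines are constructed for this example, not copied from the room's machine.

```python
# Added example (not part of the original walkthrough): parse /etc/passwd
# lines and count the regular (non-system) accounts. The sample lines below
# are constructed for this example.

from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str   # the "full name" field
    home: str
    shell: str


def parse_passwd(text):
    """Split each non-empty line into its seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


# Debian/Ubuntu allocate UIDs 1000-59999 to regular users (see
# /etc/adduser.conf); 0-999 are system accounts and 65534 is "nobody".
UID_MIN, UID_MAX = 1000, 59999


def regular_users(entries):
    return [e for e in entries if UID_MIN <= e.uid <= UID_MAX]


def shell_of(entries, name):
    """Return the login shell of the named account, or None if absent."""
    for e in entries:
        if e.name == name:
            return e.shell
    return None


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("regular users:", [e.name for e in regular_users(entries)])
    print("www-data shell:", shell_of(entries, "www-data"))
```

Note that `nobody` has UID 65534, above 1000, which is why the check uses an upper bound as well rather than a plain "greater than or equal to 1000" test.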
What user is the app running as?
Enter
whoami
As can be seen, the answer is www-data
What is the user’s shell set as?
Again, enter
cat /etc/passwd
Now, look at the user_bash_shell field of www-data, and we see that the answer is /usr/sbin/nologin
What version of Ubuntu is running?
Enter
hostnamectl
It will display a bunch of information about the OS the server is running on. Answer is 18.04.4
Print out the MOTD. What favorite beverage is shown?
The way I figured out the answer was simply by thinking that the name of the strange text file was drpepper.txt. The name fit the answer so well :p
For a proper answer which I then googled for:
Enter
ls /etc/update-motd.d/
cat /etc/update-motd.d/00-header
The last line of the output talks about Dr Pepper, hence that is the answer.
Broken Authentication
Task 7: Broken Authentication Practical
What is the flag you find in darren’s account?
Do as is mentioned, and once you log in you will see the flag fe86079416a21a3c99937fea8874b667
Now try to do the same trick and see if you can login as arthur
Yes, you can
What is the flag that you found in arthur’s account?
d9ac0f7db4fda460ac3edeb75d75e16e
Sensitive Data Exposure
Task 11: Sensitive Data Exposure (Challenge)
What is the name of the mentioned directory
Since I thought they had mentioned the directory in the source code, I checked it but did not find anything on the main page. Then, on going to the log-in page, I found /assets
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Go to http://MACHINE_IP/assets/. Here, we can see all the files and directories, from which the answer is webapp.db
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Download webapp.db. Then use the command
sqlite3 webapp.db
Once that is done, use the following commands
> .tables
> pragma table_info(users);
> select * from users;
The answer is 6eea9b7ef19179a06954edd0f6c05ceb
Crack the hash.
Go to crackstation as mentioned in the material and crack the password. The answer is qwertyuiop
Log in as the admin, what is the flag?
Use the credentials you have, the answer is THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
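The three sqlite3 shell commands above, the hash lookup and the reason it succeeds can all be shown in one place. The following is an added example (not code from the original room): it rebuilds a small users table in memory (the admin row reuses the hash quoted in the walkthrough; the other row and the wordlist are constructed), lists tables and columns the way `.tables` and `pragma table_info(users)` do, flags rows whose stored value is an unsalted MD5 of a common password, and then shows the salted PBKDF2 storage that would have made the crackstation step fail.

```python
# Added example (not from the original walkthrough): inspect a users table
# with Python's sqlite3 module, audit it for unsalted MD5 password hashes,
# and show a salted, slow replacement. The database is built in-memory; only
# the admin row reuses the hash quoted in the walkthrough, the rest is constructed.

import hashlib
import hmac
import os
import sqlite3


def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("1", "admin", "6eea9b7ef19179a06954edd0f6c05ceb", 1),  # hash from the walkthrough
            ("2", "bob", "5f4dcc3b5aa765d61d8327deb882cf99", 0),    # constructed: md5("password")
        ],
    )
    return con


def list_tables(con):
    # Equivalent of ".tables" in the sqlite3 shell.
    return [row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]


def columns(con, table):
    # Equivalent of "pragma table_info(<table>);", keeping only column names.
    return [row[1] for row in con.execute(f"PRAGMA table_info({table})")]


def looks_like_md5(value):
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


WORDLIST = ["123456", "password", "qwertyuiop", "letmein"]  # constructed, tiny on purpose


def audit_weak_hashes(con, wordlist=WORDLIST):
    """Return {username: plaintext} for rows whose stored value is an unsalted
    MD5 of a wordlist entry, i.e. exactly the weakness the challenge relies on."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {}
    for username, stored in con.execute("SELECT username, password FROM users"):
        if looks_like_md5(stored) and stored.lower() in lookup:
            found[username] = lookup[stored.lower()]
    return found


# Hardened storage: a random per-user salt and a slow key-derivation function,
# stored as one self-describing string.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    con = build_sample_db()
    print("tables:", list_tables(con))
    print("columns:", columns(con, "users"))
    print("weak hashes:", audit_weak_hashes(con))
    stored = hash_password("qwertyuiop")
    print("salted hash verifies:", verify_password("qwertyuiop", stored))
```

With salted, iterated hashes a precomputed lookup table like crackstation's no longer applies: the same password yields a different stored string for every user, and each guess costs a full PBKDF2 run.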
XML External Entity
Task 13: eXtensible Markup Language
Full form of XML
Extensible Markup Language
Is it compulsory to have an XML prolog in XML documents?
No
Can we validate XML documents against a schema?
Yes
How can we specify XML version and encoding in XML document?
XML prolog
Document Type Definition (DTD)
How do you define a new ELEMENT?
!ELEMENT
How do you define a ROOT element?
!DOCTYPE
How do you define a new ENTITY?
!ENTITY
Task 16: Exploiting
Try to display your own name using any payload.
Enter
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
<firstName>falcon</firstName>
<lastName>&name;</lastName>
</userInfo>
See if you can read the /etc/passwd
Enter
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
What is the name of the user in /etc/passwd?
This can be determined by the output of the previous question. The answer is falcon
Where is falcon’s SSH key located?
This was fairly simple to do. It is known that SSH keys are stored in either .ssh/id_rsa or .ssh/id_rsa.pub, depending on whether you need the private or the public key. As the next question asks for the private key, we get the answer as /home/falcon/.ssh/id_rsa
What are the first 18 characters for falcon’s private key?
Simple enough, just use the location mentioned in previous answers and cat the file. Answer is MIIEogIBAAKCAQEA7
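The two payloads in Task 16 differ in one thing: the first declares an internal entity with a literal value, the second declares an entity with a SYSTEM identifier that the parser resolves from the filesystem. The following added example (not code from the original room) shows a server-side gate that rejects documents declaring external entities before they reach the parser, while still accepting the harmless internal entity, using the two payloads quoted above as input. The gate is a regex heuristic; the proper fix is a parser configured not to resolve entities at all (for example defusedxml), and the `allow_internal_entities` switch shows the stricter policy of refusing any DOCTYPE.

```python
# Added example (not from the original room): a pre-parse check that rejects
# XML whose DTD declares external (SYSTEM/PUBLIC) entities, optionally any
# DOCTYPE at all, before handing the document to the parser. The two input
# documents are the payloads quoted in the walkthrough.

import re
import xml.etree.ElementTree as ET

INTERNAL_ENTITY_DOC = """<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
<firstName>falcon</firstName>
<lastName>&name;</lastName>
</userInfo>"""

EXTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>"""

# Matches <!ENTITY name SYSTEM ...>, <!ENTITY name PUBLIC ...> and the
# parameter-entity form <!ENTITY % name SYSTEM ...>.
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def dtd_policy_violation(xml_text, allow_internal_entities=True):
    """Return a reason string if the document must be rejected, else None."""
    if EXTERNAL_ENTITY_RE.search(xml_text):
        return "external entity declaration"
    if not allow_internal_entities and DOCTYPE_RE.search(xml_text):
        return "DOCTYPE not permitted"
    return None


def parse_user_info(xml_text, allow_internal_entities=True):
    """Apply the policy, then parse and return {child tag: text} of the root."""
    reason = dtd_policy_violation(xml_text, allow_internal_entities)
    if reason:
        raise ValueError(f"rejected XML: {reason}")
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(parse_user_info(INTERNAL_ENTITY_DOC))
    for doc in (EXTERNAL_ENTITY_DOC, INTERNAL_ENTITY_DOC):
        print("strict policy:", dtd_policy_violation(doc, allow_internal_entities=False))
```

Note that the standard-library parser used here does expand internal entities (the first payload yields `feast`), which is why the strict policy exists: an internal DTD with recursive entity definitions is enough for an entity-expansion denial of service even without any SYSTEM identifier.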
Broken Access Control
Task 18: IDOR Challenge
Look at other users notes. What is the flag?
There are better methods to do this (using Burp Suite), but since I did not know about it when I started this challenge, I just had to luck out by getting the answer at note=0
Security Misconfiguration
Task 19: Security Misconfiguration
Hack into the webapp, and find the flag!
So the first thing I did was go through the source code, but I couldn't find any comment of sorts there. Next, I thought to check it out on Exploit-DB, but there too I did not get a good answer. I googled about it, and then I found out that the answer was mentioned on its GitHub page
Cross-site Scripting
Craft a reflected XSS payload that will cause a popup saying “Hello”
The answer is simple enough
<script>alert('Hello')</script>
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine’s IP address.
Google around for how to display the machine's IP address in JS (window.location.host gives the host part of the current URL), after which enter
<script>alert(window.location.host)</script>
Then add a comment and see if you can insert some of your own HTML
You can enter any HTML code you want.
<html>
<body>
<p> Hi </p>
</body>
</html>
On the same page, create an alert popup box appear on the page with your document cookies.
Again, google around on how to display cookies in JS (the property is document.cookie), then just write down the command:
<script>alert(document.cookie)</script>
Change “XSS Playground” to “I am a hacker” by adding a comment and using JS.
Go to the source code and figure out the document id of the element which has the title stored. Then use simple JS to change the heading (or use the hint :p)
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
Insecure Deserialization
Task 21: Insecure Deserialization
Who developed the Tomcat application?
Google around. I initially got the answer as a single person who was responsible for it, but the expected answer is The Apache Software Foundation
What type of attack that crashes services can be performed with insecure deserialisation?
DoS, or Denial of Service
Task 25: Cookies Practical
1st flag (cookie value)
Follow the instructions mentioned in the text. The cookie value is base64 encoded, hence just use a normal base64 decoder to get the value of the cookies
2nd flag (admin dashboard)
Simply change the value of the cookie to userType="admin".
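The second flag works because the cookie is only base64 encoded, not protected, so the server trusts whatever the client sends back. The following added example (not code from the original room) decodes and forges such a cookie the way the task describes, then shows the same cookie with an HMAC tag computed from a server-side key, where editing userType without the key makes the server reject it. The cookie contents and the key are constructed for this example.

```python
# Added example (not from the original room): an unsigned base64 cookie next
# to an HMAC-signed one. Cookie contents and the server key are constructed.

import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-server-key-do-not-reuse"  # constructed for the example


# --- the weak design from the practical: encoding is not protection ---

def encode_unsigned(data):
    return base64.b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def decode_unsigned(cookie):
    # The server trusts whatever decodes cleanly, including userType="admin".
    return json.loads(base64.b64decode(cookie))


# --- the hardened design: payload bound to a key only the server holds ---

def encode_signed(data, key=SERVER_KEY):
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_signed(cookie, key=SERVER_KEY):
    """Return the payload dict, or None if the tag does not verify."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def edit_without_key(cookie, **changes):
    """Re-encode the payload with changed fields but keep the original tag:
    all that can be done with the cookie alone, and it no longer verifies."""
    payload, _, tag = cookie.rpartition(".")
    data = json.loads(base64.urlsafe_b64decode(payload))
    data.update(changes)
    new_payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{new_payload}.{tag}"


if __name__ == "__main__":
    session = {"username": "guest", "userType": "user"}
    print("unsigned, edited:", decode_unsigned(encode_unsigned({**session, "userType": "admin"})))
    signed = encode_signed(session)
    print("signed, edited:", decode_signed(edit_without_key(signed, userType="admin")))
```

A signed cookie still reveals its contents to the client (base64 is not encryption), so anything secret belongs server-side in a session store; the signature only guarantees that the values came from the server unchanged.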
Components with Known Vulnerabilities
Task 29: Lab
How many characters are in /etc/passwd
Go to Exploit-DB and see if you can find any exploits for CSE Bookstore or projectworld which will give us remote shell access. As we can see, there is one.
Now, we just download it and run the script. There is sufficient documentation to know how to execute the command
python3 47887.py http://machine_ip/
wc -c /etc/passwd
Insufficient Logging and Monitoring
Task 30: Insufficient Logging and Monitoring
What IP address is the attacker using?
Look at the IP address which is used the most and is unauthorised. As can be seen, the answer is 49.99.13.16
What kind of attack is being carried out?
From what can be seen, different usernames are used in each request. Also, using the hint, we can find out that the answer is Brute Force
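Reading the log by eye works for a dozen lines; the same two observations (one source address dominating the failures, a different username on each request) can be turned into a detection that runs over any number of lines. The following added example (not code from the original room) parses constructed login-log lines in a simple format of my own, groups failed attempts by source address and flags sources that exceed a threshold, reporting how many distinct usernames they tried. The log format, addresses and threshold are all assumptions for this example.

```python
# Added example (not from the original room): brute-force detection over
# constructed login-log lines. The line format, the addresses (documentation
# ranges) and the threshold are assumptions made for this example.

import re
from collections import defaultdict

SAMPLE_LOG = """\
2020-10-11 14:00:01 LOGIN OK   user=jr.dev   src=198.51.100.7
2020-10-11 14:00:05 LOGIN FAIL user=admin    src=203.0.113.5
2020-10-11 14:00:06 LOGIN FAIL user=root     src=203.0.113.5
2020-10-11 14:00:06 LOGIN FAIL user=test     src=203.0.113.5
2020-10-11 14:00:07 LOGIN FAIL user=guest    src=203.0.113.5
2020-10-11 14:00:08 LOGIN FAIL user=oracle   src=203.0.113.5
2020-10-11 14:00:30 LOGIN FAIL user=jr.dev   src=198.51.100.7
2020-10-11 14:00:35 LOGIN OK   user=jr.dev   src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGIN (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn each well-formed line into a dict; skip blank or unparseable lines."""
    events = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_ip(events):
    """Map source address -> list of usernames it failed to log in as (in order)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["ip"]].append(e["user"])
    return dict(failures)


def detect_brute_force(events, threshold=5):
    """Flag sources with at least `threshold` failures. A high count of distinct
    usernames from one source is the pattern the task describes: one client
    walking through account names rather than a user mistyping a password."""
    alerts = {}
    for ip, users in failures_by_ip(events).items():
        if len(users) >= threshold:
            alerts[ip] = {
                "attempts": len(users),
                "distinct_users": len(set(users)),
                "kind": "brute force",
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['kind']}, {info['attempts']} failures, "
              f"{info['distinct_users']} usernames tried")
```

A single failed login from 198.51.100.7 followed by a success is ordinary user behaviour and stays below the threshold; the value of the log is that it lets the two cases be told apart without guessing.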