Tryhackme -OWASP Top 10 25/09/2021

Command Injection What strange text file is in the website root directory?

A strange text file in the website root directory: I used < ls > to see the directory list

drpepper.txt 

is a strange text file.

How many non-root/non-service/non-daemon users are there?

We can use the command:

cat /etc/passwd | cut -d: -f1 i

It will show just first word of each line,

I more detail about command check this link.: LinuxHandBook

0

What user is this app running as?

The user of the app:

whoami or id command will help to find info

The answer for this is

www-data

What is the user's shell set as?

I used id to find the user id. Which is 33. id prints the current user-id and group-id.

And then I used cat /etc/passwd/ to print all the list of user information.

or you can just use

cat /etc/passwd

It will show everything inside passwd file, and we already know what the username is.

/usr/sbin/nologin.

What version of Ubuntu is running?

This command prints Os version.

cat /etc/os-release

can print comprehensive information on the Operating System.

or you can just use

lsb_release -a

Here we see the version as

18.04.4.

Print out the MOTD. What favorite beverage is shown?

Dr Pepper 

Broken Authentication

What is the flag that you found in darren's account?

fe86079416a21a3c99937fea8874b667

What is the flag that you found in arthur's account?

d9ac0f7db4fda460ac3edeb75d75e16e

Sensitive Data Exposure

What is the name of the mentioned directory?

Click on Login link. then inspect webpage, it will show info about webpage. There we could see what is mentioned.

/assets

DB File:

As I knew there is a directory inside the website "/assets". I just added that to URL. in there I could see webapp.db, a database file.

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

webapp.db

Sensitive Data:

Just click on "webapp.db" and save it. Just for future use.

we can open this with sqlite3 and check what it has.

I never had worked with SQL before, so word of advice, remember "; " at the end of each command. Otherwise, SQL thinks you still have something to add in command.

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

6eea9b7ef19179a06954edd0f6c05ceb

Admin Password:

I used the website Crackstation mentioned in the given material to crack the password hash.

Its clear that its whole first line of qwerty keyboard.

Crack the hash.

What is the admin's plaintext password?

qwertyuiop

Admin Flag:

Login as the admin. What is the flag?

THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

XML External Entity

[Severity 4 XML External Entity - eXtensible Markup Language

Full form of XML

Extensible Markup Language

Is it compulsory to have XML prolog in XML documents?

no

Can we validate XML documents against a schema?

yes

How can we specify XML version and encoding in XML document?

XML prolog

[Severity 4] XML External Entity - DTD

How do you define a new ELEMENT?

!ELEMENT

How do you define a ROOT element?

!DOCTYPE

How do you define a new ENTITY?

!ENTITY

[Severity 4] XML External Entity - Exploiting

What is the name of the user in /etc/passwd

falcon

Where is falcon's SSH key located?

/home/falcon/.ssh/id_rsa

What are the first 18 characters for falcon's private key

MIIEogIBAAKCAQEA7

Broken Access Control

[Severity 5] Broken Access Control (IDOR Challenge)

Look at other users notes. What is the flag?

flag{fivefourthree}

[Severity 6] Security Misconfiguration

Hack into the webapp, and find the flag!

thm{4b9513968fd564a87b28aa1f9d672e17}

Cross-site Scripting

[Severity 7] Cross-site Scripting

Navigate to http://Machine/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".

<script>alert("Hello World")</script>

ThereIsMoreToXSSThanYouiThink

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

I copied XSS script from this link and edited it after my need "https://github.com/payloadbox/xss-payload-list"

ReflectiveXss4TheWin

'`"><\x00script>javascript:alert("window.location.hostname")</script>

Now navigate to http://10.10.*.*/ in your browser and click on the "Stored XSS" tab on the navbar; make an account.

Then add a comment and see if you can insert some of your own HTML.

HTML_T4gs

On the same page, create an alert popup box appear on the page with your document cookies.

W3LL_D0N3_LVL2

"><s"%2b"cript>alert(document.cookie)</script>

this script will print out document.cookie and at the end prints out answer in comment field.

you can also use

test" onmouseover="alert(document.cookie)"

to get your answer,

Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.

<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

websites_can_be_easily_defaced_with_xss

Insecure Deserialization

[Severity 8] Insecure Deserialization

Who developed the Tomcat application?

The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialization?

Denial of Service

[Severity 8] Insecure Deserialization - Deserialization

Select the correct term of the following statement:

if a dog was sleeping, would this be:

A) A State <-- data, in this case, dogs food can be a state, B) A Behaviour <-- action, dog eating food is a behavior.

A Behavior

[Severity 8] Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

binary

[Severity 8] Insecure Deserialization - Cookies

If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

webapp.com/login

What is the acronym for the web technology that Secure cookies work over?

HTTPS

[Severity 8] Insecure Deserialization - Cookies Practical

1st flag (cookie value)

frist flag is inside cookies, only thing needed is to decode that base64 code.

2nd flag (admin dashboard)

and change http://ip into http://ip/admin this will show your flag on admin page.

THM{heres_the_admin_flag} 

[Severity 8] Insecure Deserialization - Code Execution

downloaded the script from the link and changed according to my VPN need.

copied 64base value and added to cookies value inside Inspected elemet/ encodedpayload

I had already open listening with netcat on port 4444,

after I reloaded the page on the website I got connected to the Terminal "Shell" of the website.

After that flag.txt file is not difficult to find

after searching around on terminal, at last, I found it.

Answer:

4a69a7ff9fd68

[Severity 9] Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

We need an "RCE", and the last one might work.

locate it with locate command.

This shows absolut path to file. just copy that to you documents and run it

test the script to see what you need to execute the script. It seems like I only need a URL.

there we go and we are in.

There is Answer.

1611

[Severity 10] Insufficient Logging and Monitoring

What IP address is the attacker using?

49.99.13.16

What kind of attack is being carried out?

brute force