
TryHackMe - OWASP Top 10 25/09/2021

Updated: Oct 16, 2021

Command Injection

What strange text file is in the website root directory?

A strange text file in the website root directory: I used ls to see the directory listing.


is a strange text file.

How many non-root/non-service/non-daemon users are there?

We can use the command:

cat /etc/passwd | cut -d: -f1

It shows just the first field (the username) of each line.

For more detail about the command, check this link: LinuxHandBook


What user is this app running as?

The user of the app:

The whoami or id command will help to find this information.

The answer for this is


What is the user's shell set as?

I used id to find the user ID, which is 33. id prints the current user ID and group ID.

And then I used cat /etc/passwd to print the list of user information.

or you can just use

cat /etc/passwd

It shows everything inside the passwd file, and we already know the username; the last field of that user's line is the shell.
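As an added example (not part of the original writeup), the script below does in Python what the cut, id and cat /etc/passwd steps above do by hand: it parses passwd-format text, counts the non-root/non-service accounts, and looks up the shell for a given UID. The sample passwd content is constructed, and the UID >= 1000 cut-off and the list of "no login" shells are assumptions based on the Debian/Ubuntu convention, not values taken from the room.

```python
# Constructed sample /etc/passwd content (not copied from the TryHackMe machine)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Shells that mean "this account cannot log in interactively" (assumed list)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse passwd-format text into one dict per account.

    Each line has seven colon-separated fields:
    name:password:uid:gid:gecos:home:shell
    """
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than guess
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            users.append({"name": name, "uid": int(uid), "gid": int(gid),
                          "gecos": gecos, "home": home, "shell": shell})
        except ValueError:
            continue  # non-numeric uid/gid: also malformed
    return users


def human_users(users, min_uid=1000):
    """Non-root, non-service accounts: UID in the human range (>= 1000 on
    Debian/Ubuntu), excluding 'nobody' (65534) and accounts with no login shell."""
    return [u for u in users
            if min_uid <= u["uid"] < 65534 and u["shell"] not in NOLOGIN_SHELLS]


def shell_for_uid(users, uid):
    """Return the login shell of the account with this UID, or None if absent."""
    for u in users:
        if u["uid"] == uid:
            return u["shell"]
    return None


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("human users:", [u["name"] for u in human_users(accounts)])
    print("shell for uid 33:", shell_for_uid(accounts, 33))
```

Run it against the real file with parse_passwd(open("/etc/passwd").read()); the UID threshold is the thing to adjust if the target distribution uses a different range for human accounts.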


What version of Ubuntu is running?

This command prints the OS version:

cat /etc/os-release

It prints comprehensive information about the operating system.

or you can just use

lsb_release -a

Here we see the version as


Print out the MOTD. What favorite beverage is shown?

Dr Pepper 

Broken Authentication

What is the flag that you found in darren's account?


What is the flag that you found in arthur's account?


Sensitive Data Exposure

What is the name of the mentioned directory?

Click on the Login link, then inspect the web page; the page source shows information about the site, and there we can see the directory that is mentioned.


DB File:

As I knew there was a directory "/assets" inside the website, I just added that to the URL. There I could see webapp.db, a database file.

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?


Sensitive Data:

Just click on "webapp.db" and save it for later use.

We can open this with sqlite3 and check what it contains.

I had never worked with SQL before, so a word of advice: remember the ";" at the end of each command. Otherwise, SQL thinks you still have something to add to the command.

Use the supporting material to access the sensitive data. What is the password hash of the admin user?


Admin Password:

I used the website Crackstation mentioned in the given material to crack the password hash.

It's clear that it's the whole first row of the QWERTY keyboard.

Crack the hash.

What is the admin's plaintext password?


Admin Flag:

Login as the admin. What is the flag?


XML External Entity

[Severity 4] XML External Entity - eXtensible Markup Language

Full form of XML

Extensible Markup Language

Is it compulsory to have XML prolog in XML documents?


Can we validate XML documents against a schema?


How can we specify XML version and encoding in XML document?

XML prolog

[Severity 4] XML External Entity - DTD

How do you define a new ELEMENT?


How do you define a ROOT element?


How do you define a new ENTITY?


[Severity 4] XML External Entity - Exploiting

What is the name of the user in /etc/passwd?


Where is falcon's SSH key located?


What are the first 18 characters of falcon's private key?
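The three XXE tasks above turn on the XML prolog, the DTD (ELEMENT and ENTITY declarations) and what a parser does with an entity reference. As an added example, not part of the original writeup, the Python below reads the version/encoding from a prolog, shows an internal entity being expanded by the standard-library parser, and then shows the defensive counterpart: refusing any document that carries a DOCTYPE or ENTITY declaration before it reaches the parser. Both sample documents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample documents (not taken from the room)
BENIGN_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<order><item>widget</item></order>')

# A DTD in the internal subset: an ELEMENT declaration for the root element and an
# ENTITY declaration whose value is substituted wherever &name; appears.
DTD_XML = ('<?xml version="1.0"?>'
           '<!DOCTYPE order [ <!ELEMENT order (item)> <!ENTITY name "widget"> ]>'
           '<order><item>&name;</item></order>')

PROLOG_RE = re.compile(r'^\s*<\?xml\s+version="([^"]+)"(?:\s+encoding="([^"]+)")?')
DTD_MARKERS = re.compile(r'<!(?:DOCTYPE|ENTITY)\b', re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when an untrusted document declares a DTD or entities."""


def read_prolog(data):
    """Return (version, encoding) from the XML declaration, or None if there is none.
    The prolog is optional, which is why this can return None for a valid document."""
    m = PROLOG_RE.match(data)
    if not m:
        return None
    return m.group(1), m.group(2)


def parse_trusting(data):
    """Parse as-is. Internal entities such as &name; are expanded by expat, which is
    the mechanism XXE abuses when the entity points at an external resource."""
    return ET.fromstring(data)


def parse_untrusted(data):
    """Fail closed: any DOCTYPE or ENTITY declaration is rejected before parsing.
    XXE requires an entity declaration, so refusing DTDs outright removes the
    vector; harmless internal DTDs are refused too, which is the intended trade-off."""
    if DTD_MARKERS.search(data):
        raise UnsafeXML("DTD or entity declaration found; refusing to parse")
    return ET.fromstring(data)


if __name__ == "__main__":
    print("prolog:", read_prolog(BENIGN_XML))
    print("expanded entity:", parse_trusting(DTD_XML).find("item").text)
    try:
        parse_untrusted(DTD_XML)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

The textual check runs on the raw document, so a "<!DOCTYPE" inside a comment or CDATA section is also rejected; that false positive is acceptable for input that should never carry a DTD in the first place.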


Broken Access Control

[Severity 5] Broken Access Control (IDOR Challenge)

Look at other users notes. What is the flag?


[Severity 6] Security Misconfiguration

Hack into the webapp, and find the flag!


Cross-site Scripting

[Severity 7] Cross-site Scripting

Navigate to http://Machine/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".

<script>alert("Hello World")</script>


On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.

I copied the XSS script from this link and edited it to my needs.



Now navigate to http://10.10.*.*/ in your browser and click on the "Stored XSS" tab on the navbar; make an account.

Then add a comment and see if you can insert some of your own HTML.


On the same page, make an alert popup box appear on the page with your document cookies.



This script prints out document.cookie and at the end prints the answer in the comment field.

You can also use

test" onmouseover="alert(document.cookie)"

to get your answer.

Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.

<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
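Both reflected payloads in this section work for the same reason: user input is copied into the page without escaping, in the body for the script tag and inside an attribute for the onmouseover variant. As an added example (not the room's code or the author's), the Python below renders a name into a body context and a value into an attribute context with html.escape, feeds the two payloads quoted above through both, and keeps the unescaped version alongside so the difference is visible. The templates and the comparison helper are assumptions made for this example.

```python
import html

# The two payloads from this section of the room, used here as test input
PAYLOAD_SCRIPT = '<script>alert("Hello World")</script>'
PAYLOAD_ATTR = 'test" onmouseover="alert(document.cookie)"'


def render_vulnerable(name):
    """Reflects input straight into the HTML body: the behaviour the room demonstrates."""
    return f"<p>Hello, {name}</p>"


def render_body(name):
    """Body context: html.escape turns <, >, & and both quote characters into
    entities, so the browser shows the payload as text instead of running it."""
    return f"<p>Hello, {html.escape(name)}</p>"


def render_attribute(value):
    """Attribute context: the value is always quoted AND quotes inside it are
    escaped, so the input cannot close the attribute and start an onmouseover."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def has_markup_injection(rendered, template_tags):
    """Crude comparison helper: any '<' beyond the ones the template itself emits
    means the input introduced markup."""
    return rendered.count("<") > template_tags


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_SCRIPT))
    print(render_body(PAYLOAD_SCRIPT))
    print(render_attribute(PAYLOAD_ATTR))
```

The same escaping applies to stored XSS: a comment saved to the database must be escaped when it is rendered, not only when it is submitted. On the client side, the room's final answer already uses the right API, textContent, which assigns text without parsing it as HTML.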


Insecure Deserialization

[Severity 8] Insecure Deserialization

Who developed the Tomcat application?

The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialization?

Denial of Service

[Severity 8] Insecure Deserialization - Deserialization

Select the correct term for the following statement:

If a dog was sleeping, would this be:

A) A State <-- data; in this case, the dog's food can be a state
B) A Behaviour <-- action; the dog eating food is a behaviour

A Behavior

[Severity 8] Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?


[Severity 8] Insecure Deserialization - Cookies

If a cookie had the path of , what would the URL that the user has to visit be?

What is the acronym for the web technology that Secure cookies work over?


[Severity 8] Insecure Deserialization - Cookies Practical

1st flag (cookie value)

The first flag is inside the cookie; the only thing needed is to decode that base64 value.

2nd flag (admin dashboard)

Then change http://ip to http://ip/admin; this shows your flag on the admin page.


[Severity 8] Insecure Deserialization - Code Execution

I downloaded the script from the link and changed it according to my VPN needs.

I copied the base64 value and added it to the cookie value inside Inspect Element / encodedpayload.

I had already opened a listener with netcat on port 4444.

After I reloaded the page on the website, I got connected to the terminal "shell" of the website.

After that, the flag.txt file is not difficult to find; after searching around on the terminal, at last, I found it.



[Severity 9] Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

We need an "RCE", and the last one might work.

Locate it with the locate command.

This shows the absolute path to the file. Just copy that to your documents and run it.

Test the script to see what you need to execute it. It seems like I only need a URL.

There we go and we are in.

There is the answer.


[Severity 10] Insufficient Logging and Monitoring

What IP address is the attacker using?

What kind of attack is being carried out?

brute force
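Answering the two questions above by eye works for a short log; the same reasoning, many failed logins from one IP in a short span, is what a detection rule encodes. As an added example (not the room's log or any tool's code), the Python below parses a constructed login log in an invented format, flags IPs that exceed a failure threshold inside a time window, and records whether a success followed the failures, which is the line that turns "attempted brute force" into "probable compromise". The log format, threshold and window are assumptions; the IPs are from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed login log (format invented for this example, documentation IPs only)
SAMPLE_LOG = """\
2021-09-25 14:00:01 jr22 203.0.113.8 login 200
2021-09-25 14:00:05 admin 198.51.100.77 login 401
2021-09-25 14:00:06 admin 198.51.100.77 login 401
2021-09-25 14:00:07 admin 198.51.100.77 login 401
2021-09-25 14:00:08 admin 198.51.100.77 login 401
2021-09-25 14:00:09 admin 198.51.100.77 login 401
2021-09-25 14:00:10 admin 198.51.100.77 login 401
2021-09-25 14:01:30 mary 203.0.113.21 login 401
2021-09-25 14:01:45 mary 203.0.113.21 login 200
2021-09-25 14:09:00 admin 198.51.100.77 login 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) login (?P<status>\d{3})$")


def parse_log(text):
    """Turn log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "user": m["user"], "ip": m["ip"],
                       "ok": m["status"] == "200"})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag IPs with at least `threshold` failed logins inside any `window_seconds` span.

    Returns {ip: {"failures": total failures, "users": usernames tried,
                  "success_after": whether a successful login from that IP
                  followed the last failure}}.
    """
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)

    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        # slide a window of `threshold` consecutive failures over the sorted list
        for i in range(len(evs) - threshold + 1):
            span = (evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds()
            if span <= window_seconds:
                last_fail = evs[-1]["ts"]
                success_after = any(e["ok"] and e["ip"] == ip and e["ts"] > last_fail
                                    for e in events)
                flagged[ip] = {"failures": len(evs),
                               "users": sorted({e["user"] for e in evs}),
                               "success_after": success_after}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A single failed login from mary followed by a success is ordinary user behaviour and is not flagged; the threshold and window are the knobs to tune against the real volume of failed logins the application sees.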
