
Tryhackme -OWASP Top 10 25/09/2021
Updated: Oct 16, 2021
Command Injection
What strange text file is in the website root directory?
A strange text file in the website root directory: I used ls to see the directory listing.

drpepper.txt
is a strange text file.
How many non-root/non-service/non-daemon users are there?
We can use the command:
cat /etc/passwd | cut -d: -f1
It shows just the first field (the username) of each line.
For more detail about the command, check this link: LinuxHandBook
0
What user is this app running as?
The user of the app:
The whoami or id command will help find this info.
The answer for this is
www-data
What is the user's shell set as?
I used id to find the user ID, which is 33. id prints the current user ID and group ID.
And then I used cat /etc/passwd to print the full list of user information.
or you can just use
cat /etc/passwd
It shows everything inside the passwd file, and we already know what the username is.
/usr/sbin/nologin.
What version of Ubuntu is running?
This command prints the OS version.
cat /etc/os-release
can print comprehensive information on the Operating System.
or you can just use
lsb_release -a
Here we see the version as
18.04.4.
Print out the MOTD. What favorite beverage is shown?


Dr Pepper
Broken Authentication
What is the flag that you found in darren's account?
fe86079416a21a3c99937fea8874b667
What is the flag that you found in arthur's account?
d9ac0f7db4fda460ac3edeb75d75e16e
Sensitive Data Exposure

What is the name of the mentioned directory?

Click on the Login link, then inspect the webpage; the page source shows info about the site, and there we can see the directory that is mentioned.
/assets
DB File:

As I knew there was a directory "/assets" inside the website, I just added that to the URL. There I could see webapp.db, a database file.
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
webapp.db
Sensitive Data:
Just click on "webapp.db" and save it for later use.

We can open this with sqlite3 and check what it contains.

I had never worked with SQL before, so a word of advice: remember the ";" at the end of each command. Otherwise, SQL thinks you still have something to add to the command.
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
6eea9b7ef19179a06954edd0f6c05ceb
Admin Password:
I used the website Crackstation mentioned in the given material to crack the password hash.

It's clear that it's the whole first row of the QWERTY keyboard.
Crack the hash.
What is the admin's plaintext password?
qwertyuiop
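As an added illustration of the two steps above (inspecting the database, then seeing why the hash cracked instantly), and not part of the original writeup: the script below builds a constructed stand-in for webapp.db, lists the columns that look like they hold secrets, and runs the same unsalted-MD5 wordlist lookup that CrackStation performs. The column-name list, the wordlist and the second user are assumptions; only the admin hash comes from this page.

```python
import hashlib
import re
import sqlite3

# Column-name fragments that usually hold secrets (assumed list for the audit).
SENSITIVE_NAMES = ("password", "passwd", "hash", "secret", "token", "apikey")
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def make_sample_db():
    """Constructed stand-in for the lab's webapp.db; the second user is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER);
        CREATE TABLE sessions (userID TEXT, sessionID TEXT);
    """)
    # Unsalted MD5 digests: the admin hash is the one quoted on this page.
    conn.execute("INSERT INTO users VALUES ('1', 'admin', '6eea9b7ef19179a06954edd0f6c05ceb', 1)")
    conn.execute("INSERT INTO users VALUES ('2', 'bob', ?, 0)",
                 (hashlib.md5(b"letmein").hexdigest(),))
    conn.commit()
    return conn


def find_sensitive_columns(conn):
    """Walk sqlite_master (what sqlite3's .tables/.schema read) and return
    (table, column) pairs whose name suggests stored credentials."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            column = row[1]
            if any(k in column.lower() for k in SENSITIVE_NAMES):
                hits.append((table, column))
    return hits


def audit_weak_hashes(conn, table, user_col, hash_col, wordlist):
    """Return {user: password} for rows whose hash is plain MD5 of a wordlist entry.
    This is the lookup CrackStation does; a salted, slow hash would not match this way."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    findings = {}
    for user, digest in conn.execute(f'SELECT "{user_col}", "{hash_col}" FROM "{table}"'):
        if MD5_HEX.match(digest) and digest in lookup:
            findings[user] = lookup[digest]
    return findings
```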
Admin Flag:
Login as the admin. What is the flag?
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
XML External Entity
[Severity 4] XML External Entity - eXtensible Markup Language
Full form of XML
Extensible Markup Language
Is it compulsory to have XML prolog in XML documents?
no
Can we validate XML documents against a schema?
yes
How can we specify XML version and encoding in XML document?
XML prolog
[Severity 4] XML External Entity - DTD
How do you define a new ELEMENT?
!ELEMENT
How do you define a ROOT element?
!DOCTYPE
How do you define a new ENTITY?
!ENTITY
[Severity 4] XML External Entity - Exploiting
What is the name of the user in /etc/passwd?
falcon
Where is falcon's SSH key located?
/home/falcon/.ssh/id_rsa
What are the first 18 characters of falcon's private key?
MIIEogIBAAKCAQEA7
Broken Access Control
[Severity 5] Broken Access Control (IDOR Challenge)
Look at other users notes. What is the flag?
flag{fivefourthree}
[Severity 6] Security Misconfiguration
Hack into the webapp, and find the flag!
thm{4b9513968fd564a87b28aa1f9d672e17}
Cross-site Scripting
[Severity 7] Cross-site Scripting
Navigate to http://Machine/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".
<script>alert("Hello World")</script>
ThereIsMoreToXSSThanYouiThink
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
I copied an XSS script from this link and edited it to my needs: "https://github.com/payloadbox/xss-payload-list"

ReflectiveXss4TheWin
'`"><\x00script>javascript:alert("window.location.hostname")</script>

Now navigate to http://10.10.*.*/ in your browser and click on the "Stored XSS" tab on the navbar; make an account.
Then add a comment and see if you can insert some of your own HTML.
HTML_T4gs

On the same page, create an alert popup box appear on the page with your document cookies.
W3LL_D0N3_LVL2
"><s"%2b"cript>alert(document.cookie)</script>

This script will display document.cookie in a popup and then print the answer in the comment field.
You can also use
test" onmouseover="alert(document.cookie)"
to get your answer.
Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
websites_can_be_easily_defaced_with_xss
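Added example, not from the original writeup: the server-side fix for the reflected and stored payloads quoted above, shown in Python. The two render functions and the template shape are assumptions; the point is that these payloads only work when decoded input reaches the HTML without context-aware escaping, which is also why the textContent approach in the last task is the safe way to write text into the DOM.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# The payloads quoted on this page, as they arrive in the request.
PAYLOADS = [
    '<script>alert("Hello World")</script>',
    '"><s"%2b"cript>alert(document.cookie)</script>',
    'test" onmouseover="alert(document.cookie)"',
]


# Assumed template: the comment is echoed into an attribute and into the page body.
def render_unsafe(comment):
    """Vulnerable pattern: URL-decoded input is concatenated straight into the HTML."""
    raw = unquote(comment)
    return f'<input value="{raw}"><div class="comment">{raw}</div>'


def render_safe(comment):
    """Hardened pattern: decode once, then HTML-encode; quote=True also neutralises
    the attribute break-out used by the onmouseover payload."""
    text = html.escape(unquote(comment), quote=True)
    return f'<input value="{text}"><div class="comment">{text}</div>'


class TagCollector(HTMLParser):
    """Records every start tag (with its attribute names) that a parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, tuple(sorted(name for name, _ in attrs))))


def injected_markup(rendered):
    """Return tags/attributes the template itself never emits; non-empty means XSS."""
    expected = {("input", ("value",)), ("div", ("class",))}
    collector = TagCollector()
    collector.feed(rendered)
    return [t for t in collector.tags if t not in expected]
```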
Insecure Deserialization
[Severity 8] Insecure Deserialization
Who developed the Tomcat application?
The Apache Software Foundation
What type of attack that crashes services can be performed with insecure deserialization?
Denial of Service
[Severity 8] Insecure Deserialization - Deserialization
Select the correct term for the following statement:
If a dog was sleeping, would this be:
A) A State <-- data; in this case, the dog's food can be a state. B) A Behaviour <-- action; the dog eating food is a behaviour.
A Behavior
[Severity 8] Insecure Deserialization - Deserialization
What is the name of the base-2 formatting that data is sent across a network as?
binary
[Severity 8] Insecure Deserialization - Cookies
If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?
webapp.com/login
What is the acronym for the web technology that Secure cookies work over?
HTTPS
[Severity 8] Insecure Deserialization - Cookies Practical
1st flag (cookie value)

The first flag is inside the cookies; the only thing needed is to decode that base64 value.

2nd flag (admin dashboard)

Then change http://ip to http://ip/admin; this will show your flag on the admin page.
THM{heres_the_admin_flag}
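Added example, not from the lab or the writeup: a cookie layout that makes the edit-the-base64 trick above fail, because the server checks an HMAC tag before it reads anything out of the cookie. The format (JSON, base64, HMAC-SHA256 tag), the secret and the session fields are assumptions, not the lab's own scheme.

```python
import base64
import hashlib
import hmac
import json

# Server-side secret; a constructed placeholder that never reaches the client.
SECRET_KEY = b"example-only-server-secret"


def make_cookie(session: dict) -> str:
    """Serialise with JSON (a data-only format, not a native object serialiser),
    base64-encode it, and append an HMAC tag over the encoded payload."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_cookie(cookie: str):
    """Verify the tag before touching the payload; None means tampered or malformed."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None


def tamper_to_admin(cookie: str) -> str:
    """Model the lab's edit: decode the base64 part, flip the privilege flag,
    re-encode it and keep the old tag (the attacker has no key to mint a new one)."""
    payload, tag = cookie.rsplit(".", 1)
    session = json.loads(base64.urlsafe_b64decode(payload))
    session["admin"] = True
    forged = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"{forged}.{tag}"
```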
[Severity 8] Insecure Deserialization - Code Execution

I downloaded the script from the link and changed it according to my VPN needs.

I copied the base64 value and added it to the cookie value inside Inspect Element / encodedpayload.

I had already opened a listener with netcat on port 4444;
after I reloaded the page on the website, I was connected to the terminal "Shell" of the website.
After that, the flag.txt file is not difficult to find.

After searching around on the terminal, at last I found it.
Answer:
4a69a7ff9fd68
[Severity 9] Components With Known Vulnerabilities - Lab
How many characters are in /etc/passwd? (use wc -c /etc/passwd to get the answer)

We need an "RCE", and the last one might work.
Locate it with the locate command.

This shows the absolute path to the file. Just copy that to your documents and run it.

Test the script to see what you need to execute it. It seems like I only need a URL.

There we go, we are in.

There is the answer.
1611
[Severity 10] Insufficient Logging and Monitoring
What IP address is the attacker using?
49.99.13.16
What kind of attack is being carried out?
brute force
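Added example, not part of the writeup: the detection logic a defender would want for the brute-force pattern in this last task, run over constructed log lines. Only the address 49.99.13.16 comes from the page; the other values and the field layout (status, status text, client IP, user, timestamp, path) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt; every value except 49.99.13.16 is made up.
SAMPLE_LOG = """\
200 OK           12.55.22.88 jr22   2019-03-12T09:21:17 /login
401 Unauthorized 49.99.13.16 admin  2019-03-12T09:22:03 /login
401 Unauthorized 49.99.13.16 admin  2019-03-12T09:22:11 /login
401 Unauthorized 49.99.13.16 admin  2019-03-12T09:22:17 /login
401 Unauthorized 49.99.13.16 root   2019-03-12T09:22:22 /login
200 OK           49.99.13.16 admin  2019-03-12T09:22:30 /login
200 OK           14.56.23.11 rand99 2019-03-12T09:34:39 /profile
"""


def parse_line(line):
    """Split one log line into fields; the layout is an assumption, not a standard format."""
    status, _text, ip, user, stamp, path = line.split()
    return {"status": int(status), "ip": ip, "user": user,
            "time": datetime.fromisoformat(stamp), "path": path}


def detect_brute_force(log_text, threshold=3, window=timedelta(minutes=1)):
    """Alert on any IP with at least `threshold` 401s on /login inside `window`, and
    record whether that IP later got a 200 (repeated failures followed by success)."""
    failures = defaultdict(list)
    later_success = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["path"] != "/login":
            continue
        if ev["status"] == 401:
            failures[ev["ip"]].append(ev["time"])
        elif ev["status"] == 200 and ev["ip"] in failures:
            later_success.add(ev["ip"])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for start in range(len(times)):
            end = start
            while end < len(times) and times[end] - times[start] <= window:
                end += 1
            if end - start >= threshold:
                alerts[ip] = {"failures": end - start, "then_success": ip in later_success}
                break
    return alerts
```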