Write-up by Taylor Christian Newsome
Twitter.com/ClumsyLulz
Github.com/SleepTheGod
Youtube.com/Stripped
https://tryhackme.com/room/owasptop10
OWASP Top 10 Writeup
This room focuses on the following OWASP Top 10 vulnerabilities
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entity
Broken Access Control
Security Misconfiguration
Cross-site Scripting
Insecure Deserialisation
Components with Known Vulnerabilities
Insufficient Logging & Monitoring
Task 5 [Command Injection]
5.1. What strange text file is in the website root directory?
Explanation
Since this behaves like a reverse shell, type the command ls into the console and press submit.
Answer: drpepper.txt
5.2 How many non-root/non-service/non-daemon users are there?
Explanation
The /etc/passwd file lists the local users of a Linux system and can be considered the password database here. Type the command cat /etc/passwd and press submit.
We can see that users with UIDs in the :x:100 range and above are returned. Now we analyse the file and check whether each of them has a home directory, i.e. /home/$Username.
After analysing, we count the users that are not root/service/daemon accounts.
Answer: 0
5.3 What user is this app running as?
Explanation
The whoami command displays the username of the current user.
Answer: www-data
5.4 What is the user’s shell set as?
Explanation
The user’s shell is defined in the /etc/passwd file.
getent is a common way to look up user details on Linux. Since getent uses the same name service switch (NSS) configuration as the system, it shows all the information available, including what is obtained from network sources such as LDAP. The databases it usually searches are: ahosts, ahostsv4, ahostsv6, aliases, ethers (Ethernet addresses), group, gshadow, hosts, netgroup, networks, passwd, protocols, rpc, services, and shadow.
Type getent passwd www-data and press submit to obtain the user's shell. The 7th field of an entry in the /etc/passwd file is the user's login shell.
Answer: /usr/sbin/nologin
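The manual inspection in 5.2 and 5.4 can be done with a small parser. This is an added example, not part of the original write-up; the passwd text is constructed, and the assumption that regular users have a UID of 1000 or more with a home under /home and a real login shell follows the Debian/Ubuntu defaults.

```python
# Constructed /etc/passwd sample (not the lab machine's file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_passwd(text):
    """One dict per entry. The seven colon-separated fields are: name, password
    placeholder, UID, GID, GECOS, home directory, login shell."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than crash
        entries.append({"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
                        "home": fields[5], "shell": fields[6]})
    return entries


def user_shell(text, name):
    """Seventh field (login shell) of the named user, like `getent passwd <name>`."""
    for entry in parse_passwd(text):
        if entry["name"] == name:
            return entry["shell"]
    return None


def human_users(text, uid_min=1000, uid_max=60000):
    """Non-root/non-service/non-daemon accounts: UID in the regular-user range
    (assumed Debian/Ubuntu default 1000..60000), a home under /home and a shell
    that is not nologin/false. Service accounts fail at least one of these."""
    return [entry["name"] for entry in parse_passwd(text)
            if uid_min <= entry["uid"] <= uid_max
            and entry["home"].startswith("/home/")
            and not entry["shell"].endswith(("nologin", "false"))]
```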
5.5 What version of Ubuntu is running?
Explanation
Type lsb_release -a to check the Ubuntu version.
Answer: 18.04.4
5.6 Print out the MOTD. What favourite beverage is shown?
Explanation
The /etc/motd is a file on Unix-like systems that contains a "message of the day".
From the hint, we know that the target file is 00-header.
Type cat /etc/update-motd.d/00-header
Answer: DR DREPPER
Task 7 [Broken Authentication]
7.1 What is the flag that you found in Darren’s account?
Explanation
Register a new account with the username " Darren". Make sure there is whitespace before the name! You may now log in with the newly created credentials and obtain the flag. PS: You might need to inspect the page to copy the flag.
Answer: fe86079416a21a3c99937fea8874b667
7.3 What is the flag that you found in Arthur’s account?
Explanation
Register a new account with the username " Arthur". Make sure there is whitespace before the name. You may now log in with the newly created credentials and obtain the flag. PS: You might need to inspect the page to copy the flag.
Answer: d9ac0f7db4fda460ac3edeb75d75e16e
Task 11 [Sensitive Data Exposure]
Have a look around the web app. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
11.1 What is the name of the mentioned directory?
Explanation: Inspect the source code of the login page, and then obtain the developer note.
Answer: /assets
11.2 Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Explanation: Database files would likely be holding sensitive data in any system.
Answer: webapp.db
11.3 Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Explanation: The first step is to download the database and check what type of database it is. We can do that with the command file webapp.db; it reports an SQLite database.
To access it, we run sqlite3 webapp.db
From here we can list the tables in the database with the .tables command; there are two tables.
Look at the table structure with PRAGMA table_info(users);
Then use SELECT * FROM users; to dump the information from the table:
We can see from the table information that there are four columns: userID, username, password and admin. You may notice that this matches up with the results. Take the first row which is the admin:
4413096d9c933359b898b6202288a650|admin|6eea9b7ef19179a06954edd0f6c05ceb|1
We have the userID (0), the userName (admin), the password hash (6eea9b7ef19179a06954edd0f6c05ceb) and admin(1).
Answer: 6eea9b7ef19179a06954edd0f6c05ceb
11.4 Crack the hash. What is the admin’s plaintext password?
Explanation: Using crackstation, the hash is cracked and the password is obtained.
Answer: qwertyuiop
11.5 Login as the admin. What is the flag?
Using the obtained credentials, log in as the admin:
username: admin
password: qwertyuiop
Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
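What makes 11.3 and 11.4 work is that the password column holds bare, unsalted MD5 digests. The following added example (not part of the write-up or the lab's code) rebuilds the users table layout in an in-memory SQLite database with constructed rows, flags password fields that look like unsalted digests, shows that a tiny constructed wordlist already matches the admin hash quoted above, and stores passwords the hardened way with salted PBKDF2 instead.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed rows in the (userID, username, password, admin) layout described above.
# The admin row is the one quoted in the write-up; the second row is made up.
SAMPLE_ROWS = [
    ("4413096d9c933359b898b6202288a650", "admin", "6eea9b7ef19179a06954edd0f6c05ceb", 1),
    ("0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", "bob", "0123456789abcdef0123456789abcdef", 0),
]
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def load_db(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", rows)
    return conn


def audit_password_column(conn):
    """Usernames whose stored password is a bare 32-hex digest (unsalted MD5 or
    similar): exactly the format an offline lookup table such as crackstation defeats."""
    return [user for (user, pw) in conn.execute("SELECT username, password FROM users")
            if MD5_HEX.match(pw)]


def matches_wordlist(digest, wordlist):
    """Why the audit matters: with no salt, one MD5 per candidate word is enough."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def hash_password(password, salt=None, iterations=600_000):
    """Hardened form: per-user random salt plus PBKDF2-HMAC-SHA256, stored
    self-describing so the parameters travel with the hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison
```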
Task 13 [eXtensible Markup Language]
13.1 Full form of XML
Answer: eXtensible markup language
13.2 Is it compulsory to have XML prolog in XML documents?
Explanation: It is not compulsory for an XML document to have an XML prolog. However, it is good practice to include one.
Answer: No
13.3 Can we validate XML documents against a schema?
Explanation: XML allows validation using a DTD or a Schema. This validation ensures that the XML document is free from syntax errors.
Answer: Yes
13.4 How can we specify XML version and encoding in an XML document?
Explanation: The XML prolog is located at the beginning of an XML file and it specifies XML version and encoding in an XML document.
Syntax: <?xml version="1.0" encoding="UTF-8"?> (example of an XML prolog)
Answer: XML Prolog
Task 14 [XML External Entity — DTD]
14.1 How do you define a new ELEMENT?
Answer: !ELEMENT
14.2 How do you define a ROOT element?
Answer: !DOCTYPE
14.3 How do you define a new ENTITY?
Answer: !ENTITY
Task 16 [XML External Entity — Exploiting]
16.1 Try to display your own name using any payload.
16.2 See if you can read the /etc/passwd
16.3 What is the name of the user in /etc/passwd
Answer: falcon
16.4 Where is falcon’s SSH key located?
Since we know falcon's home directory from the /etc/passwd file, we can append the standard location of SSH keys on a Linux machine to it, then confirm the location with the payload.
Answer: /home/falcon/.ssh/id_rsa
16.5 What are the first 18 characters for falcon’s private key
Copy the obtained private key into an online character-counting tool, for example https://www.charactercountonline.com/
NB: Falcon's private key begins after "-----BEGIN RSA PRIVATE KEY-----".
Answer: MIIEogIBAAKCAQEA7b
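The fix for everything in task 16 is to refuse DTDs, so the !ENTITY declaration from task 14 never gets a chance to expand. This added example (not part of the write-up) uses Python's stdlib expat parser to abort at the first DOCTYPE or entity declaration and only then hands the document to ElementTree; both documents are constructed, one shaped like the name-display payload of 16.1 and one carrying an external entity like 16.2.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed inputs: a harmless document and one declaring an external entity.
SAFE_DOC = '<?xml version="1.0" encoding="UTF-8"?><data><name>Taylor</name></data>'
XXE_DOC = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<!DOCTYPE data [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
           '<data><name>&ext;</name></data>')


class DtdNotAllowed(ValueError):
    """Raised as soon as a DOCTYPE or entity declaration is encountered."""


def reject_dtd(doc):
    """Walk the document with expat and stop at the first DOCTYPE/ENTITY declaration,
    before any entity could be resolved. This is the 'disable DTDs' mitigation."""
    parser = xml.parsers.expat.ParserCreate()

    def doctype_seen(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not allowed")

    def entity_seen(name, *_):
        raise DtdNotAllowed(f"entity {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = doctype_seen
    parser.EntityDeclHandler = entity_seen
    parser.Parse(doc, True)  # exceptions raised in handlers propagate out of Parse


def is_safe(doc):
    try:
        reject_dtd(doc)
        return True
    except DtdNotAllowed:
        return False


def parse_name(doc):
    """Safe path: screen for DTDs first, then read <name> with ElementTree."""
    reject_dtd(doc)
    return ET.fromstring(doc).findtext("name")
```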
Task 18 [Broken Access Control (IDOR Challenge)]
18.1 Look at other users notes. What is the flag?
To obtain the flag, log in with the username and password provided. Then navigate to the URL and change the note parameter in the URL to 0.
Answer: flag{fivefourthree}
Task 19 [Security Misconfiguration]
19.1 Hack into the web app, and find the flag!
On googling, I found PensiveNotes on GitHub, which contains the default credentials pensive:PensiveNotes.
Use the credentials to log in and obtain the flag.
Answer: thm{4b9513968fd564a87b28aa1f9d672e17}
Task 20 [Cross-site Scripting]
20.1 Navigate to http://MACHINE_IP/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.
Explanation: Use this JavaScript code to cause a popup saying "Hello": <script>alert("Hello")</script>
Answer: ThereIsMoreToXSSThanYouThink
20.2 On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
Explanation: In JavaScript, window.location.hostname returns the host name of the page. Given the information in the hints, we can therefore use this payload to display our IP: <script>alert(window.location.hostname)</script>
Answer: ReflectiveXss4TheWin
20.3 Now navigate to http://MACHINE_IP/ in your browser and click on the “Stored XSS” tab on the navbar; make an account. Then add a comment and see if you can insert some of your own HTML.
Answer: HTML_T4gs
20.4 On the same page, create an alert popup box that appears on the page with your document cookies.
Explanation: Use this payload to show the cookies (the property is document.cookie, singular): <script>alert(document.cookie)</script>
Answer: W3LL_D0N3_LVL2s
20.5 Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.
Explanation: Using the hint provided, use this JavaScript: <script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
Answer: websites_can_be_easily_defaced_with_xss
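All three stored-XSS payloads in this task work because the comment text is written into the page unencoded. This added example (not the lab's code) puts the vulnerable rendering next to the hardened one using Python's html.escape, runs the task's own payloads through both, and builds a Set-Cookie header with HttpOnly so that the document.cookie trick of 20.4 has nothing to read; the cookie name and values are constructed.

```python
import html

# The payloads quoted in task 20, used here only as test input for the renderer.
PAYLOADS = [
    '<script>alert("Hello")</script>',
    '<script>alert(document.cookie)</script>',
    "<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>",
]


def render_comment_unsafe(comment):
    """Stored-XSS-prone: user text is concatenated straight into the page markup."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment):
    """Hardened: encode <, >, &, and both quote characters so the browser displays
    the text as text and never parses it as markup or script."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def contains_script_tag(markup):
    """Crude check used by the tests: does the output still carry a real <script tag?"""
    return "<script" in markup.lower()


def session_cookie_header(value, max_age=3600):
    """Set-Cookie with HttpOnly (not readable from document.cookie), Secure (HTTPS only)
    and SameSite=Lax (not sent on most cross-site requests). Cookie name is constructed."""
    return (f"Set-Cookie: session={value}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```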
Task 21 [Insecure Deserialization]
21.1 Who developed the Tomcat application?
Answer: Apache Software Foundation
21.2 What type of attack that crashes services can be performed with insecure deserialization?
Answer: Denial of Service
Task 22 [Insecure Deserialization — Objects]
22.1 Select the correct term of the following statement
if a dog was sleeping, would this be:
A) A State
B) A Behaviour
Answer: behaviour
Task 23 [Insecure Deserialization — Deserialization]
23.1 What is the name of the base-2 formatting that data is sent across a network as?
Answer: binary
Task 24 [Insecure Deserialization — Cookies]
24.1 If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
Answer: webapp.com/login
24.2 What is the acronym for the web technology that Secure cookies work over?
Answer: https
Task 25 [Insecure Deserialisation — Cookies Practical]
25.1 1st flag (cookie value)
Open the developer console and investigate the session ID. Notice that it is base64 encoded, so it needs to be decoded. Use a tool such as
https://www.base64decode.org to decode the encoded session ID.
From the result obtained, we can see the flag.
Answer: THM{good_old_base64_huh}
25.2 2nd flag (admin dashboard)
Answer: THM{heres_the_admin_flag}
Task 26 [Insecure Deserialization — Code Execution]
26.1 Answer: 4a69a7ff9fd68
Task 29 [Components With Known Vulnerabilities - Lab]
The first thing to do when exploiting a web application is to perform some reconnaissance on it, e.g. what kind of platform was used to build the application and which technologies it uses. I found out that it's using PHP and MySQL. It also seems to be developed with projectworlds.
Secondly, based on the hint "You know it's a bookstore application, you should check for recent unauthenticated bookstore app RCEs.", I made a search query.
We find the exploit we are looking for: https://www.exploit-db.com/exploits/47887
Download the exploit with the command wget https://www.exploit-db.com/download/47887 and run it against your target.
Then run wc -c /etc/passwd to obtain the number of characters in the file.
Answer: 1611
Task 30 [Insufficient Logging and Monitoring]
30.1 What IP address is the attacker using?
Observing the logs, the attacker's IP address is the one whose requests are marked as unauthorised and come from an anonymous party. We can conclude that the attacker's IP is 49.99.13.16.
30.2 What kind of attack is being carried out?
It seems to be a brute-force attack trying combinations of usernames and passwords with a tool such as hydra, brutespray, Medusa, etc.
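The two questions in this task are the kind of thing a detection rule should answer automatically. This added example (not part of the write-up) parses constructed login-log lines in a simple `status reason user ip` layout (the lab's real log format is not reproduced here; only the attacker IP from 30.1 is reused) and flags any source IP that fails authentication against several distinct usernames, which is the brute-force pattern of 30.2.

```python
from collections import defaultdict

# Constructed log lines: status, reason, username tried, source IP.
SAMPLE_LOG = """\
200 OK jr22 10.0.0.4
401 Unauthorised admin 49.99.13.16
401 Unauthorised administrator 49.99.13.16
401 Unauthorised anonymous 49.99.13.16
401 Unauthorised root 49.99.13.16
401 Unauthorised sam 10.0.0.7
200 OK sam 10.0.0.7
"""


def parse_log(text):
    """One dict per well-formed line; lines with the wrong field count are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        status, reason, user, ip = parts
        events.append({"status": int(status), "reason": reason, "user": user, "ip": ip})
    return events


def failed_logins_by_ip(events):
    """Map each source IP to the set of usernames it failed to authenticate as."""
    failures = defaultdict(set)
    for event in events:
        if event["status"] == 401:
            failures[event["ip"]].add(event["user"])
    return failures


def suspected_brute_force(events, threshold=3):
    """IPs with failures against at least `threshold` distinct usernames. One user
    mistyping a password (sam above) stays below it; a username-guessing run does not."""
    return sorted(ip for ip, users in failed_logins_by_ip(events).items()
                  if len(users) >= threshold)
```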
Conclusion
A very time-consuming and educational room. I actually enjoyed this room; it was very difficult as I am a web app guy. Rating: 10/10.