This is the write-up for the OWASP Top 10 room on Tryhackme.
Connect to the Tryhackme lab environment either through the VPN or by using the AttackBox on the Tryhackme site.
Tasks for the OWASP Top 10 room
In this room we will learn about the following OWASP Top 10 vulnerabilities:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entity
- Broken Access Control
- Security Misconfiguration
- Cross-site Scripting
- Insecure Deserialization
- Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Task 1, Task 2, Task 3 & Task 4
Read all that is in those tasks and press complete
Task 5:
Deploy the attached VM and read all that is in the task.
5.1 What strange text file is in the website root directory?
Since this is a reverse shell, type the command ls into the console and press submit.
The answer: drpepper.txt
5.2 How many non-root/non-service/non-daemon users are there?
Enter the command cat /etc/passwd and press submit.
Every line with a UID above 100 (the third field, e.g. x:100) is a candidate user; for each one check whether it has a home directory under /home/$Username.
Answer: 0
5.3 What user is this app running as?
Type in the command whoami
Answer: www-data
5.4 What is the user’s shell set as?
Type in cat /etc/passwd and look for the www-data user. The shell is the last field on that same line.
Answer: /usr/sbin/nologin
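Questions 5.2 and 5.4 both come down to reading fields out of /etc/passwd. The following is an added example, not part of the room or this write-up, that does the same check programmatically on a constructed passwd sample; the UID 1000 cut-off and the /home and nologin checks are the assumptions it applies.

```python
# Added example: parse passwd-style lines and pick out interactive (human) users.
# SAMPLE_PASSWD is constructed here; it is not the room's VM.
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
falcon:x:1000:1000:falcon,,,:/home/falcon:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Split each 'name:pw:uid:gid:gecos:home:shell' line into a PasswdEntry."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it instead of crashing on the whole file
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def human_users(entries: list, min_uid: int = 1000) -> list:
    """Non-root, non-service accounts (assumption: UID >= 1000, a /home dir and a login shell)."""
    return [e for e in entries
            if e.uid >= min_uid
            and e.home.startswith("/home/")
            and not e.shell.endswith("nologin")
            and e.shell != "/bin/false"]


def shell_of(entries: list, name: str):
    """Return the shell field for `name`, or None if the account does not exist."""
    for e in entries:
        if e.name == name:
            return e.shell
    return None
```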
5.5 What version of Ubuntu is running?
Type in the command lsb_release -a
Answer: 18.04.4
5.6 Print out the MOTD. What favorite beverage is shown?
The hint shows 00-header. Googling "linux where to find MOTD" brings up this article: How to use the motd file to get Linux users to pay attention | Network World
It explains what the MOTD is and how it works. For us, the command ls /etc/update-motd.d lists all the scripts that build the MOTD. Find 00-header there and print it with cat /etc/update-motd.d/00-header
Answer: DR PEPPER
Task 6:
Read all that is in the task then press complete
Task 7:
Read all that is in the task and deploy the VM attached to this room
What is the flag that you found in darren’s account?
The last paragraph of the task gives the answer away. Press register and type the username exactly as " darren" (with the space in front), fill in an email and password, then log in with the user and password you have just created. You will see the flag; copy and paste it into the answer box.
What is the flag that you found in arthur’s account?
Do the same as in the previous question, but with the username arthur
Task 8:
Read all that is in the task and deploy the VM attached to this task
Task 9:
Read all that is in the task and press complete
Task 10:
Read all that is in the task and press complete
Task 11:
What is the name of the mentioned directory?
Open the page in a browser of your choice. Navigate to the login page and view the source code.
Answer: /assets
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
When navigating to the correct location we can see a file with the extension .db
Answer: webapp.db
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Download webapp.db by clicking on it. Open a terminal in the directory where webapp.db was saved and type in the following commands:
- sqlite3 webapp.db
- .tables
- PRAGMA table_info(users);
- SELECT * FROM users;
Notice the ; at the end of the SQL statements inside the sqlite3 program.
After pressing enter on the last command you will see the answer. Copy and paste that hash into the answer field.
What is the admin’s plaintext password?
Navigate to crackstation.net, paste in the hash you just found and press Crack Hashes. The password appears in the result field; copy and paste it in as the answer to the question.
Login as the admin. What is the flag?
Now that we have the password, go to the login page again and log in as admin with the password we found. The flag is on the first page after you log in.
XML External Entity
Task 12:
Read all that is in the task and press complete
Task 13:
Read all that is in the task. The answers to these questions can all be found in the task
Full form of XML
Answer: Full form of XML
Is it compulsory to have XML prolog in XML documents?
Answer: No
Can we validate XML documents against a schema?
Answer: Yes
How can we specify XML version and encoding in XML document?
Answer: XML Prolog
Task 14:
Read all that is in the task. The answers are in the text of the task
How do you define a new ELEMENT?
Answer: !ELEMENT
How do you define a ROOT element?
Answer: !DOCTYPE
How do you define a new ENTITY?
Answer: !ENTITY
Task 15:
Read all that is in the task and press complete
Task 16:
Navigate to the website
Try to display your own name using any payload.
See if you can read the /etc/passwd
What is the name of the user in /etc/passwd
Start looking at UID 1000. If we look at the output of the previous question we see one user
Answer: falcon
Where is falcon’s SSH key located?
We know SSH keys are located in the user's home directory: /home/$Username/.ssh/id_rsa
We learned that in the Network Services room on Tryhackme
Answer: /home/falcon/.ssh/id_rsa
What are the first 18 characters of falcon's private key?
Here is the payload needed. It is just a small adjustment of the previous payload
Press submit and the answer will be revealed
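Task 14 explains that entities are declared inside a DOCTYPE, and Task 16 shows what happens when a server expands one that points at a file. The example below is added here and is not code from the room or the write-up: it is the defensive side, a parser wrapper that refuses any document carrying a DOCTYPE before an entity could be expanded. Both input documents are constructed; the hardened parser and its exception name are my own.

```python
# Added example: reject XML that declares a DTD, which is where <!ENTITY ...> lives.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE (and so possibly an external entity)."""


def parse_without_dtd(xml_bytes: bytes) -> ET.Element:
    """Parse XML, but fail closed on any <!DOCTYPE ...> before entities are processed."""
    pre = xml.parsers.expat.ParserCreate()

    def reject(name, sysid, pubid, has_internal_subset):
        # expat calls this the moment it reads <!DOCTYPE ...>; raising aborts the parse.
        raise DoctypeNotAllowed(f"DOCTYPE for <{name}> is not allowed")

    pre.StartDoctypeDeclHandler = reject
    pre.Parse(xml_bytes, True)
    # Only documents with no DTD at all reach the real parser.
    return ET.fromstring(xml_bytes)


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document parses under the no-DTD policy, False if it was rejected."""
    try:
        parse_without_dtd(xml_bytes)
        return True
    except DoctypeNotAllowed:
        return False


# Constructed inputs: a normal request, and the shape of document the room submits.
BENIGN = b"<?xml version='1.0'?><root><name>falcon</name></root>"
XXE_SHAPED = (b"<?xml version='1.0'?>"
              b"<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>"
              b"<root><name>&read;</name></root>")
```

The same policy is what "disable DTDs" means in the room's mitigation advice; if an application genuinely needs internal entities, this check is too strict and external entity resolution must be disabled on the parser instead.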
Task 17:
Read all that is in the task and press complete
Task 18:
Read and understand how IDOR works.
Read the text in the task and press complete
Deploy the machine and go to http://MACHINEIP – Login with the username being noot and the password test1234.
Login as stated in the question and press complete
Look at other users notes. What is the flag?
We have just learned to change the parameter. Look at the parameter note.php?note=1 in the URL. Change the 1 to 0 and see the flag. Yes, you need to lower it, not add 1 to it. Think outside the box.
Task 19:
Read all that is in the task and then deploy the VM
Hack into the webapp, and find the flag!
The task focuses on default passwords. Navigate to the website; we can see it is Pensive Notes. Put "Pensive Notes default credential" into Google. For me the credentials were in the summary of the first Google search result. Log in with those credentials and the flag will be shown.
Task 20:
Read all that is in the task, then deploy the VM attached to the task
Navigate to http://MACHINE_IP in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello
Put the following code in the search box and press the button: <script>alert("Hello World")</script>
Answer: ThereIsMoreToXSSThanYouThink
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address
Type in the following in the search box: <script>alert(window.location.hostname)</script>
Answer: ReflectiveXss4TheWin
Then add a comment and see if you can insert some of your own HTML.
Type in the following: <h1>This is my own</h1>
Answer: HTML_T4gs
On the same page, create an alert popup box appear on the page with your document cookies.
Type in the following <script>alert(document.cookie)</script>
Answer: W3LL_D0N3_LVL2
Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.
Type in the following: <script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
Answer: websites_can_be_easily_defaced_with_xss
Task 21:
Read all that is in the task
Who developed the Tomcat application?
You can find this with google
Answer: Apache Software Foundation
What type of attack that crashes services can be performed with insecure deserialization?
Answer: Denial of Service
Task 22
If a dog was sleeping, would this be:
A) A State
B) A Behaviour
Answer: A Behaviour
Task 23
What is the name of the base-2 formatting that data is sent across a network as?
Answer: binary
Task 24
If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?
Answer: webapp.com/login
What is the acronym for the web technology that Secure cookies work over?
Answer: HTTPS
Task 25:
Follow along with the task until you reach "modify cookie"
1st flag (cookie value)
Copy the session ID and decode it from base64 in CyberChef
The answer can be found in the CyberChef output
2nd flag (admin dashboard)
Now modify the cookie as stated in the task
Now navigate to http://MACHINE_IP/admin and see the flag
Task 26:
Follow the task. Once you have a reverse shell, type in /bin/bash -i to get a better shell. Now look for flag.txt by entering cd .. followed by ls, then cat flag.txt
Task 27:
Read all that is in the task and press complete
Task 28:
Read all that is in the task and press complete
Task 29:
How many characters are in /etc/passwd? (use wc -c /etc/passwd to get the answer)
Google what the hint is saying: unauthenticated bookstore app RCE
You will find the exploit Online Book Store 1.0 – Unauthenticated Remote Code Execution – PHP webapps Exploit (exploit-db.com)
Use the exploit
Type in the command wc -c /etc/passwd and there is the answer to the question
Bonus: Try default credentials on the admin page to access the admin page. I'm sure there is also an exploit by uploading files for books 😀
Task 30:
Read all that is in the task. Download the log file and open it
What IP address is the attacker using?
The same IP address shows up multiple times with Unauthorised. Fill in this IP address as the answer
What kind of attack is being carried out?
Answer: brute force
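Task 30 has you spot the brute force by eye: one IP, many Unauthorised lines in a short time. As an added example that is not part of the room or this write-up, here is that same logic as detection code run over a constructed log in a made-up "date time ip user status" format (the room's real log looks different, so adapt parse_line to it); the threshold and window are assumptions.

```python
# Added example: flag source IPs with many failed logins inside a short window.
# SAMPLE_LOG is constructed (documentation IP ranges), not the room's log file.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-04-21 20:55:55 203.0.113.45 ashley Unauthorised
2019-04-21 20:55:59 203.0.113.45 bill Unauthorised
2019-04-21 20:56:03 203.0.113.45 root Unauthorised
2019-04-21 20:56:08 203.0.113.45 admin Unauthorised
2019-04-21 20:56:12 203.0.113.45 test Unauthorised
2019-04-21 20:56:20 203.0.113.45 guest Unauthorised
2019-04-21 20:57:01 198.51.100.7 falcon Unauthorised
2019-04-21 20:57:10 198.51.100.7 falcon OK
"""


def parse_line(line: str):
    """Assumed format: 'YYYY-MM-DD HH:MM:SS ip user status'."""
    date, time, ip, user, status = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, user, status


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: total_failures} for every IP with >= threshold failures inside any window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _user, status = parse_line(line)
        if status == "Unauthorised":
            failures[ip].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def suspected_attacker(log_text: str):
    """The flagged IP with the most failures, or None when nothing crosses the threshold."""
    flagged = find_bruteforce(log_text)
    return max(flagged, key=flagged.get) if flagged else None
```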