The Dutch Hacker

OWASP Top 10 on Tryhackme

This is the write-up for the room OWASP Top 10 on TryHackMe.

Connect with the VPN, or use the AttackBox on the TryHackMe site, to reach the TryHackMe lab environment.

Task for the OWASP Top 10 room

In this room we will learn about the following OWASP Top 10 vulnerabilities:

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entity
  • Broken Access Control
  • Security Misconfiguration
  • Cross-site Scripting
  • Insecure Deserialization
  • Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

Task 1, Task 2, Task 3 & Task 4

Read everything in those tasks and press complete.

Task 5:

Deploy the attached VM and read all that is in the task.

5.1 What strange text file is in the website root directory?

The task gives you a shell on the target, so type the command ls into the console and press submit.

[Screenshot: EvilShell output]

Answer: drpepper.txt

5.2 How many non-root/non-service/non-daemon users are there?

Enter the command cat /etc/passwd and press submit.

[Screenshot: EvilShell output]

Accounts with a UID above 100 (the number after the x: field) are candidate users, and for each one we check whether it has a home directory under /home/$Username.

Answer: 0

5.3 What user is this app running as?

Type in the command whoami.

[Screenshot: EvilShell output]

Answer: www-data

5.4 What is the user’s shell set as?

Type in cat /etc/passwd and look for the www-data user. The last field on that line is the shell.

Answer: /usr/sbin/nologin
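Questions 5.2 and 5.4 are both answered by reading /etc/passwd field by field. The following is an added example, not part of the original write-up or the room, that does the same reading in code: it parses passwd-format text, lists accounts that look like real users (UID at or above 1000, home under /home, a shell that permits login), and looks up one account's shell. The passwd lines are constructed for the example and are not taken from the TryHackMe VM.

```python
# Added example: parse /etc/passwd the way questions 5.2 and 5.4 read it by eye.
# The sample lines are constructed, not copied from the room's VM.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-svc:x:1001:1001::/var/backups:/usr/sbin/nologin
"""

# Shells that refuse interactive logins (service accounts usually get one of these).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per account from passwd-format text (7 colon-separated fields)."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def human_users(text, min_uid=1000):
    """Accounts that look like real people: UID >= min_uid, a home under /home,
    and a shell that actually allows a login. This is the 5.2 check."""
    return [a["name"] for a in parse_passwd(text)
            if a["uid"] >= min_uid
            and a["home"].startswith("/home/")
            and a["shell"] not in NOLOGIN_SHELLS]


def shell_of(text, username):
    """The login shell of one account, or None if it does not exist. This is the 5.4 check."""
    for a in parse_passwd(text):
        if a["name"] == username:
            return a["shell"]
    return None


if __name__ == "__main__":
    print("interactive users:", human_users(SAMPLE_PASSWD))
    print("www-data shell:", shell_of(SAMPLE_PASSWD, "www-data"))
```

On a real host, read the text with open("/etc/passwd").read() and pass it to the two functions; the same filter is a quick audit for stray interactive accounts on a box you administer.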

5.5 What version of Ubuntu is running?

Type in the command lsb_release -a.

Answer: 18.04.4

5.6 Print out the MOTD.  What favorite beverage is shown?

The hint mentions 00-header. Searching Google for "linux where to find MOTD" leads to this article: How to use the motd file to get Linux users to pay attention | Network World.

It explains what the MOTD is. For our purposes, type the command ls /etc/update-motd.d, which lists the files that make up the MOTD. Find 00-header and print it to the screen with cat /etc/update-motd.d/00-header.

Answer: DR PEPPER

Task 6:

Read all that is in the task, then press complete.

Task 7:

Read all that is in the task and deploy the VM attached to this room.

What is the flag that you found in darren’s account?

The last paragraph of the task gives the answer away. Press register and enter " darren" (with a leading space) as the username, then fill in an email and password. Log in with the user and password you just created and the flag is shown; copy and paste it into the answer box.

What is the flag that you found in arthur’s account?

Repeat the previous steps with the username arthur.
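The trick above works because the registration form stores " darren" as a different account from "darren", yet the application treats the two as the same user. As an added example (not the room's code, and the Registry class and its validation rule are assumptions for illustration), this is the server-side normalisation that closes the gap: usernames are stripped of whitespace and case-folded before the uniqueness check, so the lookalike registration is refused.

```python
# Added example: a registration store that refuses lookalike usernames.
# The validation rule (3-32 chars of [a-z0-9_.-]) is an assumption for the example.
import re


class Registry:
    def __init__(self):
        self._users = {}  # canonical name -> the name as originally entered

    @staticmethod
    def canonical(username):
        """Remove all whitespace and fold case so ' darren', 'DARREN' and 'darren' collide."""
        name = re.sub(r"\s+", "", username).casefold()
        if not re.fullmatch(r"[a-z0-9_.-]{3,32}", name):
            raise ValueError("username has disallowed characters or length")
        return name

    def register(self, username):
        """Return True if the account was created, False if the name is already taken."""
        key = self.canonical(username)
        if key in self._users:
            return False
        self._users[key] = username.strip()
        return True

    def lookup(self, username):
        """Resolve any spelling of the name to the stored account, or None."""
        return self._users.get(self.canonical(username))


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("darren"), reg.register(" darren"))  # True False
```

The same canonical form must be used at login and at every other place the username is compared, otherwise the mismatch simply moves elsewhere.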

Task 8:

Read all that is in the task and deploy the VM attached to the task.

Task 9:

Read all that is in the task and press complete

Task 10:

Read all that is in the task and press complete

Task 11:

What is the name of the mentioned directory?

Open the page in a browser of your choice. Navigate to the login page and view the source code.

Answer: /assets

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

When navigating to that location we can see a file with the extension .db.

[Screenshot: /assets directory listing]

Answer: webapp.db


Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Download webapp.db by clicking on it. Open a terminal in the directory where webapp.db was saved and type the following commands:

  • sqlite3 webapp.db
  • .tables
  • PRAGMA table_info(users);
  • SELECT * FROM users;

Note the ; at the end of the SQL statements inside the sqlite3 program.

[Screenshot: sqlite3 output]

After pressing enter on the last command you will see the answer. Copy and paste that hash into the answer field.

What is the admin’s plaintext password?

Navigate to crackstation.net, paste in the hash you just found and press Crack Hashes. The password appears in the result field; copy and paste it in as the answer to the question.

Login as the admin. What is the flag?

Now that we have the password, go to the login page again and log in as admin with the password we found. The flag is on the first page after login.
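The hash in webapp.db fell to a lookup service in seconds because it was a plain, unsalted digest: every user with the same password gets the same hash, so one precomputed table breaks all of them. As an added example (not code from the room or the write-up; the storage format string is an assumption), here is the weak scheme beside a salted, iterated one using only the Python standard library, with a verify function that compares in constant time.

```python
# Added example: unsalted MD5 (what leaked database dumps often contain) beside
# PBKDF2-HMAC-SHA256 with a per-user random salt. Storage format is an assumption.
import hashlib
import hmac
import os


def weak_hash(password):
    """Unsalted MD5: identical passwords give identical hashes, so a lookup
    table built once reverses every occurrence."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as one '$'-separated string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(weak_hash("password"))              # same value on every system, every time
    print(strong_hash("password"))            # differs on every call because of the salt
```

A dedicated password hash such as bcrypt, scrypt or Argon2 is preferable in production; PBKDF2 is shown here because it ships with the standard library and illustrates the salt-plus-work-factor idea without extra dependencies.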

XML External Entity

Task 12:

Read all that is in the task and press complete

Task 13:

Read all that is in the task. The answer of these questions can all be found in the task

What is the full form of XML?

Answer: Full form of XML

Is it compulsory to have XML prolog in XML documents?

Answer: No

Can we validate XML documents against a schema?

Answer: Yes


How can we specify XML version and encoding in XML document?

Answer: XML Prolog

Task 14:

Read all that is in the task. The answers are in the text of the task

How do you define a new ELEMENT?

Answer: !ELEMENT

How do you define a ROOT element?

Answer: !DOCTYPE

How do you define a new ENTITY?

Answer: !ENTITY

Task 15:

Read all that is in the task and press complete

Task 16:

Navigate to the website.

Try to display your own name using any payload.

[Screenshot: payload displaying a name]

See if you can read /etc/passwd.

[Screenshot: payload reading /etc/passwd]

What is the name of the user in /etc/passwd?

Regular users start at UID 1000. Looking at the output of the previous question we see one such user.

Answer: falcon

Where is falcon’s SSH key located?

We know SSH keys are located in the user's home directory: /home/$Username/.ssh/id_rsa

We learned that in the Network Services room on TryHackMe.

Answer: /home/falcon/.ssh/id_rsa

What are the first 18 characters of falcon's private key?

Here is the payload needed; it is only a small adjustment of the previous payload.

[Screenshot: payload reading the private key]

Press submit and the answer is revealed.
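Tasks 14 to 16 turn on one fact: a DOCTYPE in the document can declare entities, and a parser that honours them will substitute their content, including content fetched from a file, into the result. The simplest defence is to refuse any DTD in untrusted input before a parser ever sees it. The following is an added example, not code from the room or the write-up: a guard around ElementTree that rejects documents carrying a DOCTYPE, plus a small demonstration that the unguarded parser does expand an entity declared in the internal subset, which is why the guard is needed. The XML documents are constructed for the example.

```python
# Added example: refuse DTDs in untrusted XML before parsing (the same idea as
# the defusedxml package, reduced to one check). Sample documents are constructed.
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source; any DOCTYPE is rejected outright."""
    if DOCTYPE_RE.search(data):
        raise ValueError("DTD/DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(data)


# A harmless document of the shape the task's form expects.
NAME_DOC = "<data><name>falcon</name></data>"

# An entity declared inline; the parser substitutes its value for &who;.
INTERNAL_ENTITY_DOC = ('<!DOCTYPE d [<!ENTITY who "falcon">]>'
                       '<data><name>&who;</name></data>')

# The same mechanism pointed at a file on the server (the task 16 pattern).
EXTERNAL_ENTITY_DOC = ('<!DOCTYPE d [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
                       '<data><name>&f;</name></data>')


def name_from(doc):
    """The application's read of the <name> element, through the guard."""
    return parse_untrusted_xml(doc).findtext("name")


def stdlib_expands_internal_entities():
    """Plain ElementTree, no guard: the entity declared in the internal subset
    is expanded, so entity handling cannot be left to the parser's defaults."""
    return ET.fromstring(INTERNAL_ENTITY_DOC).findtext("name")


if __name__ == "__main__":
    print(name_from(NAME_DOC))
    print(stdlib_expands_internal_entities())
    for doc in (INTERNAL_ENTITY_DOC, EXTERNAL_ENTITY_DOC):
        try:
            name_from(doc)
        except ValueError as exc:
            print("rejected:", exc)
```

Where a DTD is legitimately required, use a parser configured to resolve no external entities and to cap entity expansion, rather than a string check; the string check is the right tool when, as in this room's form, a DOCTYPE has no business being there at all.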

Task 17:

Read all that is in the task and press complete

Task 18:

Read and understand how IDOR works.

Read the text in the task and press complete

Deploy the machine and go to http://MACHINEIP. Log in with the username noot and the password test1234.

Log in as stated in the question and press complete.

Look at other users notes. What is the flag?

We just learned to change the parameter. Look at the parameter note.php?note=1 in the URL. Change the 1 to 0 and the flag appears. Yes, you need to lower it rather than add 1 to it. Think outside the box.
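The note page hands out whichever record the note parameter names, without asking whether the logged-in user owns it. As an added example (not the room's PHP; the note store, the Forbidden exception and the flag placeholder are constructed for illustration), here is that lookup in its vulnerable form beside the fixed form, where the record's owner must match the session user before anything is returned.

```python
# Added example: the IDOR in note.php?note=<id>, then the ownership check that fixes it.
# The note store and its contents are constructed placeholders.
NOTES = {  # note id -> (owner, body)
    0: ("admin", "FLAG_PLACEHOLDER"),
    1: ("noot", "shopping list"),
    2: ("noot", "todo: change password"),
}


class Forbidden(Exception):
    """Raised when the session user is not the owner of the requested note."""


def get_note_vulnerable(current_user, note_id):
    """Serves any id to anyone: the caller's identity is never consulted."""
    return NOTES[note_id][1]


def get_note_fixed(current_user, note_id):
    """Same lookup, but the stored owner must equal the session user.
    Unknown ids and other users' notes get the same error, so ids cannot
    be probed for existence."""
    owner, body = NOTES.get(note_id, (None, None))
    if owner is None or owner != current_user:
        raise Forbidden(f"{current_user} may not read note {note_id}")
    return body


if __name__ == "__main__":
    print(get_note_vulnerable("noot", 0))   # another user's note, no check
    print(get_note_fixed("noot", 1))        # own note
    try:
        get_note_fixed("noot", 0)
    except Forbidden as exc:
        print("blocked:", exc)
```

The usual fix is even simpler than a comparison: query the store with both the id and the owner (SELECT ... WHERE id = ? AND owner = ?), so a record that does not belong to the caller is never loaded at all.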

Task 19:

Read all that is in the task and then deploy the VM.

Hack into the webapp, and find the flag!

The task focuses on default passwords. Navigate to the website; it is Pensive Notes. Search Google for "Pensive Notes default credential"; for me the credentials were in the summary of the first search result. Log in with those credentials and the flag is shown.

Task 20:

Read all that is in the task, then deploy the VM attached to the task.

Navigate to http://MACHINE_IP in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello

Put the following code in the search box and press the button: <script>alert("Hello World")</script>

Answer: ThereIsMoreToXSSThanYouThink

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address

Type the following into the search box: <script>alert(window.location.hostname)</script>

Answer: ReflectiveXss4TheWin

Then add a comment and see if you can insert some of your own HTML.

Type in the following: <h1>This is my own</h1>

Answer: HTML_T4gs


On the same page, create an alert popup box appear on the page with your document cookies.

Type in the following <script>alert(document.cookie)</script>

Answer: W3LL_D0N3_LVL2

Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.

Type in the following: <script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

Answer: websites_can_be_easily_defaced_with_xss
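Every payload in Task 20 works for one reason: the search term or comment is pasted into the page as raw HTML. As an added example (not the playground's own code; the two render functions are constructed for illustration), here is the vulnerable rendering beside the fixed one, which escapes the user-controlled text so that the same five payloads are displayed as text instead of executed. The check function confirms that no tag can be opened from the escaped output.

```python
# Added example: reflected input rendered raw (XSS) versus HTML-escaped.
# The render functions are constructed stand-ins for the playground's pages.
import html

PREFIX = "<p>You searched for: "
SUFFIX = "</p>"


def render_search_vulnerable(term):
    """User input dropped straight into the markup."""
    return f"{PREFIX}{term}{SUFFIX}"


def render_search_fixed(term):
    """Same page, but <, >, &, and quotes are turned into entities first."""
    return f"{PREFIX}{html.escape(term, quote=True)}{SUFFIX}"


# The payloads from Task 20, used here only as test input.
PAYLOADS = [
    '<script>alert("Hello World")</script>',
    "<script>alert(window.location.hostname)</script>",
    "<h1>This is my own</h1>",
    "<script>alert(document.cookie)</script>",
    "<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>",
]


def user_part(rendered):
    """Slice out the part of the page that came from the user."""
    return rendered[len(PREFIX):-len(SUFFIX)]


def contains_markup(rendered):
    """True if the user-controlled part could still open or close a tag."""
    body = user_part(rendered)
    return "<" in body or ">" in body


if __name__ == "__main__":
    for p in PAYLOADS:
        print(contains_markup(render_search_vulnerable(p)),
              contains_markup(render_search_fixed(p)))
```

Escaping is context-specific: html.escape is right for text nodes and quoted attribute values, but input placed inside a script block, a URL or a CSS value needs the encoder for that context, and a Content-Security-Policy header limits the damage when an encoder is missed.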

Task 21:

Read all that is in the task

Who developed the Tomcat application?

You can find this with google

Answer: Apache Software Foundation


What type of attack that crashes services can be performed with insecure deserialization?

Answer: Denial of Service

Task 22

If a dog was sleeping, would this be:

A) A State
B) A Behaviour

Answer: A Behaviour 

Task 23

What is the name of the base-2 formatting that data is sent across a network as? 

Answer: binary

Task 24


If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

Answer: webapp.com/login

What is the acronym for the web technology that Secure cookies work over?

Answer: HTTPS

Task 25:

Follow along with the task until you reach the modify-cookie step.

1st flag (cookie value)

Copy the session ID and decode it from base64 in CyberChef.

[Screenshot: cookie manipulation in CyberChef]

The answer can be found in the CyberChef output.

2nd flag (admin dashboard)

Now modify the cookie as stated in the task.

[Screenshot: cookie manipulation]

Now navigate to http://MACHINE_IP/admin and see the flag.
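The cookie in Task 25 can be rewritten because base64 is an encoding, not a protection: anyone can decode it, change a field and re-encode it. The following is an added example, not the room's code (the cookie layout, the secret and the field names are constructed assumptions): it reproduces the decode-and-modify step, then shows the server-side fix, an HMAC tag over the payload that makes the modified cookie fail verification.

```python
# Added example: a base64 session cookie that can be tampered with, and the
# HMAC signature that detects the tampering. Secret and layout are constructed.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-server-side-secret"  # assumption: never leaves the server


def decode_cookie(value):
    """The CyberChef step from the task: base64 -> JSON -> dict."""
    return json.loads(base64.b64decode(value))


def encode_cookie(session):
    return base64.b64encode(json.dumps(session, sort_keys=True).encode()).decode()


def sign_cookie(session):
    """payload.tag, where tag = HMAC-SHA256(secret, payload)."""
    payload = encode_cookie(session)
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(value):
    """Return the session dict if the tag matches, else None."""
    payload, _, tag = value.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_cookie(payload)


def tamper(value):
    """What the 2nd-flag step does: decode, flip the admin flag, re-encode,
    keeping the old tag because the secret is unknown to the client."""
    payload, _, tag = value.rpartition(".")
    session = decode_cookie(payload)
    session["admin"] = True
    return f"{encode_cookie(session)}.{tag}"


if __name__ == "__main__":
    cookie = sign_cookie({"username": "noot", "admin": False})
    print(verify_cookie(cookie))          # original session
    print(verify_cookie(tamper(cookie)))  # None: signature no longer matches
```

Signing stops modification but not reading; if the cookie must also hide its contents, encrypt it as well, and in either case keep the authorisation decision (is this user an admin?) on the server rather than trusting a client-held flag.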

Task 26:

Follow the task. Once you have a reverse shell, type /bin/bash -i to get a better shell. Then search for flag.txt by entering cd .., followed by ls, then cat flag.txt.

Task 27:

Read all that is in the task and press complete

Task 28:

Read all that is in the task and press complete

Task 29:

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Google what the hint says: unauthenticated bookstore app RCEs.

You will find the exploit Online Book Store 1.0 – Unauthenticated Remote Code Execution – PHP webapps Exploit (exploit-db.com).

Use the exploit.

[Screenshot: exploit run against the bookstore]

Type the command wc -c /etc/passwd and there is the answer to the question.

Bonus: try default credentials on the admin page to access it. I'm sure there is also an exploit via uploading files for books 😀

Task 30:

Read all that is in the task. Download the log file and open it

What IP address is the attacker using?

We can see multiple Unauthorised entries from the same IP address. Fill in this IP address as the answer.

What kind of attack is being carried out?

Answer: brute force
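Spotting the attacker in Task 30 comes down to one IP address producing many Unauthorised results in a short time. As an added example (not the room's log file, whose format is not reproduced here; the log lines, their layout and the thresholds are constructed), here is that judgement as detection logic: failed logins are grouped per source IP and an IP is flagged when a sliding time window contains at least a threshold number of failures, which separates a brute-force run from a user who mistypes a password once.

```python
# Added example: brute-force detection over constructed login log lines.
# The line format, IPs (RFC 5737 test ranges) and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-04-05 09:14:01 LOGIN user=admin result=Unauthorised src=203.0.113.5
2021-04-05 09:14:03 LOGIN user=admin result=Unauthorised src=203.0.113.5
2021-04-05 09:14:04 LOGIN user=root result=Unauthorised src=203.0.113.5
2021-04-05 09:14:06 LOGIN user=test result=Unauthorised src=203.0.113.5
2021-04-05 09:14:07 LOGIN user=guest result=Unauthorised src=203.0.113.5
2021-04-05 09:14:09 LOGIN user=admin result=Unauthorised src=203.0.113.5
2021-04-05 09:15:30 LOGIN user=alice result=Unauthorised src=198.51.100.7
2021-04-05 09:15:41 LOGIN user=alice result=OK src=198.51.100.7
2021-04-05 09:20:00 LOGIN user=bob result=Unauthorised src=192.0.2.9
2021-04-05 09:31:00 LOGIN user=bob result=Unauthorised src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) result=(?P<res>\S+) src=(?P<ip>\S+)$")


def failed_logins(log_text):
    """Map source IP -> sorted list of timestamps of Unauthorised results."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["res"] != "Unauthorised":
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    for times in attempts.values():
        times.sort()
    return attempts


def flag_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """IPs with at least `threshold` failures inside any `window`-long span,
    mapped to their total failure count."""
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def top_failing_ip(log_text):
    """The single IP with the most failures, or None (the question's answer)."""
    counts = {ip: len(t) for ip, t in failed_logins(log_text).items()}
    return max(counts, key=counts.get) if counts else None


if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))
    print(top_failing_ip(SAMPLE_LOG))
```

The window rule matters as much as the count: bob's two failures eleven minutes apart and alice's single slip are ignored, while the burst from 203.0.113.5 against several usernames is flagged at the fifth failure. The same grouping by source, with a lower threshold, is a reasonable starting point for a lockout or rate-limit rule.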
