OWASP Top 10 - TryHackMe Write-up

Info
- Name: OWASP Top 10
- Description: Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.
- Difficulty: Easy
- Room link: https://tryhackme.com/room/owasptop10
Write-up
Overview
This room breaks each OWASP topic down and includes details on what the vulnerability is, how it occurs and how you can exploit it. You will put the theory into practice by completing supporting challenges.
Injection
Q: What strange text file is in the website root directory?
A: drpepper.txt
ls

Q: How many non-root/non-service/non-daemon users are there?
A: 0
cat /etc/passwd | cut -d: -f1
Used explainshell.com, after searching for a way to do what was needed, to get a clearer explanation of what everything means.

Q: What user is this app running as?
A: www-data
Can be found with whoami or id.

Q: What is the user's shell set as?
A: /usr/sbin/nologin
cat /etc/passwd | grep "www-data"
Used grep to search for "www-data".

Q: What version of Ubuntu is running?
A: 18.04.4
hostnamectl or cat /etc/os-release

Q: Print out the MOTD. What favorite beverage is shown?
A: DR PEPPER
cat /etc/update-motd.d/00-header
It took some time to find a way to reach the answer, but I arrived there.

Broken Authentication
Q: What is the flag that you found in darren's account?
A: This is pretty straightforward: you only need to create the account as " darren" and it will show you the flag as soon as you log in.

Q: What is the flag that you found in arthur's account?
A: Just like the question before; the only difference is that the username is now " arthur".

Sensitive Data Exposure
Q: What is the name of the mentioned directory?
A: /assets

Q: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
A: webapp.db

Q: Use the supporting material to access the sensitive data. What is the password hash of the admin user?
A: 6eea9b7ef19179a06954edd0f6c05ceb

Q: Crack the hash. What is the admin's plaintext password?
A: qwertyuiop

Q: Login as the admin. What is the flag?
A: As soon as you login you are greeted with the flag.

XML External Entity
Q: Full form of XML
A: eXtensible Markup Language
Q: Is it compulsory to have XML prolog in XML documents?
A: No
Q: Can we validate XML documents against a schema?
A: Yes
Q: How can we specify XML version and encoding in XML document?
A: XML prolog
Q: How do you define a new ELEMENT?
A: !ELEMENT
Q: How do you define a ROOT element?
A: !DOCTYPE
Q: How do you define a new ENTITY?
A: !ENTITY
Q: What is the name of the user in /etc/passwd
A: falcon
I read the page source after using the exploit (the same as the example given before), as it is easier to read.

Q: Where is falcon's SSH key located?
A: /home/falcon/.ssh/id_rsa
From previous rooms I've learned that the SSH key is stored as id_rsa in the .ssh folder.
Q: What are the first 18 characters for falcon's private key
A: MIIEogIBAAKCAQEA7b
You can just copy the first line and do a quick echo "<text>" | cut -c1-18 to get the first 18 characters.

Broken Access Control
Q: Look at other users notes. What is the flag?
A: Changing the parameter to 0 gives you access to another user's notes.
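The flaw above is an insecure direct object reference: the note is fetched by the client-supplied id alone. The following is an added illustration (not the room's application code) with a constructed in-memory note store, showing the unchecked lookup beside a lookup that verifies the record's owner against the authenticated session user.

```python
# Constructed note store: note id -> (owner, body). The flag body is a placeholder.
NOTES = {
    0: ("admin", "flag{constructed-placeholder}"),
    1: ("noot", "my shopping list"),
    2: ("alice", "dentist on Friday"),
}


class Forbidden(Exception):
    """Raised when the session user is not allowed to read the requested note."""


def get_note_vulnerable(note_id):
    """Looks up purely by the client-supplied id: any user can read note 0."""
    return NOTES[note_id][1]


def authorize(session_user, note_id):
    """True only if the note exists and its owner is the authenticated user."""
    note = NOTES.get(note_id)
    return note is not None and note[0] == session_user


def get_note_checked(session_user, note_id):
    """Same lookup, but refuses unless the ownership check passes.

    'Missing' and 'not yours' produce the same error so that valid ids
    cannot be enumerated by observing different responses.
    """
    if not authorize(session_user, note_id):
        raise Forbidden(f"note {note_id} is not available to {session_user}")
    return NOTES[note_id][1]


if __name__ == "__main__":
    print(get_note_vulnerable(0))          # unchecked: returns the admin's note
    print(get_note_checked("noot", 1))     # own note: allowed
    try:
        get_note_checked("noot", 0)        # someone else's note: refused
    except Forbidden as err:
        print("refused:", err)
```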

Security Misconfiguration
Q: Hack into the webapp, and find the flag!
A: After searching for Pensive Notes, I found the GitHub repository of the webapp, where the default credentials pensive:PensiveNotes are shown.
https://github.com/NinjaJc01/PensiveNotes

XSS - Cross-site Scripting
Q: Navigate to http://10.10.x.x/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".
A: ThereIsMoreToXSSThanYouThink
Using <script>alert("Hello World")</script>

Q: On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
A: ReflectiveXss4TheWin
<script>alert(window.location.hostname)</script>

Q: Then add a comment and see if you can insert some of your own HTML.
A: HTML_T4gs
Q: On the same page, make an alert popup box appear on the page with your document cookies.
A: W3LL_D0N3_LVL2s
<script>alert(document.cookie)</script>
Q: Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.
A: websites_can_be_easily_defaced_with_xss
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

Insecure Deserialization
Q: Who developed the Tomcat application?
A: The Apache Software Foundation
Q: What type of attack that crashes services can be performed with insecure deserialization?
A: Denial of Service
Q: Select the correct term of the following statement: if a dog was sleeping, would this be:
A: A Behaviour
Q: What is the name of the base-2 formatting that data is sent across a network as?
A: Binary
Q: If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
A: webapp.com/login
Q: What is the acronym for the web technology that Secure cookies work over?
A: HTTPS
Q: 1st flag (cookie value)
A: Shown in the prints below


Q: 2nd flag (admin dashboard)
A: Shown in the prints below

Q: flag.txt
A: Using cat /home/cmnatic/flag.txt, I found the flag.

Components with Known Vulnerabilities
Q: How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)?
A: 1611

Insufficient Logging & Monitoring
Q: What IP address is the attacker using?
A: 49.99.13.16
Q: What kind of attack is being carried out?
A: Brute force
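Spotting a brute-force attempt in a log comes down to counting failed logins per source address within a short time window. The script below is an added example, not the room's log or tooling: it parses constructed sshd-style auth lines and flags any address with at least five failures inside one minute, reporting the usernames it tried. The threshold and window are assumptions to tune for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (TEST-NET addresses); not captured from the room.
SAMPLE_LOG = """\
Jan 12 10:01:01 web sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan 12 10:01:02 web sshd[1202]: Failed password for invalid user root from 203.0.113.5 port 50123 ssh2
Jan 12 10:01:03 web sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 50124 ssh2
Jan 12 10:01:04 web sshd[1204]: Failed password for invalid user guest from 203.0.113.5 port 50125 ssh2
Jan 12 10:01:05 web sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 50126 ssh2
Jan 12 10:01:06 web sshd[1206]: Failed password for invalid user pi from 203.0.113.5 port 50127 ssh2
Jan 12 10:02:30 web sshd[1210]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Jan 12 10:02:45 web sshd[1211]: Accepted password for alice from 198.51.100.7 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(line, year=2024):
    """Return (timestamp, result, user, ip) for a password-auth line, else None.
    Syslog lines carry no year, so one is assumed (constructed data uses 2024)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP that reached `threshold` failures inside any `window`
    to (peak failures in a window, sorted usernames it attempted)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed and parsed[1] == "Failed":
            ts, _, user, ip = parsed
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):           # sliding window over sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, sorted({u for _, u in events}))
    return flagged
```

A single failed login from 198.51.100.7 followed by success is not flagged, which is the distinction a noisy "any failure" alert would miss.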
