Sep 6, 2022

8 min read

OWASP Top 10 | TryHackMe

What is OWASP foundation?

The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.

OWASP Top 10

Injection
Broken Authentication
Sensitive Data Exposure
XML External Entity
Broken Access Control
Security Misconfiguration
Cross-site Scripting
Insecure Deserialization
Components with Known Vulnerabilities
Insufficent Logging & Monitoring

Task 5: [Severity 1] Command Injection Practical

Let’s practice on command injection

Start machine
Start attachbox or VPN

Navigate to http://ip/evilshell.php in your browser

Oops , it executes commands on the system

Let’s answer to the questions

What strange text file is in the website root directory?

Enter command : ls

ls command is used for listing directories

guess the strange text file ?

answer : drpepper.txt

How many non-root/non-service/non-daemon users are there?

answer : 0

What user is this app running as?

Enter command whoami and press submit

whoami command displays the username of the current user

answer : www-data

What is the user’s shell set as?

Enter command cat ../../../etc/passwd then search (grep) for the user and press submit

the user’s shell is defined in the /etc/passwd file

answer : /usr/sbin/nologin

What version of Ubuntu is running?

type lsb_release -a to check ubuntu version

answer : 18.04.4

Print out the MOTD. What favorite beverage is shown?

the /etc/mod is a file on unix systems that contain a “message of the day”

from the hint , we know that the target file is 00-header

type cat /etc/update-motd.d/00-header

answer : DR PEPPER

Task 7: [Severity 2] Broken Authentication Practical

Navigate to http://ip/ in your browser and try to register with user “darren”

this will show you an error because the user already exists

so try to register with the same user but enter an {space} before username and enter register , then the user created

try to login with with username = { darren} and password = {your password}

the flag will be ..

What is the flag that you found in darren’s account?

fe86079416a21a3c99937fea8874b667

then try the same technique with username = “arthur” and login to see the flag

What is the flag that you found in arthur’s account?

d9ac0f7db4fda460ac3edeb75d75e16e

Task 11: [Severity 3] Sensitive Data Exposure (Challenge)

When you Navigate to http://ip/ in your browser , you will find a web page contain texts and login page

i tried to view page source and i found that it include /asset directory

So , after i had been opened http://ip/assets , i found many folders and a database file called webapp.db

Download this file , then i found out that it’s a SQLlite database and it contains users credentials

The passwords in database in md5 hash , then try to crack the password of admin using website https://crackstation.net

then try to login using username = admin & password = qwertyuiop

What is the name of the mentioned directory?

Answer : /assets

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Answer : webapp.db

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Answer : 6eea9b7ef19179a06954edd0f6c05ceb

What is the admin’s plaintext password?

Answer : qwertyuiop

Login as the admin. What is the flag?

Answer : THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

Task 13: [Severity 4] XML External Entity — eXtensible Markup Language

Full form of XML

Answer : eXtensible Markup Language

Is it compulsory to have XML prolog in XML documents?

Answer : no

Is it compulsory to have XML prolog in XML documents?

Answer : yes

How can we specify XML version and encoding in XML document?

Answer : XML prolog

Task 14: [Severity 4] XML External Entity — DTD

How do you define a new ELEMENT?

Answer : !ELEMENT

How do you define a ROOT element?

Answer : !DOCTYPE

How do you define a new ENTITY?

Answer : !Entity

Task 16: [Severity 4] XML External Entity — exploiting

What is the name of the user in /etc/passwd

payload :

Answer : falcon

Where is falcon’s SSH key located?

Answer :

What are the first 18 characters for falcon’s private key

Answer :

Task 18: [Severity 5] Broken Access Control (IDOR Challenge)

Navigate to http://ip/ in your browser and login with username = noot , password = test1234

after you had logged in , url became http://10.10.111.57/note.php?note=1

try to change the id to access another user’s note

http://10.10.111.57/note.php?note=2 -> blank page

http://10.10.111.57/note.php?note=3 -> blank page

then , try to access undefined id like 0

http://10.10.111.57/note.php?note=0

Look at other users notes. What is the flag?

flag{fivefourthree}

Task 19: [Severity 6] Security Misconfiguration

Navigate to http://ip/ in your browser , it’s a login panel called pensive notes

search on google about : pensive notes default credentials , then i got it

username : pensive & password: PensiveNotes

Answer : thm{4b9513968fd564a87b28aa1f9d672e17}

Task 20: [Severity 7] Cross-Site-Scripting

Navigate to http://ip/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".

type in search function this payload : <script>alert(“Hello”)</script>

Answer : ThereIsMoreToXSSThanYouThink

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

type in search : <script>alert(window.location.hostname)</script>

answer : ReflectiveXss4TheWin

Now navigate to http://ip/ in your browser and click on the “Stored XSS” tab on the navbar; make an account.

Then add a comment and see if you can insert some of your own HTML.

type in comment : <img src=x onerror=alert(1)>

Answer : HTML_T4gs

On the same page, create an alert popup box appear on the page with your document cookies.

type in comments : <script>alert(document.cookie)</script>

Answer : W3LL_D0N3_LVL2

Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.

inspect element to the title and i know it’s id is “thm-title”

write in console : document.getElementById(“thm-title”).innerHTML=”I am a hacker”;

it worked

then type the payload into comments :<script>document.getElementById(“thm-title”).innerHTML=”I am a hacker”;</script>

Answer : websites_can_be_easily_defaced_with_xss

Task 21: [Severity 8] Insecure Deserialization

Who developed the Tomcat application?

Answer : The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialization?

Answer : denial of services

Task 22: [Severity 8] Insecure Deserialization Objects

if a dog was sleeping, would this be:

A) A State
B) A Behaviour

Answer : A Behaviour

Task 23: [Severity 8] Insecure Deserialization — Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

Answer : binary

Task 24: [Severity 8] Insecure Deserialization — cookies

If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

Answer : webapp.com/login

What is the acronym for the web technology that Secure cookies work over?

Answer : https

Task 25: [Severity 8] Insecure Deserialization — cookies practical

go to http://machine_ip , then register an account you will see the details of your account on the right of dashboard , then click inspect element , click storage , click cookies and you will see that the session id encoded with base64