This is a guide that intends to walk you through the OWASP Top10 room at TryHackMe.
First hand, my advice is for you to try everything they say first, and only when you get stuck and without ideas use this or any other guide as a reference.
But first a little bit of corporate knowledge 😀
(you can go straight to the questions if you want >> click here)
OWASP = Open Web Application Security Project
"OWASP is a nonprofit foundation that works to imrpove the security of software."
>> owasp.org <<
Its more than a foundation, it's a community. And everyone is invited to take part in their projects learning and developing application security, improve social and technical skills or simply by becoming a member or simply donating to the cause. All this while providing organizations the tools needed to have their applications in a trustworthy and secure level.
They've been around for almost 20 years and I'm sure all pentesters are delighted with their work. Well, there must be a reason why their projects became a standard in the field, right?!
Top10 = The 10 most common vulnerabilities within a web application
All the vulnerabilities are listed in OWASP's website in a project called OWASP Top Ten.
Disclaimer: for the walkthrough I won't be sharing any answers, just follow alongs, as well as I won't be taking into account any "no answer needed" questions.
Hop into the one you need quickly:
- 1. Injection
- 2. Broken Authentication
- 3. Sensitive Data Exposure
- 4. XML External Entities (XEE)
- 5. Broken Access Control
- 6. Security Misconfiguration
- 7. Cross-Site Scripting (XSS)
- 8. Insecure Deserialization
- 9. Components With Known Vulnerabilities
- 10. Insufficient Logging and Monitoring
Q#1) What strange text file is in the website root directory?
Firstly you have to open your browser and navigate to http://the.machine.you.deployed/evilshell.php.
Then, you have to know how to see the files in a directory and you can do it by using the command ls . By doing so you will be able to see the following result:
So, you are in evillshell and you have a evilshell.php file, you have an index.php file and two directories (js and css), what is left for grabs?
Q#2) How many non-root/non-service/non-daemon users are there?
For this one we have to know what the question really means.
Root = the highest privilege in a system
Service = a service that can run processes and execute functions
Daemon = service process runing in background waiting for a command from other processes
So they are looking for a regular user account, which normally is defined by having a bin/bash shell folder to execute commands. Example "root:x:0:0:root:/root:/bin/bash".
Using less /etc/passwd you can check all the users.
Q#3) What user is this app running as?
Just type whoami .
Q#4) What is the user's shell set as?
The shell is the last part of the user within that passwd file we checked in Q#2, so you just have to find the user we discovered in Q#3 and check its last part 🙂
Q#5) What version of Ubuntu is running?
There is a file in the /etc folder that shows exactly that!
Try using cat /etc/os-release .
Q#6) Print out the MOTD. What favorite beverage is shown?
MOTD stands for Message Of The Day which means the message your computer prints out whenever you turn it on. Normally you could just open /etc/motd but… as you won’t find it, you can look into /etc/update-motd.d/ folder.
Try to search within the 00-header file. (by the way, the beverage is mostly known in the USA but I'm sure the sentence it's in won't get pass you)
2) Broken Authentication
Q#1) What is the flag that you found in darren's account?
The guide here is pretty clear. Register a " darren" with that space in the beginning (without quotation marks) associated with a random email like firstname.lastname@example.org and a random password.
Then just login with the username " darren" and the password you set.
Q#3) What is the flag that you found in arthur's account?
Just repeat Q#1 but with " arthur".
3) Sensitive Data Exposure
Q#1) What is the name of the mentioned directory?
In the beginning of the exercise, the author specifies that "The developer has left themselves a note".
Try hoping into the Login page (top right corner) and check the source code.
You'll see the green colored comment with your answer.
Q#2) Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Go to http://the.machine.you.deployed/<Q#1 directory>.
Besides every directory, there's only one file.
Q#3) Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Download the file you found on Q#2. It's time to use "Supporting Material 1".
In a quick review, any .db file indicates that is a database which probably contains sensitive data.
Use sqlite3 <name of the file> , you'll see the prompt sqlite> indicating you are inside the database and able to start searching.
Let's start by searching the possible tables in it by typing .tables .
Ok, it should give you back two tables. Remember that, as said in the question, we are searching for the credentials of the admin user. So, in which table should we look for?
To see if the table has the info we are looking for, type PRAGMA table_info(<table>); ( don't forget the ";" )
It should give you what we want, meaning this is our table! Next, we're going to retrieve (SELECT in SQL language) everything (* in SQL language) from (FROM in SQL language) that table. Type SELECT * FROM <table>; .
You should be able to retrieve, as asked, "the password hash of the admin user".
Q#4) Crack the hash. What is the admin's plaintext password?
Go to Crackstation as mentioned in "Supporting Material 2" and just paste the hash you found on Q#3.
Q#5) Login as the admin. What is the flag?
Go back to the Login page, use the admin credentials you just found to enter and you'll see the flag right there.
4) XML External Entity (XEE)
In this "chapter" I will divide the questions with ">>>> new tab" because the questions are divided by tabs in tryhackme.
Q#1) Full form of XML
The answer is between perentheses right in the beginning of the question "What is XML?".
Q#2) Is it compulsory to have XML prolog in XML documents?
Compulsory = Obligatory
XML prolog = <?xml version="1.0" encoding="UTF-8"?>
The XML prolog is only considered a good practice, so... 🙂
Q#3) Can we validate XML documents against a schema?
Check topic number 3 from the question "Why we use XML?".
Q#4) How can we specify XML version and encoding in XML document?
Check Q#2 for the answer.
>>>> new tab
Q#1) How do you define a new ELEMENT?
The answer is right there in the question, just remember to put a "!" behind it.
Q#2) How do you define a ROOT element?
See the list right above, right there in the beginning.
Q#3) How do you define a new ENTITY?
Pretty much like Q#1.
>>>> new tab
Q#3) What is the name of the user in /etc/passwd
You must open your browser and navigate to http://the.machine.you.deployed.
Then use the payload given in the previous tab.
You can see a bunch of accounts. The user is the one ending in "/bin/bash" as we learned in the Injection topic (Q#2).
Q#4) Where is falcon's SSH key located?
Normally, all users are specified in the /home folder.
Also normally, the default SSH key of any user is within the /.ssh/id_rsa file path.
So, the location of the SSH key is something like /home/<user>/.ssh/id_rsa.
Q#5) What are the first 18 characters for falcon's private key
Remember the payload we used in Q#2?
It used the /etc/passwd path to read the passwd file. So, if we want to read the id_rsa file of our user we just have to change the path set on that payload for the path we discovered in Q#4.
5) Broken Access Control
Q#3) Look at other users notes. What is the flag?
Go to your browser, navigate to http://the.machine.you.deployed and login with the credentials they give you.
Take a look at the URL:
You have a note number! Can you guess which note number has the flag we are looking for?
Hint: Normally admins are created first, just before the 1st user 🙂
6) Security Misconfiguration
Q#2) Hack into the webapp, and find the flag!
Go to your browser, navigate to http://the.machine.you.deployed. You will see a web application (webapp) and the only thing you have is a login page.
The text refers a lot about default credentials so, can you Google "default credentials Pensive Notes"?
I guess there's no need to say more eheh
7) Cross-Site Scripting (XSS)
Q#2) Navigate to http://the.machine.you.deployed in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".
Head to the hamburger menu and pick the "Reflected XSS" page as mentioned.
There you’ll find a search bar (juicy way to say… attack me with some xss please). On that search bar you should use the first common payload specified under the title "XSS Payloads".
Hint: Just switch "Hello World" for "Hello"
Q#3) On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.
On this one, the script is pretty much the same. The only difference is in what we want to retrieve as information.
You will want one of window.location properties.
A brief explanation is that "window" is an object referring the browser that has its own properties. And we can reach those properties by adding the dot in front of it. So, window.location is the object that gets you the URL of the page you're in. But, we don't want that, we just want the IP. Check this website out!
Hint: Try switching ("Hello") for (window.location.<the one that gives you only the IP>)
If you want a clearer way to explain objects and properties go to this section.
Q#4) Now navigate to http://the.machine.you.deployed in your browser and click on the "Stored XSS" tab on the navbar; make an account. Then add a comment and see if you can insert some of your own HTML.
Click on the "XSS Playground" icon on the top menu and create an account in the "Register" area.
When inside, head to the hamburger menu and pick the "Stored XSS" page.
In the comment section at the bottom of the page write a comment using any html tag.
Hint: Try adding a <b>hacker</b> in your comment
Q#5) On the same page, create an alert popup box appear on the page with your document cookies.
Ok, this one is a little bit trickier and required some research.
You will want to reach an element in this document that has the title on it and then change it. Can you find the title id inside the source page?
Got it? Awesome!
Now you must know how can the title id be changed. We already figured that you need to get the title id inside this page and you refer this page as the document object. So, document.<something to get the title id> and then you want to change it right? Getting already there... document.<something to get the title id>.<the action we want to perform>
Note: Titles are referred with the character "#"
Go check this one out to see what we are talking about! Specifically the third example after the title "More Examples"
After all of this unveiled we want to perform it and if we are talking about scripting...
Hint: Whenever we want to script something in a website just use <script> at the beginning and </script> at the end 😉
8) Insecure Deserialization
Q#1) Who developed the Tomcat application?
Try searching on Google by "Tomcat developer".
Hint: in doubt always add "The" before anything.
Q#2) What type of attack that crashes services can be performed with insecure deserialization?
It says right up in the second reason example why Insecure Deserialization is a vulnerability ranked 8 out of 10 and specified in the first part of the tab.
>>>> new tab
Q#1) Select the correct term of the following statement: if a dog was sleeping, would this be: A) A State B) A Behaviour
If a lamp bulb is a state and it being on or off is a behaviour, then a dog being a retriever is a state and he sleeping is a...
>>>> new tab
Q#1) What is the name of the base-2 formatting that data is sent across a network as?
Base2 is always 0s and 1s.
Do you know any format name that reminds you this?
>>>> new tab
Q#1) If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?
They literally tell you the answer in the question eheh
Q#2) What is the acronym for the web technology that Secure cookies work over?
Insecure websites work without certifications (HTTP).
So, knowing that an "S" stands for "secure", in what type of connections are secure cookies set over?
Hint: You might want to check the Attributes and Descriptions table in the tab.
>>>> new tab
Q#1) 1st flag (cookie value)
The explanation is quite simply shown in the tab. Go to http://the.machine.you.deployed, create an account with random username and password and get the cookie value through the “inspect element” tool of firefox by going to the “storage” tab and getting the "sessionId" value.
Then, as it’s also explains, cookies are stored either in plain text or in base64. You can decode from base64 here.
Hint: The answer starts with “THM” and ends with a “}”
Q#2) 2nd flag (admin dashboard)
This exercise is specifically written in the last sentence of the tab.
Double click on the value of “userType” cookie, change to admin and change the url from machine_ip/myprofile to machine_ip/admin.
There will be a magic blue box with your answer!
>>>> new tab
For this one, you will have to go back to user mode. So, set the "userType" cookie value to user and go back to the machine_ip/myprofile.
Then you have to click on the "Exchange your vim" link, and after that you can navigate to the feedback page.
Now, to complete the task, we must have a payload that allow us to execute code remoteley. In another tab go to this Github page and copy the code inside the rce.py box.
To get it into your system, open a terminal, type nano rce.py and paste the code you just copied from Github.
Remember to change where it says "YOUR_TRYHACKME_VPN_IP" for your system's IP (mine from TryHackMe is on the top of the page near the streak count).
Execute the "rce.py" by typing python3 rce.py and copy the output that is in-between the speech marks. Have you noticed that 4444 right after your system's IP? That's the port we want to be listening on. So, set up a listener with nc -lnvp 4444 .
Go to the feedback page again and access the cookies in the "Storage" tab. Do you see a cookie named "encodedPayload"? I guess you know what to do 🙂
(if stuck, refresh the page)
Now check your terminal! All you have to do is search for the flag.
Hint: Remember the find , grep and cat commands.
9) Components With Known Vulnerabilities
Q#1) How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)
The quest here is rather simple. As the initial tab states, our main goal is to find out as much information as we can about what we have in hands. So, start by deploying the machine and navigating to http://the.machine.you.deployed.
You will notice that we are in the presence of an "online CSE bookstore". Try searching for "online book store" in this database with lots of known vulnerabilities.
Found out what you are looking for?
Hint #1: it's a verified one (with a green mark)
Hint #2: you have to run python3 <the file> http://the.machine.you.deployed
Then you just have to use what is asked right there in the question!
10) Insufficient Logging and Monitoring
Q#1) What IP address is the attacker using?
First you will have to download the file they gave you.
Then, in your log you have the several admin attempts that were unauthorised with one specific IP address.
Q#2) What kind of attack is being carried out?
When you try several usernames and passwords to try to hack into a system in what type of attack are you witnessing?
If you saw this post until the end, thank you very much for reading and congratulations!! I hope you liked it.
If you see anything I can improve, let me know!