TryHackMe OWASP Top 10–2021 Walkthrough

CoryBantic NSP Security
15 min read · Jun 9, 2023


This is a write-up for the room OWASP Top 10 - 2021 on TryHackMe, written in 2023. It is meant for those who do not have their own virtual machine and want to use what TryHackMe provides.

This room focuses on the following OWASP Top 10 vulnerabilities:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entity
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-site Scripting
  8. Insecure Deserialisation
  9. Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

Task 1 [ Introduction ]

Read the above.

No Answer Needed

Task 2 [ Accessing Machines ]

Connect to our network or deploy the AttackBox.

No Answer Needed

Task 3 [ 1. Broken Access Control ]

Read and understand what broken access control is.

No Answer Needed

Task 4 [ Broken Access Control (IDOR Challenge) ]

Read and understand how IDOR works.

No Answer Needed

Deploy the machine and go to http://MACHINE_IP — Login with the username noot and the password test1234.

No Answer Needed

Look at other users’ notes. What is the flag?
Hint: The URL contains ?note_id=1 — I wonder what happens if you change the parameter value? You might be able to access another user’s notes.
Answer Format: ****{*************}

Answer: flag{fivefourthree}
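To make the IDOR concrete from the defender's side, here is an added example (my own code, not the room's application) of the query pattern that causes the flaw and the one that fixes it. The notes table, the second owner and the flag string are all constructed for the demo.

```python
import sqlite3


# Constructed in-memory stand-in for the notes app; the note bodies are made up.
def build_notes_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?, ?)",
        [(1, "noot", "noot's own note"), (2, "someone-else", "flag{constructed-sample}")],
    )
    return conn


def get_note_vulnerable(conn, note_id):
    # The IDOR: note_id comes straight from ?note_id=... and is the only
    # thing the query checks, so any logged-in user can read any note.
    row = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None


def get_note_fixed(conn, note_id, current_user):
    # The fix: bind the lookup to the session's user. Changing note_id in the
    # URL can then only ever select that user's own rows; foreign ids return
    # nothing, which the handler should answer with 404/403 and log.
    row = conn.execute(
        "SELECT body FROM notes WHERE id = ? AND owner = ?", (note_id, current_user)
    ).fetchone()
    return row[0] if row else None
```

The important detail is that the fixed query takes the owner from the server-side session (here the current_user argument), never from anything the client sends.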

Task 5 [ 2. Cryptographic Failures ]

Read the introduction to Cryptographic Failures and deploy the machine.

No Answer Needed

Task 6 [ Cryptographic Failures (Supporting Material 1) ]

Read and understand the supporting material on SQLite Databases.

No Answer Needed

Task 7 [ Cryptographic Failures (Supporting Material 2) ]

Read the supporting material about cracking hashes.

No Answer Needed

Task 8 [ Cryptographic Failures (Challenge) ]

First, start up the machine. Once it has booted, open Firefox and head to http://machine-ip:81/. Once there, go to the log-in page and view the source code. You can view the source code with the hotkey combo CTRL + U, which opens it in a separate tab.

Have a look around the web app. The developer has left themselves a note indicating that there is sensitive data in a specific directory.

What is the name of the mentioned directory?
Hint: Have a look at the source code on the /login page.

Answer Format: /******

Answer: /assets

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

In the address bar, replace /login with /assets/ and look at the directory listing.

And what do we have here?

Answer Format: ******.**

Answer: webapp.db

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Download the database (.db) file and pull up your command line. List everything in the folder using ls -l to confirm the file is there.
Next, open the database with SQLite3 using sqlite3 webapp.db, then run .tables, which brings up "users", and finally PRAGMA table_info(users) to see the columns of that table.

Answer Format: ******************************
Answer: 6eea9b7ef19179a06954edd0f6c05ceb

Crack the hash.
What is the admin’s plaintext password?
Hint: Read the supporting material.

The supporting material suggests we go to CrackStation. Once at the CrackStation site copy and paste the password hash, confirm that you are not a robot, and select the “Crack Hashes” button.

Copy and paste the result.

Answer Format: **********

Answer: qwertyuiop
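Why does CrackStation recover this password instantly, and what should the developer have stored instead? The following is an added example (my code, not the room's app or CrackStation's) that reads a users table like the one in webapp.db, identifies the hash type by its length, reproduces the dictionary lookup on a tiny constructed wordlist, and then shows the salted, slow PBKDF2 storage that defeats that lookup. The table contents apart from the admin hash, and the wordlist, are constructed.

```python
import hashlib
import hmac
import os
import re
import sqlite3


# Constructed users table in the shape of the challenge's webapp.db. The admin
# row carries the hash recovered in the room; the second row is made up.
def build_users_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("1", "admin", "6eea9b7ef19179a06954edd0f6c05ceb", 1),
            ("2", "bob", hashlib.md5(b"constructed-password").hexdigest(), 0),
        ],
    )
    return conn


def dump_hashes(conn):
    # Python equivalent of `sqlite3 webapp.db` plus a SELECT: username -> stored hash.
    return dict(conn.execute("SELECT username, password FROM users"))


def classify_hash(stored):
    # Length-based identification: a bare 32-hex-digit string is almost
    # always an unsalted MD5, 40 hex digits SHA-1, 64 hex digits SHA-256.
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", stored):
        return "sha256"
    return "unknown"


# A tiny constructed wordlist; CrackStation does the same lookup at scale.
WORDLIST = ["password", "123456", "letmein", "qwertyuiop", "admin"]


def dictionary_lookup(stored, wordlist):
    # Unsalted MD5 is deterministic, so a precomputed table maps it straight
    # back to the password. That is the whole reason CrackStation works.
    algo = classify_hash(stored)
    if algo == "unknown":
        return None
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == stored:
            return word
    return None


def hash_password(password, salt=None, iterations=600_000):
    # The remediation: a random per-user salt plus a slow KDF. The same
    # password now yields a different string per user, so no lookup table
    # can be precomputed and each guess costs hundreds of thousands of hashes.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The cryptographic failure in the room is really two failures stacked: the database was reachable from the web root, and even once leaked, its hashes were unsalted MD5 that a lookup table reverses in milliseconds.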

Log in as the admin. What is the flag?

The username is admin; then copy and paste the cracked password.

Answer Format: ***{********************************}

Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

Task 9 [ 3. Injection ]

I’ve understood Injection attacks.

No Answer Needed

Task 10 [ 3.1. Command Injection ]

In this module, we are going to inject Linux commands into the cowsay web app. TryHackMe was kind enough to give us a few basic commands:

  • whoami
  • id
  • ifconfig/ip addr
  • uname -a
  • ps -ef

But we will also be using a few others such as:

  • $(ls)
  • $(ls -la)
  • $(cat /etc/passwd)
  • $(cat /etc/os-release)

Now, let's get started. Head to the link given http://machine-ip:82/


This was my approach; you can do things your way. I started with the command: $(whoami)

This is actually the answer to the third question: apache

Next, I used the command $(ls) to find any files in the website's root directory.

The results are [css drpepper.txt index.php js]. This leads us to the answer to the first question.

After that, it is time to find out the answer to the next question:

How many non-root/non-service/non-daemon users are there?

How do we determine that? We use the command $(cat /etc/passwd) to list the users. Broken down, the command is [cat] (concatenate and print) applied to the file [/etc/passwd].

It is a long list. What is the trend here?

There are no non-root/non-service/non-daemon users (standard users).

You can also use the command [awk] with a few parameters:

$(awk -F: '$3 >= 1000' /etc/passwd)

Without going in-depth into the command, there are no standard users listed, making the answer "0". The hint here is sbin, which is short for system binary. sbin is meant for system admins and should not be accessible by standard users. So, seeing /sbin/nologin as an account's shell is an indicator: that account cannot log in interactively, i.e. it is a service account.

Going back to the question about the user name [apache] we can scroll to the bottom and find the user’s [apache] shell [/sbin/nologin].

It is time to finish this task by using a command to find the operating system version. The command I used was [$(cat /etc/os-release)], and the result was straightforward: 3.16.0. You can also use [$(cat /etc/alpine-release)], the file the hint points to.

What strange text file is in the website’s root directory?
Answer Format: ********.***

Answer: drpepper.txt

How many non-root/non-service/non-daemon users are there?
Answer Format: *

Answer: 0

What user is the web app running as (the result of $(whoami))?
Answer Format: ******

Answer: apache

What is the user’s shell set as?
Answer Format: /****/*******

Answer: /sbin/nologin

What version of Alpine Linux is running?
Hint: The version can be found in “/etc/alpine-release”.
Answer Format: *.**.*

Answer: 3.16.0
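The cowsay app is vulnerable because the message is glued into a shell command line, so $(...) is expanded before the program ever runs. As an added example (my code, not the room's PHP app), here is that pattern next to its fix, plus a small detection check for the kind of input the probes above use. printf stands in for cowsay so the code runs anywhere.

```python
import re
import subprocess


def cowsay_vulnerable(message):
    # Mirrors the room's flaw: the user's text is concatenated into a shell
    # command line, so the shell expands $(...) and backticks before printf
    # ever sees them. (printf stands in for cowsay so this runs anywhere.)
    result = subprocess.run("printf '%s' " + message, shell=True, capture_output=True, text=True)
    return result.stdout


def cowsay_safe(message):
    # The fix: pass an argv list with shell=False. The message reaches the
    # program as a single argument and no shell ever parses it, so a string
    # like "$(whoami)" is printed literally instead of executed.
    result = subprocess.run(["printf", "%s", message], capture_output=True, text=True)
    return result.stdout


# Shell metacharacters that have no business in a cow's speech bubble.
INJECTION_MARKERS = re.compile(r"[$`;|&<>()]")


def looks_injected(message):
    # Detection side: flag inputs carrying shell metacharacters so a WAF rule
    # or application log alert fires on probes like the ones in this task.
    return INJECTION_MARKERS.search(message) is not None
```

Note that input filtering alone is the weaker control: the argv-list form removes the shell from the picture entirely, and the marker check is there for logging and alerting, not as the only defence.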

Task 11 [ 4. Insecure Design ]

Navigate to http://MACHINE_IP:85 and get into joseph’s account. This application also has a design flaw in its password reset mechanism. Can you figure out the weakness in the proposed design and how to abuse it?

Time to once again boot up the VM, open Firefox, and make your way to http://MACHINE_IP:85. Once you get to the page you should notice that it is a login page. We want to use the information that we have so far. THM told us that the person's name is "joseph", but we don't have a password and we are not sure if that is his username. But there is a button that says "I forgot my password…". Click it and continue on.

Password reset page

It first asks for the username; "joseph" was supplied, so we use that. Now, the question's hint asks which of the three security questions is the easiest to guess. The first is an impossible task within the scope of this room, and so is the last one. So we are going to be guessing colours. ROYGBIV (Red, Orange, Yellow, Green, Blue, Indigo, and Violet) is a safe place to start. I tried starting with spelling variations of Red and finally, bingo, "green" worked (it is case-sensitive). The system automatically generates a new temporary password. Write it down and/or copy and paste it. Use that information to log in.

And we are in.

Explore the options and make your way to private.

Open Flag.txt to get the flag and to finish the task.

Try to reset joseph’s password. Keep in mind the method used by the site to validate if you are indeed joseph.

No Answer Needed

What is the value of the flag in joseph’s account?
Hint: Is there any security question that can be easily guessed?
Answer Format: ***{*******************************}

Answer: THM{Not_3ven_c4tz_c0uld_sav3_U!}

Task 12 [5. Security Misconfiguration]

Time to boot up the machine again and head to the given website on Firefox.

Once you get there, input the following code:
import os; print(os.popen("ls -l").read())

Once we run the code, it returns a listing of the current directory. The first question asks for the file name of the database. The easiest way to find the answer is to look for the file name ending in [.db].

The next question asks you to modify the code, so you can read the contents of the app.py. It should look like this:
import os; print(os.popen("cat app.py").read())

Once we enter the altered code, the site returns the flag:

THM{Just_a_tiny_misconfiguration}

Navigate to http://MACHINE_IP:86/console to access the Werkzeug console.

No Answer Needed

Use the Werkzeug console to run the following Python code to execute the ls -l command on the server:

import os; print(os.popen("ls -l").read())

What is the database file name (the one with the .db extension) in the current directory? Answer Format: ****.**

Answer: todo.db

Modify the code to read the contents of the app.py file, which contains the application's source code. What is the value of the secret_flag variable in the source code? Answer Format: ***{****************************}

Answer: THM{Just_a_tiny_misconfiguration}

Task 13 [ 6. Vulnerable and Outdated Components ]

Read about the vulnerability.

No Answer Needed

Task 14 [ Vulnerable and Outdated Components — Exploit ]

Read the above!

No Answer Needed

Task 15 [ Vulnerable and Outdated Components — Lab ]

This task is about exploiting outdated components. Open Firefox then head to the given site. Looking at the site we learn that this is a bookstore app. Go to the Exploit database site and search for the keywords “bookstore”.

Download the exploit [47887.py] and use the command:

python3 47887.py [insert URL], then type "y" to launch the shell. Use the command [cat /opt/flag.txt] to reveal the flag. The key here is that you already know which file you are looking for, /opt/flag.txt, and that [cat] is the command that prints it.

What is the content of the /opt/flag.txt file?
Hint: You know it’s a bookstore application. You should check for recent unauthenticated bookstore apps RCEs.
Answer Format: ***{*********************}

Answer: THM{But_1ts_n0t_myf4ult!}

Task 16 [ 7. Identification and Authentication Failures]

I’ve understood broken authentication mechanisms.

No Answer Needed

Task 17 [ Identification and Authentication Failures Practical ]

Start up the machine and open Firefox. Then go to the given website.

Register with the username "darren", as the instructions say,

and a message will come back: "Error: This user is already registered".

Let's try this again, but put a space in front of the name, like this:

" darren"

It registers " darren" with the same rights as "darren", but with whatever email and password you entered. Next, log in using those credentials to find the flag.

Now, let’s use the same method to access the username “arthur”.

What is the flag that you found in darren’s account?
Answer Format: ********************************

Answer: fe86079416a21a3c99937fea8874b667

Now try to do the same trick and see if you can log in as arthur.

No Answer Needed

What is the flag that you found in arthur’s account?
Answer Format: ******************

Answer: d9ac0f7db4fda460ac3edeb75d75e16e
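The trick works because the registration check compares the raw string while the rest of the app treats " darren" as darren. As an added example (my own code, not the room's application), here is a minimal user store with the vulnerable uniqueness check beside one that canonicalises the username first; the class and method names are mine.

```python
import re
import unicodedata


class RegistrationError(Exception):
    pass


def canonical_username(raw):
    # Normalise before any uniqueness check: NFKC folds look-alike and
    # full-width characters, strip() removes the leading/trailing whitespace
    # the room abuses, casefold() removes case differences, and the final
    # pattern rejects anything outside a tight character set.
    name = unicodedata.normalize("NFKC", raw).strip().casefold()
    if not re.fullmatch(r"[a-z0-9_.-]{3,32}", name):
        raise RegistrationError("invalid username")
    return name


class UserStore:
    def __init__(self):
        self.users = {}

    def register_vulnerable(self, username, password):
        # The room's behaviour: the raw string is the key, so " darren"
        # and "darren" are different accounts at registration time.
        if username in self.users:
            raise RegistrationError("This user is already registered")
        self.users[username] = password

    def register_fixed(self, username, password):
        # Uniqueness is checked on the canonical form, so " darren",
        # "Darren " and "DARREN" all collide with the existing account.
        name = canonical_username(username)
        if name in self.users:
            raise RegistrationError("This user is already registered")
        self.users[name] = password
```

The same canonical form must be used at login and everywhere else the username is looked up; normalising in only one place is exactly what produced the bug.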

Task 18 [ 8. Software and Data Integrity Failures]

Read the above and continue!
No Answer Needed

Task 19 [Software Integrity Failures Security misconfiguration]

This is a fairly simple and straightforward task. You can use the AttackBox or your own browser for this task. Open a new tab and go to https://www.srihash.org/.

https://www.srihash.org/

Input the given URL [https://code.jquery.com/jquery-1.12.4.min.js] and ensure that you're using SHA-256.

What is the SHA-256 hash of https://code.jquery.com/jquery-1.12.4.min.js?

Answer Format: SHA256-*******************************************=

Hint: Remember you can use https://www.srihash.org/ to calculate integrity hashes for SRI.

Answer: sha256-ZosEbRLbNQzLpnKIkEdrPv7lOy9C27hHQ+Xp8a4MxAQ=
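srihash.org is just doing base64(sha256(file bytes)) with the algorithm name prefixed. As an added example (my code, not srihash.org's), here is that computation, the script tag it belongs in, and the verification step a build pipeline can run to catch a changed CDN file. The script body is a constructed placeholder, so its hash is not the room's answer.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the script body; the real jquery-1.12.4.min.js is
# not embedded here, so the hash of this string is not the room's answer.
SAMPLE_JS = b"console.log('constructed sample script');"


def sri_hash(content, algo="sha256"):
    # integrity = "<algo>-" + base64(raw digest of the exact bytes served)
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src, content):
    # crossorigin="anonymous" is required for the browser to enforce SRI on a
    # cross-origin script such as one loaded from code.jquery.com.
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def verify_sri(content, integrity):
    # Server-side or CI check: recompute with the algorithm named in the
    # attribute and compare in constant time. Any change to the file flips
    # the result, which is what the browser does at load time.
    algo = integrity.split("-", 1)[0]
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)
```

Running verify_sri against a freshly downloaded copy of the library is a cheap CI check that the third-party file you pinned has not been swapped underneath you.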

Task 20 [Data Integrity Failures]

Start your machine and attack box, then go to the site that was given http://MACHINE_IP:8089/. Once you get to the screen, attempt to log into the guest account with a random password.

You will receive a message telling you how to log in.

Once you log in, it gives you another message.

Okay challenge accepted

Press SHIFT+F12 to bring up the Developer Tools

Once you open the Dev Tools go to the Storage tab.

Open a blank document in a text editor. Copy the cookie's "Value" and paste the entire string into the document. It should look like this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjg2MzIxNjI2fQ.L159cLhW34u6BYodwGSJwHftLw34J-zKQF9Xo1uYBVA

Next, you need the header and the payload. If you recall from the task, the header runs up to the first ".", and the payload up to the next "."; don't worry about the signature, we won't need it.

Go to https://appdevtools.com/base64-encoder-decoder and DECODE the header and payload separately.

Copy and paste the decoded information, change "HS256" to "none" in the header, then change "guest" to "admin" in the payload. Now it's time to encode this information again. Take the two encoded results and combine them with a "." between them. It should look like this:

Copy and paste the pair into the value of the cookie.

Once you insert the code into the cookie, refresh the page to get the flag.

Try logging into the application as guest. What is guest’s account password? Answer Format: *****

Hint: Try logging in with the wrong credentials.

Answer: guest

If your login was successful, you should now have a JWT stored as a cookie in your browser. Press F12 to bring out the Developer Tools.

Depending on your browser, you will be able to edit cookies from the following tabs:

Firefox

Chrome

What is the name of the website’s cookie containing a JWT token? Answer Format: ***-*******

Answer: jwt-session

Use the knowledge gained in this task to modify the JWT token so that the application thinks you are the user “admin”.

No Answer Needed

What is the flag presented to the admin user?
Answer Format: ***{********************************}

Answer: THM{Dont_take_cookies_from_strangers}
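The whole attack hinges on the server honouring whatever "alg" the token declares. As an added example (my code, not the room's server), the block below decodes the guest token captured above, shows a verifier with that flaw accepting an alg "none" token, and shows the fixed verifier that pins HS256, checks the signature in constant time and enforces exp. The signing key is a constructed demo value; the room's real key is unknown.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key; the room's server key is of course unknown.
SECRET = b"constructed-demo-secret"

# The guest token copied from the cookie in the room (header.payload.signature).
PAGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjg2MzIxNjI2fQ."
    "L159cLhW34u6BYodwGSJwHftLw34J-zKQF9Xo1uYBVA"
)


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token):
    # What the base64 decoder step in the walkthrough does: read header and
    # payload without checking the signature. Never use this for authorization.
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def encode_segments(header, payload):
    return (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
            + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))


def sign_hs256(payload, key):
    signing_input = encode_segments({"typ": "JWT", "alg": "HS256"}, payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def alg_none_token(payload):
    # Test vector for the flaw the room exploits: alg "none" and an empty
    # signature, i.e. the token the walkthrough pastes back into the cookie.
    return encode_segments({"typ": "JWT", "alg": "none"}, payload) + "."


def verify_vulnerable(token, key):
    # The bug: the server lets the token choose its own algorithm.
    header, payload = decode_unverified(token)
    if header.get("alg") == "none":
        return payload
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return payload


def verify_fixed(token, key, now=None):
    # The fix: the server pins the algorithm, checks the signature in
    # constant time, and enforces exp. "none" never reaches a code path
    # that returns claims.
    header, payload = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if payload.get("exp", 0) < (now if now is not None else time.time()):
        raise ValueError("token expired")
    return payload
```

Real JWT libraries expose the same fix as an explicit allowed-algorithms list; the lesson is that the verifier, not the token, decides how the token is checked.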

Task 21 [9. Security Logging and Monitoring Failures]

This is a fairly simple task. Download the log file and look at the data.

Notice the IP address that recurs within a span of 15 seconds? That is the attack, and the IP address is the answer to the first question. The next thing to notice is the different attempts: same IP address, different login names, within 15 seconds. This is the key to question two. It is a "Brute Force" attack.

Fortinet’s definition.

What IP address is the attacker using? Answer Format: **.**.**.**

Hint: Check for common actions in a short sequence of time.

Answer: 49.99.13.16

What kind of attack is being carried out? Answer Format: ***** *****

Hint: What do you call trying combinations of usernames and passwords to gain access to users’ accounts?

Answer: Brute Force
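Spotting the pattern by eye is fine for one file; a logging and monitoring pipeline has to do it automatically. As an added example (my code, written for this write-up rather than taken from the room), here is a small detector that parses a constructed log excerpt in a made-up format and raises an alert for a source address that fails logins against several different usernames inside a 15-second window. The attacker address is the one identified in the task; every other value is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt in a made-up format (the room's file differs); the
# attacker address is the one identified in the task.
SAMPLE_LOG = """\
2023-06-09T11:00:01 12.55.22.88 POST /login 200 user=noot
2023-06-09T11:00:05 49.99.13.16 POST /login 401 user=admin
2023-06-09T11:00:07 49.99.13.16 POST /login 401 user=administrator
2023-06-09T11:00:09 49.99.13.16 POST /login 401 user=anonymous
2023-06-09T11:00:11 49.99.13.16 POST /login 401 user=root
2023-06-09T11:00:14 49.99.13.16 POST /login 401 user=joseph
2023-06-09T11:05:00 10.4.4.12 POST /login 401 user=darren
2023-06-09T11:09:00 10.4.4.12 POST /login 200 user=darren
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, _method, path, status, user = m.groups()
        events.append((datetime.fromisoformat(ts), ip, path, int(status), user))
    return events


def detect_bruteforce(events, window=timedelta(seconds=15), min_failures=4, min_users=3):
    # Sliding window per source IP over failed /login attempts. Many failures
    # across several usernames inside a short window is the signature the
    # task describes; one user mistyping twice over minutes is not.
    failures = defaultdict(list)
    for ts, ip, path, status, user in events:
        if path == "/login" and status == 401:
            failures[ip].append((ts, user))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = [u for t, u in attempts[i:] if t - start <= window]
            if len(in_window) >= min_failures and len(set(in_window)) >= min_users:
                alerts[ip] = {"attempts": len(in_window), "usernames": sorted(set(in_window))}
                break
    return alerts
```

The thresholds are deliberately parameters: the right window and count depend on the application, and a real deployment would also rate-limit or lock out at the login endpoint rather than only alert after the fact.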

Task 22 [10. Server-Side Request Forgery (SSRF)]

Start the machine and the attack box, then open Firefox. Head to the given site, http://MACHINE_IP:8087/.

The first question asks for the host that is allowed into the Admin Area. To find this answer we need to navigate to that page. Look for the three bars (the menu icon) in the upper right and click on them.

Now attempt to open the Admin Area.

Once you attempt, you will be given a message that you were denied access, because you are not the “localhost”. This is the answer to the first question.

The next question asks for the server parameter used by the resume download. Go back to the home page and hover your pointer over the "Download Resume" button at the bottom.

Or alternatively, you can right-click and inspect the button.

Either way, you will notice server=. "secure-file-storage.com" is the answer that we are looking for.

The next question asks us to intercept the request via SSRF.

We are going to the link which should be similar to this:

http://10.10.182.198:8087/download?server=secure-file-storage.com:8087&id=75482342

The next step is to remove secure-file-storage.com and replace it with the IP of your AttackBox.

Open your terminal and start a netcat listener with the command:

nc -lvnp 8087

Once the netcat listener is running, open the altered link. Keep an eye on the terminal to get the flag.

EXTRA CREDIT (BECAUSE WHY NOT)
note: You don’t have to grab this flag to finish the room, feel free to skip this, or continue on for your own information.

We are going to work on the server’s link to get into the Admin Area.

http://10.10.182.198:8087/download?server=secure-file-storage.com:8087&id=75482342

We already know from the first question that only "localhost" has access to the area. So we are going to point the server parameter at localhost's admin page by using "server=http://localhost:8087/admin#&id=75482342".

The link still works as before, so we need to separate the id from the server value. But if you drop "id=75482342" the link will not work. So, we have to keep the link intact while breaking the server apart from the id. I had to do a lot of digging for this.

I figured out that you can use a method similar to SQL injection to break up the server and id in the link (obfuscation). Some forums call it "escaping the # (hash)". To learn more about this, read here. To break up the server and id we URL-encode the #, changing it to %23. It should look like this:

server=http://localhost:8087/admin%23&id=75482342

Take this and insert it into the URL to get this:

http://10.10.190.86:8087/download?server=http://localhost:8087/admin%23&id=75482342

You should get the flag and feel a sense of accomplishment, because you completed an optional task that required research and persistence.

_________________________________________________________

Explore the website. What is the only host allowed to access the admin area? Answer Format: *********

Hint: Try to access the admin area. Can you find any useful info in the error messages?

Answer: localhost

Check the “Download Resume” button. Where does the server parameter point to? Answer Format: ***********************

Answer: secure-file-storage.com

Using SSRF, make the application send the request to your AttackBox instead of the secure file storage. Are there any API keys in the intercepted request? Answer Format: ***{************************}

Answer: THM{Hello_Im_just_an_API_key}

Going the Extra Mile: There’s a way to use SSRF to gain access to the site’s admin area. Can you find it?

Note: You won’t need this flag to progress in the room. You are expected to do some research in order to achieve your goal.
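Both SSRF flags come from the same root cause: the backend fetches whatever host the server parameter names. As an added example (my code; the room does not show its backend, so the URL template it builds is an assumption), here is the vulnerable URL construction beside a validator that accepts only an allowlisted host[:port], refuses loopback and private addresses, and rejects any path, fragment or percent-encoded #, which is what closes the %23 trick used above.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts the backend may fetch from; anything else is refused.
ALLOWED_HOSTS = {"secure-file-storage.com"}
ALLOWED_PORTS = {80, 443, 8087}


def build_fetch_url_vulnerable(server, file_id):
    # Assumed shape of the room's backend (the room does not show its code):
    # the client-supplied server value is pasted into the URL as-is, so a
    # value like localhost:8087/admin%23 retargets the request and, once
    # decoded, turns the rest of the URL into a fragment.
    return f"http://{server}/download?id={file_id}"


def is_internal_host(host):
    # Defence in depth: refuse loopback and private/link-local addresses
    # even if someone later widens the allowlist to an IP literal.
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def validate_server(server):
    # Accept only host[:port]: no scheme, userinfo, path, query or fragment.
    # Percent-encoded tricks such as %23 live in the path, which is rejected
    # outright, and the host must match the allowlist exactly.
    if any(marker in server for marker in ("://", "@", "/", "#", "?", "%")):
        raise ValueError("server must be host[:port]")
    parts = urlsplit("//" + server)
    host, port = parts.hostname, parts.port or 80
    if host is None or host not in ALLOWED_HOSTS or is_internal_host(host):
        raise ValueError(f"host not allowed: {host!r}")
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    return host, port


def build_fetch_url_fixed(server, file_id):
    host, port = validate_server(server)
    if not file_id.isdigit():
        raise ValueError("id must be numeric")
    return f"http://{host}:{port}/download?id={file_id}"
```

Even better than validating a client-supplied host is not accepting one at all: if the only legitimate target is secure-file-storage.com, the parameter should not exist and the backend should hold that host in its own configuration.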


Task 23 [What’s Next]

Read the above!

Room is finished.
