TryHackMe: OWASP Top 10 – Walkthrough

September 11, 2023
September 11, 2023 Jasper

Hi! In this article I will cover THMs room on the OWASP top 10, a list of the most critical web security risks. Join me!

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THMs rooms. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

OWASP Top 10 Room Banner

OWASP Top 10 Room Banner

Room URL: https://tryhackme.com/room/owasptop10


Task 1: Introduction

The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. The OWASP Top 10 is a book/referential document outlining the 10 most critical security concerns for web application security. These include:

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entity
  • Broken Access Control
  • Security Misconfiguration
  • Cross-site Scripting
  • Insecure Deserialization
  • Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

Questions

Read the above.

Answer: No answer needed


Task 2: Accessing machines

Nothing to do here but accessing TryHackMe’s VPN or starting up the AttackBox.

Questions

Connect to our network or deploy the AttackBox.

Answer: No answer needed


Task 3: Severity 1 — Injection

Injection flaws are very common in applications today. These flaws occur because user controlled input is interpreted as actual commands or parameters by the application. Injection attacks depend on what technologies are being used and how exactly the input is interpreted by these technologies. Some common examples include:

  • SQL Injection: This occurs when user controlled input is passed to SQL queries. As a result, an attacker can pass in SQL queries to manipulate the outcome of such queries.
  • Command Injection: This occurs when user input is passed to system commands. As a result, an attacker is able to execute arbitrary system commands on application servers.

If an attacker is able to successfully pass input that is interpreted correctly, they would be able to do the following:

  • Access, Modify and Delete information in a database when this input is passed into database queries. This would mean that an attacker can steal sensitive information such as personal details and credentials.
  • Execute Arbitrary system commands on a server that would allow an attacker to gain access to users’ systems. This would enable them to steal sensitive data and carry out more attacks against infrastructure linked to the server on which the command is executed.

The main defence for preventing injection attacks is ensuring that user controlled input is not interpreted as queries or commands. There are different ways of doing this:

  • Using an allow list: when input is sent to the server, this input is compared to a list of safe input or characters. If the input is marked as safe, then it is processed. Otherwise, it is rejected and the application throws an error.
  • Stripping input: If the input contains dangerous characters, these characters are removed before they are processed.

Questions

I’ve understood Injection attacks.

Answer: No answer needed


Task 4: Severity 1 — OS Command Injection

Command Injection occurs when server-side code (like PHP) in a web application makes a system call on the hosting machine. It is a web vulnerability that allows an attacker to take advantage of that made system call to execute operating system commands on the server. The worst thing they could do would be to spawn a reverse shell to become the user that the web server is running as. A simple nc -e /bin/bash is all that’s needed and they own your server.

Once the attacker has a foothold on the web server, they can start the usual enumeration of your systems and start looking for ways to pivot around.  Now that we know what command injection is, we’ll start going into the different types and how to test for them.

Questions

I’ve understood command injection.

Answer: No answer needed


Task 5: Severity 1  –  Command Injection Practical

What is Active Command Injection?

Blind command injection occurs when the system command made to the server does not return the response to the user in the HTML document. Active command injection will return the response to the user. It can be made visible through several HTML elements. We know that active command injection occurs when you can see the response from the system call.

We can use these commands to answer the following questions:

Linux

  • whoami
  • id
  • ifconfig/ip addr
  • uname -a
  • ps -ef

Windows

  • whoami
  • ver
  • ipconfig
  • tasklist
  • netstat -an

To complete the questions below, navigate to http://MACHINE_IP/evilshell.php.

Questions

What strange text file is in the website root directory?

We are met by a input field which is vulnerable to command injection. Let’s see what we can do.
Let’s start looking in the root directory by entering lsin the EvilShell input text field. We get the following result:

EvilShell ls command

EvilShell ls command

The file drpepper.txt looks interesting! Note: we can actually read it by writing cat drpepper.txt.

Answer: drpepper.txt

How many non-root/non-service/non-daemon users are there?

You can find a list of all users by looking at the following command:

EvilShell reading passwd

EvilShell reading passwd

Human users have a UUID of greater than 1000, which is the third column printed out by the command. You can see that no users have a UUID of over 1000, so all users listed are root/service/daemon users.

Answer: 0

What user is this app running as?

This one is easy. Insert whoamiin the input field. The user is www-data. www-data is the user that web servers on Ubuntu (Apache, nginx, for example) use by default for normal operation

Answer: www-data

What is the user’s shell set as?

If you look at the passwd file again, you can find the following info on the current user:

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

The final “column” is the shell.

nologin shell

nologin shell

Answer: /usr/sbin/nologin

What version of Ubuntu is running?

Run the following command:

lsb_release -a
lsb_release command to get info on Linux

lsb_release command to get info on Linux

Answer: 18.04.4

Print out the MOTD. What favourite beverage is shown?

MOTD stands for Message Of The Day. A little bit of help from Google tells us that the MOTD is set in a file usually located in /etc/update-motd.d. In this file there are different headers, and the answer is hidden in the 00-header. Write cat /etc/update-motd.d/00-header in the input field and you will find the answer.

MOTD message

MOTD message

PS: Technically you could have gotten this answer by remembering the text file we found during the first question.

Answer: dr pepper


Task 6: Severity 2  – Broken Authentication

Authentication and session management constitute core components of modern web applications. Authentication allows users to gain access to web applications by verifying their identities. The most common form of authentication is using a username and password mechanism. A user would enter these credentials, the server would verify them. If they are correct, the server would then provide the users’ browser with a session cookie. A session cookie is needed because web servers use HTTP(S) to communicate which is stateless. Attaching session cookies means that the server will know who is sending what data. The server can then keep track of users’ actions.

If an attacker is able to find flaws in an authentication mechanism, they would then successfully gain access to other users’ accounts. This would allow the attacker to access sensitive data (depending on the purpose of the application). Some common flaws in authentication mechanisms include:

  • Brute force attacks: If a web application uses usernames and passwords, an attacker is able to launch brute force attacks that allow them to guess the username and passwords using multiple authentication attempts.
  • Use of weak credentials: web applications should set strong password policies. If applications allow users to set passwords such as ‘password1’ or common passwords, then an attacker is able to easily guess them and access user accounts. They can do this without brute forcing and without multiple attempts.
  • Weak Session Cookies: Session cookies are how the server keeps track of users. If session cookies contain predictable values, an attacker can set their own session cookies and access users’ accounts.

There can be various mitigation for broken authentication mechanisms depending on the exact flaw:

  • To avoid password guessing attacks, ensure the application enforces a strong password policy.
  • To avoid brute force attacks, ensure that the application enforces an automatic lockout after a certain number of attempts. This would prevent an attacker from launching more brute force attacks.
  • Implement Multi Factor Authentication — If a user has multiple methods of authentication, for example, using username and passwords and receiving a code on their mobile device, then it would be difficult for an attacker to get access to both credentials to get access to their account.

Questions

I’ve understood broken authentication mechanisms.

Answer: No answer needed


Task 7: Severity 2 – Broken Authentication Practical

For this example, we’ll be looking at a logic flaw within the authentication mechanism. A lot of times what happens is that developers forgets to sanitize the input(username & password) given by the user in the code of their application, which can make them vulnerable to attacks like SQL injection. However, we are going to focus on a vulnerability that happens because of a developer’s mistake but is very easy to exploit i.e re-registration of an existing user.

Let’s understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter “ admin”(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. That new user will also be able to see all the content presented under the user admin.

Questions

What is the flag that you found in darren’s account?

Let’s try to create a new user. We will try to use the name darren, but unfortunately we you get the following message:

User already registered

User already registered

Let’s try again with an extra whitespace before “darren”. We get registrered and if we afterwards try to login we can see we got access to darren’s profile:

Darren flag

Darren flag

What likely happened on the backend is that the developer has not checked for whitespace, and thus when loading data for “ darren”, you get to see data for “darren”.

Answer: fe86079416a21a3c99937fea8874b667

Now try to do the same trick and see if you can login as arthur.

Same as before. Create a new user with “ arthur”, and try logging in to it. Succes!

Answer: No answer needed

What is the flag that you found in arthur’s account?

We get access and see the flag.

Answer: d9acc0f7db4fda460ac3edeb75d75e16e


Task 8: Severity 3 – Sensitive Data Exposure  – Introduction

When a webapp accidentally divulges sensitive data, we refer to it as “Sensitive Data Exposure”. This is often data directly linked to customers (e.g. names, dates-of-birth, financial information, etc.), but could also be more technical information, such as usernames and passwords. At more complex levels this often involves techniques such as a “Man in The Middle Attack”, whereby the attacker would force user connections through a device which they control, then take advantage of weak encryption on any transmitted data to gain access to the intercepted information (if the data is even encrypted in the first place…).

The web application in this box contains one such vulnerability. Deploy the machine, then read through the supporting material in the following tasks as the box boots up.

Questions

Read the introduction to Sensitive Data Exposure and deploy the machine.

Answer: No answer needed.


Task 9: Severity 3 – Sensitive Data Exposure  – Supporting Material 1

The most common way to store a large amount of data in a format that is easily accessible from many locations at once is in a database. This is obviously perfect for something like a web application, as there may be many users interacting with the website at any one time. Database engines usually follow the Structured Query Language (SQL) syntax; however, alternative formats (such as NoSQL) are rising in popularity.

In a production environment it is common to see databases set up on dedicated servers, running a database service such as MySQL or MariaDB; however, databases can also be stored as files. These databases are referred to as “flat-file” databases, as they are stored as a single file on the computer. Usually this would not be a problem for a webapp, but what happens if the database is stored underneath the root directory of the website (i.e. one of the files that a user connecting to the website is able to access)? Well, we can download it and query it on our own machine, with full access to everything in the database. Sensitive Data Exposure indeed!

The most common (and simplest) format of flat-file database is an sqlite database. These can be interacted with in most programming languages, and have a dedicated client for querying them on the command line. This client is called “sqlite3”, and is installed by default on Kali.

Let’s suppose we have successfully managed to download a database. To access it we use: sqlite3 <database-name>.

From here we can see the tables in the database by using the .tables command:

At this point we can dump all of the data from the table, but we won’t necessarily know what each column means unless we look at the table information. First let’s use PRAGMA table_info(customers); to see the table information, then we’ll use SELECT * FROM customers; to dump the information from the table:

Questions

Read and understand the supporting material on SQLite Databases.

Answer: No answer needed.


Task 10: Severity 3 – Sensitive Data Exposure  –  Supporting Material 2

In the previous task we saw how to query an SQLite database for sensitive data. We found a collection of password hashes, one for each user. In this task we will briefly cover how to crack these. When it comes to hash cracking, Kali comes pre-installed with various tools.

Instead we will be using the online tool: Crackstation. This website is extremely good at cracking weak password hashes. For more complicated hashes we would need more sophisticated tools; however, all of the crackable password hashes used in today’s challenge are weak MD5 hashes, which Crackstation should handle very nicely indeed.

It’s worth noting that Crackstation works using a massive wordlist. If the password is not in the wordlist then Crackstation will not be able to break the hash.

Questions

Read the supporting material about cracking hashes.

Answer: No answer needed.


Task 11: Severity 3  – Sensitive Data Exposure (Challenge)

It’s now time to put what you’ve learnt into practice!

Questions

Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory. What is the name of the mentioned directory?

If you look in the source code for the webapp you can find the following message:

Sensitive data source code

Sensitive data source code

Answer: /assets

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Navigate to the directory by adding /assets after the machines IP address.

Taking a look at the assets directory

Taking a look at the assets directory

webapp.db sure looks interesting!

Answer: webapp.db

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Download the database file, open your terminal, and access the database by writing sqlite3 webapp.db. Proceed by entering .tables to list all tables in the database. Then write PRAGMA table_info(users) to see the columns of the users table.

Printing the columns of the user table

Printing the columns of the user table

Finally write the following SQL query to select all rows from the user table:

SELECT * FROM users;

SELECTing all users

SELECTing all users

We have gotten access to usernames and hashed passwords.

Answer: 6eea9b7ef19179a06954edd0f6c05ceb

Crack the hash. What is the admin’s plaintext password?

To get the answer to this question we can use https://crackstation.net/.

Enter the hashed password and let the website run. You should get the answer quickly! Spoiler: it’s very insecure!

Answer: qwertyuiop

Login as the admin. What is the flag?

Go back to the webapp and enter the initials.

Logging in as the admin

Logging in as the admin

And we got access once more!

We found the admin flag!

We found the admin flag!

Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}


Task 12: Severity 4  - XML External Entity

An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.

There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
1) An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload.

2) out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.

Questions

Deploy the machine attached to the task.

Answer: No answer needed.


Task 13: Severity 4 –  XML External Entity –  eXtensible Markup Language

What is XML?

XML (eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is a markup language used for storing and transporting data.

Syntax

Every XML document mostly starts with what is known as XML Prolog.

<?xml version="1.0" encoding="UTF-8"?>

The above line is called XML prolog and it specifies the XML version and the encoding used in the XML document. This line is not compulsory to use but it is considered a `good practice` to put that line in all your XML documents.

Every XML document must contain a `ROOT` element. For example:

<?xml version="1.0" encoding="UTF-8"?>
<mail>
    <to>falcon</to>
    <from>feast</from>
    <subject>About XXE</subject>
    <text>Teach about XXE</text>
</mail>

In the above example the <mail> is the ROOT element of that document and <to>, <from>, <subject>, <text> are the children elements. If the XML document doesn’t have any root element then it would be consideredwrong or invalid XML doc.

Questions

Full form of XML

XML stands for Extensible Markup Language

Answer: extensible markup language

Is it compulsory to have XML prolog in XML documents?

This is not required, but strongly encouraged!

Answer: No

Can we validate XML documents against a schema?

Yes, of course we can. That is the whole point of a markup language.

Answer: Yes

How can we specify XML version and encoding in XML document?

We do this in the line that looks like this:

<?xml version="1.0" encoding="UTF-8"?>

We can this a XML prolog.

Answer: XML prolog


Task 14: Severity 4  – XML External Entity  –  DTD

Before we move on to start learning about XXE we’ll have to understand what is DTD in XML. DTD stands for Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document.

Let us try to understand this with the help of an example. Say we have a file named note.dtd with the following content:

<!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]>

Now we can use this DTD to validate the information of some XML document and make sure that the XML file conforms to the rules of that DTD.

Ex: Below is given an XML document that uses note.dtd

<?xml version=”1.0" encoding=”UTF-8"?>
<!DOCTYPE note SYSTEM “note.dtd”>
<note>
<to>falcon</to>
<from>feast</from>
<heading>hacking</heading>
<body>XXE attack</body>
</note>

So now let’s understand how that DTD validates the XML. Here’s what all those terms used in note.dtd mean

  • !DOCTYPE note — Defines a root element of the document named note
  • !ELEMENT note — Defines that the note element must contain the elements: “to, from, heading, body”
  • !ELEMENT to — Defines the to element to be of type “#PCDATA”
  • !ELEMENT from — Defines the from element to be of type “#PCDATA”
  • !ELEMENT heading — Defines the heading element to be of type “#PCDATA”
  • !ELEMENT body — Defines the body element to be of type “#PCDATA”

NOTE: #PCDATA means parseable character data.

Questions

How do you define a new ELEMENT?

Answer: !ELEMENT

How do you define a ROOT element?

Answer: !DOCTYPE

How do you define a new ENTITY?

Answer: !ENTITY


Task 15: Severity 4 - XML External Entity - XXE Payload

Now we’ll see some XXE payload and see how they are working.

1) The first payload we’ll see is very simple. If you’ve read the previous task properly then you’ll understand this payload very easily.

<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
    <firstName>falcon</firstName>
    <lastName>&name;</lastName>
</userInfo>

As we can see we are defining a ENTITY called name and assigning it a value feast. Later we are using that ENTITY in our code.

2) We can also use XXE to read some file from the system by defining an ENTITY and having it use the SYSTEM keyword.

Reading passwd file through XXE

Reading passwd file through XXE

Here again, we are defining an ENTITY with the name read but the difference is that we are setting it value to `SYSTEM` and path of the file.

If we use this payload then a website vulnerable to XXE(normally) would display the content of the file etc/passwd.

Questions

Try the payload mentioned in description on the website.

Answer: No answer needed.


Task 16: Severity 4 - XML External Entity — Exploiting

Now let us see some payloads in action. The payload that I’ll be using are the ones we saw in the previous task.

Questions

Try to display your own name using any payload.

I slightly adjusted the payload from the previous task:

<!DOCTYPE replace [<!ENTITY name “Jasper Alblas”> ]>
<userInfo>
    <name>&name;</name>
</userInfo>
Printing my name with XXE

Printing my name with XXE

It basically declares a a new entity called name and sets it to my name. Then we use it inside the userInfo and name XML tags.

Answer: No answer needed.

See if you can read the etc/passwd.

Yes we can:

XXE Attack

XXE Attack

I used the following example:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM "file:///etc/passwd">]> 
<root>&read;</root>

We set a new entity, and set it equals to the output from reading the passwd file. Afterwards we display this inside a root XML tag.

Answer: No answer needed.

What is the name of the user in etc/passwd.

If you know a little about the passwd file, it gives the following information about each user:

  • User name.
  • Encrypted password.
  • User ID number (UID)
  • User’s group ID number (GID)
  • Full name of the user (GECOS)
  • User home directory.
  • Login shell.

The important thing about the UID is that real users have a UID that is higher than 1000. In the bottom of the output we have the following line:

falcon:x:1000:1000:falcon,,,:/home/falcon:/bin/bash

Answer: falcon

Where is falcon’s SSH key located?

We know falcon’s home directory is located at /home/falcon. SSH keys are found within the .ssh directory within the home directory, and the private key is called id_rsa.

Answer: /home/falcon/.ssh/id_rsa

What are the first 18 characters for falcon’s private key?

We can use a similar XXE payload as when we read the passwd file, but this time change it to read the id_rsa key:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM "file:///home/falcon/.ssh/id_rsa">]> 
<root>&read;</root>
Reading the private key

Reading the private key

Answer: MIIEogIBAAKCAQEA7b


Task 17: Severity 5 –  Broken Access Control

Websites have pages that are protected from regular visitors, for example only the site’s admin user should be able to access a page to manage other users. If a website visitor is able to access the protected page/pages that they are not authorised to view, the access controls are broken.

A regular visitor being able to access protected pages, can lead to the following:

  • Being able to view sensitive information
  • Accessing unauthorized functionality

OWASP have a listed a few attack scenarios demonstrating access control weaknesses:

Scenario #1: The application uses unverified data in a SQL call that is accessing account information. An attacker simply modifies the ‘acct’ parameter in the browser to send whatever account number they want.

http://example.com/app/accountInfo?acct=notmyacct

Scenario #2: An attacker simply force browses to target URLs. Admin rights are required for access to the admin page.

http://example.com/app/admin_getappInfo

To put simply, broken access control allows attackers to bypass authorization which can allow them to view sensitive data or perform tasks as if they were a privileged user.

Questions

Read and understand how broken access control works.

Answer: No answer needed


Task 18: Severity 5  - Broken Access Control (IDOR Challenge)

IDOR, or Insecure Direct Object Reference, is the act of exploiting a misconfiguration in the way user input is handled, to access resources you wouldn’t ordinarily be able to access. IDOR is a type of access control vulnerability.

For example, let’s say we’re logging into our bank account, and after correctly authenticating ourselves, we get taken to a URL like this https://example.com/bank?account_number=1234.

There is however a potentially huge problem here, a hacker may be able to change the account_number parameter to something else like 1235, and if the site is incorrectly configured, then he would have access to someone else’s bank information.

Questions

Read and understand how IDOR works.

Answer: No answer needed

Deploy the machine and go to http://MACHINE_IP — Login with the username being noot and the password test1234.

Answer: No answer needed

Look at other users notes. What is the flag?

Log in with the username noot and password test1234.

Logged in as noot

Logged in as noot

You will see that there is a GET parameter set in the url called note. Let’s see if we can access other users’ notes by changing this value. When we change it to 0 we get the following answer:

Found note 0 flag

Found note 0 flag

Answer: flag{fivefourthree}


Task 19: Severity 6 – Security Misconfiguration

Security Misconfigurations are distinct from the other Top 10 vulnerabilities, because they occur when security could have been configured properly but was not.

Security misconfigurations include:

  • Poorly configured permissions on cloud services, like S3 buckets
  • Having unnecessary features enabled, like services, pages, accounts or privileges
  • Default accounts with unchanged passwords
  • Error messages that are overly detailed and allow an attacker to find out more about the system
  • Not using HTTP security headers, or revealing too much detail in the Server: HTTP header

This vulnerability can often lead to more vulnerabilities, such as default credentials giving you access to sensitive data, XXE or command injection on admin pages.

Default Passwords

Specifically, this VM focusses on default passwords. These are a specific example of a security misconfiguration. You could, and should, change any default passwords but people often don’t.

It’s particularly common in embedded and Internet of Things devices, and much of the time the owners don’t change these passwords.

Questions

Deploy the VM

Answer: No answer needed

Hack into the webapp, and find the flag!

Visit the webapp in your browser:

Logging into Pensive

Logging into Pensive

Now we need to try different initials to gain access. I have to admit, this took me some time to figure out. I first started looking into the source code in the browser but I could not find anything there.

But if you google Pensive Notes you get to the following Github repository:

https://github.com/NinjaJc01/PensiveNotes

In the documentation the following is written:

Pensive notes

Pensive notes

Let’s use these default credentials. And YAY, we got access:

Succesfully logged in to Pensive

Succesfully logged in to Pensive

Answer: thm{4b9513968fd564a87b28aa1f9d672e17}


Task 20: Severity 7  –  Cross-site scripting

Cross-site scripting, also known as XSS is a security vulnerability typically found in web applications. It’s a type of injection which can allow an attacker to execute malicious scripts and have it execute on a victim’s machine. A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS. There are three main types of cross-site scripting:

  1. Stored XSS — the most dangerous type of XSS. This is where a malicious string originates from the website’s database. This often happens when a website allows user input that is not sanitised (remove the “bad parts” of a users input) when inserted into the database.
  2. Reflected XSS — the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
  3. DOM-Based XSS — DOM stands for Document Object Model and is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content.

XSS Payloads

Remember, cross-site scripting is a vulnerability that can be exploited to execute malicious Javascript on a victim’s machine. Check out some common payloads types used:

  • Popup’s (<script>alert(“Hello World”)</script>) — Creates a Hello World message popup on a users browser.
  • Writing HTML (document.write) — Override the website’s HTML to add your own (essentially defacing the entire page).
  • XSS Keylogger — You can log all keystrokes of a user, capturing sensitive information they type into the webpage.
  • Port scanning — A mini local port scanner (more information on this is covered in the TryHackMe XSS room).

XSS-Payloads.com (http://www.xss-payloads.com/) is a website that has XSS related Payloads, Tools, Documentation and more.

Questions

Deploy the VM

Answer: No answer needed

Navigate to http://MACHINE_IP/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.

Click on the “Reflective XSS” tab:

Reflective XSS

Reflective XSS

Let’s enter a XSS payload in the search field like so:

Entering the XSS payload

Entering the XSS payload

All we are doing is entered some simple Javascript into the field and this gets output. This works because you can see in the source code that your payload is executed directly on the webpage.
<h6>You searched for: [Your input will be input directly in here]</h6>

The alert box pops up:

Alert Box triggered

Alert Box triggered

Followed by the flag:

Alert Box printing the flag

Alert Box printing the flag

Answer: ThereIsMoreToXSSThanYouThink

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

They payload you should insert is the following:

<script>alert(window.location.hostname)</script>

This gives the following popups:

Popup with IP

Popup with IP

Popup with flag

Popup with flag

Answer: ReflectiveXss4TheWin

Now navigate to http://MACHINE_IP/ in your browser and click on the “Stored XSS” tab on the navbar; make an account. Then add a comment and see if you can insert some of your own HTML.

Move to the “stored XXS tab”. Register a new user with initials you decide yourself and login to get to the following screen:

Stored XSS challenge

I opted to add the following HTML:

Adding comment with bold tags

Adding comment with bold tags

This works, as you can see in the last comment, so we can add HTML to the page!

Answer: HTML_T4gs

On the same page, create an alert popup box appear on the page with your document cookies.

You can access your cookie through javascript like follows:

<script>alert(document.cookie)</script>

Entering this script in the comment input and submitting makes the following info pop up:

Cookie info popup

Cookie info popup

Followed by:

Popup with flag 2

Popup with flag 2

Answer: W3LL_D0N3_LVL2

Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.

If you look at the source code, the “XSS Playground” text has an id set to ‘thm-title’.

XSS Playground span tag

XSS Playground span tag

In Javascript we can change the text contents of a tag with a id like this:

document.getElementById(id).innerHTML = “I am a hacker”

Enter this into the input field and you get the result:

Stored XSS flag 3

Stored XSS flag 3

Answer: websites_can_be_easily_defaced_with_xss


Task 21: Severity 8 – Insecure Deserialisation

Insecure deserialisation is replacing data processed by an application with malicious code; allowing anything from DoS (Denial of Service) to RCE (Remote Code Execution) that the attacker can use to gain a foothold in a pentesting scenario. Specifically, this malicious code leverages the legitimate serialisation and deserialisation process used by web applications. We’ll be explaining this process and why it is so commonplace in modern web applications.

What’s Vulnerable?

At summary, ultimately, any application that stores or fetches data where there are no validations or integrity checks in place for the data queried or retained. A few examples of applications of this nature are:

– E-Commerce Sites
– Forums
– API’s
– Application Runtimes (Tomcat, Jenkins, Jboss, etc)

Questions

Who developed the Tomcat application?

Answer: The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialisation?

Answer: Denial Of Service


Task 22: Severity 8 – Insecure Deserialization - Objects

A prominent element of object-oriented programming (OOP), objects are made up of two things:

  • State
  • Behaviour

Simply, objects allow you to create similar lines of code without having to do the leg-work of writing the same lines of code again.

For example, a lamp would be a good object. Lamps can have different types of bulbs, this would be their state, as well as being either turned on/off — their behaviour!

Questions

Select the correct term of the following statement: if a dog was sleeping, would this be:

A) A State
B)
A Behaviour

A dog’s number of legs would be a state, in other words a property. Sleeping is a function and therefore a behaviour.

Answer: a behaviour


Task 23: Severity 8 – Insecure Deserialization - Deserialization

Serialisation is the process of converting objects used in programming into simpler, compatible formatting for transmitting between systems or networks for further processing or storage. Alternatively, deserialisation is the reverse of this; converting serialised information into their complex form — an object that the application will understand.

What does this mean?

Say you have a password of “password123” from a program that needs to be stored in a database on another system. To travel across a network this string/output needs to be converted to binary. Of course, the password needs to be stored as “password123” and not its binary notation. Once this reaches the database, it is converted or deserialised back into “password123” so it can be stored.

How can we leverage this?

Simply, insecure deserialization occurs when data from an untrusted party gets executed because there is no filtering or input validation; the system assumes that the data is trustworthy and will execute it no holds barred.

Questions

What is the name of the base-2 formatting that data is sent across a network as?

Base-2 means two possible values: ones and zeroes. We call this formatting binary!

Answer: binary


Task 24: Severity 8 – Insecure Deserialization – Cookies

Cookies are an essential tool for modern websites to function. Tiny pieces of data, these are created by a website and stored on the user’s computer. Websites use these cookies to store user-specific behaviours like items in their shopping cart or session IDs.

Whilst plaintext credentials is a vulnerability in itself, it is not insecure deserialisation as we have not sent any serialised data to be executed!

Cookies are not permanent storage solutions like databases. Some cookies such as session ID’s will clear when the browser is closed, others, however, last considerably longer. This is determined by the “Expiry” timer that is set when the cookie is created.

Some cookies have additional attributes, a small list of these are below:

AttributeDescriptionRequired?
Cookie NameThe Name of the Cookie to be setYes
Cookie ValueValue, this can be anything plaintext or encodedYes
Secure OnlyIf set, this cookie will only be set over HTTPS connectionsNo
ExpirySet a timestamp where the cookie will be removed from the browserNo
PathThe cookie will only be sent if the specified URL is within the requestNo

Questions

If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

This question is simple. The path must match the specified URL within the request, so it is equal to the cookie path here.

Answer: webapp.com/login

What is the acronym for the web technology that Secure cookies work over?

The answer here is Hypertext Transfer Protocol Secure (HTTPS), which is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL).

Answer: HTTPS


Task 25: Severity 8 – Insecure Deserialization  –  Cookies Practical

Navigate to the ip of the target machine.

Let’s create an account. No need to enter your TryHackMe details, you can enter what you like. Afterwards login and you will be directed to your profile page. Right-Click the Page and press Inspect Element. Navigate to the Storage tab. Here you can see the cookies:

Looking at the cookies

Looking at the cookies

Inspecting Encoded Data

You will see here that there are cookies are both plaintext encoded and base64 encoded. The first flag will be found in one of these cookies. Notice here that you have a cookie named “userType”. You are currently a user, as confirmed by your information on the “myprofile” page. This application determines what you can and cannot see by your userType. What if you wanted to be come an admin?

Double left-click the Value column of userType to modify the contents. Let’s change our userType to admin and navigate to http://<target ip>/admin to answer the second flag.

Questions

1st flag (cookie value)

There is a value for sessionId, but it is base64 encoded.

sessionId cookie value (base64 encoded)

The value is: gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAMDhkN2NhZDgyZmQ2NDg5MDg2OTNjN2QwYTU3ZWFiMmNxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==

You can enter it on the following website to decode it (make sure to select decode):

https://www.base64encode.org/

Answer: THM{good_old_base64_huh}

2nd flag (admin dashboard)

Make sure you edited the value of the userType cookie to admin:

userType admin

userType admin

Visit the admin page. Here you will find the answer.

Answer: THM{heres_the_admin_flag}


Task 26: SEV 8 – Insecure Deserialization –  Code Execution

1. First, change the value of the userType cookie from admin to user and return to http://<ip>/myprofile.

2. Then, left-click on the URL in Exhange your vim.

3. Once you have done this, left-click on the URL in Provide your feedback! where you will be directed to a page with a form.

What makes this form vulnerable?

If a user was to enter their feedback, the data will get encoded and sent to the Flask application (presumably for storage within a database for example). However, the application assumes that any data encoded is trustworthy.

The Exploit

First, we need to set up a netcat listener on our Kali.

Setting up a netcat listener

Setting up a netcat listener

Because the code being deserialised is from a base64 format, we cannot just simply spawn a reverse shell. We must encode our own commands in base64 so that the malicious code will be executed.

We can do this using the code found here: copy-and-paste the source code from this python file (pickelme.py). All this script does is basicly creating the script for a reverse shell, and base64 encoding it afterwards. Let’s take it into steps:

1. Create a python file to paste into, I have used rce.py for these examples. Paste the codefrom Github into your file. Alternatively you can download the source code file and modify that file itself in the next step.

2. Replace YOUR_TRYHACKME_VPN_IP with your TryHackMe VPN IP from the access page.

3. Execute rce.py via python3 rce.py

4. Note the base64 encoded output of the command, it will look something similar to this:

Script base64 encoded output

Script base64 encoded output

5. Copy and paste everything in-between the two quotation marks.

6. Paste this into the encodedPayload cookie in your browser:

Updating the encodedPayload value

Updating the encodedPayload value

7. Ensure our netcat listener is still running. Reminder: nc -lvnp 4444

8. Refresh the page. It will freeze. Now refer back to your netcat listener:

Receiving the shell

Receiving the shell

If you have performed the steps correctly, you will now have a remote shell to your instance. No privilege escalation involved. It is time to look for the flag.txt flag!

Questions

flag.txt

Follow all the steps. Setup the netcat listener, create a python file, insert the code from Github, paste in your attacking machine ip, run the script, and insert the output in the “encodedPayload” cookie. This will give you a remote shell to the instance. Go up a level, and you will find the flag.txt file.

Finding the flag

Finding the flag

Answer: 4a69a7ff9fd68


Task 27: Severity 9 – Components With Known Vulnerabilities – Intro

Occasionally, you may find that the company/entity that you’re pen-testing is using a program that already has a well documented vulnerability.

For example, let’s say that a company hasn’t updated their version of WordPress for a few years, and using a tool such as wpscan, you find that it’s version 4.6. Some quick research will reveal that WordPress 4.6 is vulnerable to an unauthenticated remote code execution(RCE) exploit, and even better you can find an exploit already made on exploit-db.

As you can see this would be quite devastating, because it requires very little work on the part of the attacker as often times since the vulnerability is already well known, someone else has made an exploit for the vulnerability. The situation becomes even worse when you realize, that it’s really quite easy for this to happen, if a company misses a single update for a program they use, they could be vulnerable to any number of attacks.

Questions

Read above.

Answer: No answer needed.


Task 28: Severity 9  –  Components With Known Vulnerabilities  –  Exploit

Recall that since this is about known vulnerabilities, most of the work has already been done for us. Our main job is to find out the information of the software, and research it until we can find an exploit. Let’s go through that with an example web application.

The server is using the default page for the nostromo web server. Now that we have a version number and a software name, we can use exploit-db to try and find an exploit for this particular version.

(Note: exploit-db is incredibly useful, and for all you beginners you’re gonna be using this a lot so it’s best to get comfortable with it)

Finding nostromo exploit

Finding nostromo exploit

Lucky us, the top result happens to be an exploit script. Let’s download it and try and to get code execution. Fortunately for us, the error was caused by an line that should have been commented, so it’s an easy fix. Fixing that, let’s try and run the program again.

Boom! We have RCE. Now it’s important to note here that most scripts will just tell you what arguments you need to provide, exploit developers will rarely make you read potentially hundreds of lines of codes just to figure out how to use the script.

Questions

Read the above!

Answer: No answer needed.


Task 29: Severity 9  –  Components With Known Vulnerabilities - Lab

The following is a vulnerable application, all information you need to exploit it can be found online.

Questions

How many characters are in / etc/passwd?

Visit the web app in the browser.

Welcome to CSE Bookstore

Welcome to CSE Bookstore

So it is a CSE bookstore app. Go to exploit-db, search for bookstore and you will find the following exploit:

https://www.exploit-db.com/exploits/48960

It mentions a admin.php page on which you can login with:

Name: admin
Pass: %' or '1'='1

You now have admin access!

BUT…

We need to get access to the passwd file. There is another exploit that might help:

https://www.exploit-db.com/exploits/48973

This requires us to add some books to our shopping cart (click on a book on the front page), and visit cart.php afterwards.

Shopping card

Shopping card

Here we can insert payloads in the quantity field:

"><svg/onload=alert(5)>
Alert popup

Alert popup

We could try listing directories by entering system commands here.
But there is another exploit which will make things easier:

https://www.exploit-db.com/exploits/47887

Let’s download the script and run it in the terminal.

wget https://www.exploit-db.com/exploits/47887
Downloading the script

Downloading the script

Try running the script:

python3 47887.py
Missing argument

Missing argument

If you run it as is, we are missing a url parameter. Let’s add it and see if it runs.

The exploit worked

Heck yes!

Now all we need it to run the command mentioned in the question. This uses the word count function, but with the -c flag it counts characters instead.

Printing the character count of the passwd file

Printing the character count of the passwd file

Answer: 1611


Task 30: Severity 10 – Insufficient Logging and Monitoring

When web applications are set up, every action performed by the user should be logged. Logging is important because in the event of an incident, the attackers actions can be traced. Once their actions are traced, their risk and impact can be determined. Without logging, there would be no way to tell what actions an attacker performed if they gain access to particular web applications. The bigger impacts of these include:

  • regulatory damage: if an attacker has gained access to personally identifiable user information and there is no record of this, not only are users of the application affected, but the application owners may be subject to fines or more severe actions depending on regulations.
  • risk of further attacks: without logging, the presence of an attacker may be undetected. This could allow an attacker to launch further attacks against web application owners by stealing credentials, attacking infrastructure and more.

The information stored in logs should include:

  • HTTP status codes
  • Time Stamps
  • Usernames
  • API endpoints/page locations
  • IP addresses

These logs do have some sensitive information on them so its important to ensure that logs are stored securely and multiple copies of these logs are stored at different locations.

As you may have noticed, logging is more important after a breach or incident has occurred. The ideal case is having monitoring in place to detect any suspicious activity. The aim of detecting this suspicious activity is to either stop the attacker completely or reduce the impact they’ve made if their presence has been detected much later than anticipated. Common examples of suspicious activity includes:

  • multiple unauthorised attempts for a particular action (usually authentication attempts or access to unauthorised resources e.g. admin pages)
  • requests from anomalous IP addresses or locations: while this can indicate that someone else is trying to access a particular user’s account, it can also have a false positive rate.
  • use of automated tools: particular automated tooling can be easily identifiable e.g. using the value of User-Agent headers or the speed of requests. This can indicate an attacker is using automated tooling.
  • common payloads: in web applications, it’s common for attackers to use Cross Site Scripting (XSS) payloads. Detecting the use of these payloads can indicate the presence of someone conducting unauthorised/malicious testing on applications.

Just detecting suspicious activity isn’t helpful. This suspicious activity needs to be rated according to the impact level. For example, certain actions will higher impact than others. These higher impact actions need to be responded to sooner thus they should raise an alarm which raises the attention of the relevant party.

Questions

What IP address is the attacker using?

This one is easy. If you look in the login-logs.txt file you can see 4 entries with the same ip address, returning a 401 (unauthorized). This must be someone trying different usernames to get into the system!

login-logs file

login-logs file

Answer: 49.99.13.16

What kind of attack is being carried out?

It looks like a brute force attacks, in which different combinations of usernames/passwords are being run within a short time span.

Answer: brute force


Task 31 (What’s next?)

Nothing to do but celebrate our progress! Great job on getting through 31 tasks. This toom me a while to write so thanks for reading!


Like my articles?

I would be so grateful if you support me by buying me a cup of coffee:

Buy me a coffee

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg

, , , , , , , , , , , , , ,