THM | OWASP Top 10 - 2021

Web Hacking Fundamentals | OWASP Top 10 - 2021 | Summary:

This series of walkthroughs aims to help complete beginners finish the Complete Beginner path on the TryHackMe website. It is based on the learning content provided in the OWASP Top 10 - 2021 room.

Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.

Task | 01 | Introduction

Question 1: Read the above.

No answer needed

Task | 02 | Accessing Machines

Question 1: Connect to our network or deploy the AttackBox.

No answer needed

Task | 03 | 1. Broken Access Control

Question 1: Read and understand what broken access control is.

No answer needed

Task | 04 | Broken Access Control (IDOR Challenge)

Question 1: Read and understand how IDOR works.

No answer needed

Question 2: Deploy the machine and go to http://<MACHINE_IP> - Login with the username noot and the password test1234.

No answer needed

Question 3: Look at other users' notes. What is the flag?

<flag>

Task | 05 | 2. Cryptographic Failures

Question 1: Read the introduction to Cryptographic Failures and deploy the machine.

No answer needed

Task | 06 | Cryptographic Failures (Supporting Material 1)

Question 1: Read and understand the supporting material on SQLite Databases.

No answer needed

Task | 07 | Cryptographic Failures (Supporting Material 2)

Question 1: Read the supporting material about cracking hashes.

No answer needed

Task | 08 | Cryptographic Failures (Challenge)

Question 1: Have a look around the web app. The developer has left themselves a note indicating that there is sensitive data in a specific directory. What is the name of the mentioned directory?

/assets

Question 2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

webapp.db

Question 3: Use the supporting material to access the sensitive data. What is the password hash of the admin user?

6eea9b7ef19179a06954edd0f6c05ceb

Question 4: Crack the hash. What is the admin's plaintext password?

qwertyuiop

Question 5: Log in as the admin. What is the flag?

<flag>

Task | 09 | 3. Injection

Question 1: I've understood Injection attacks.

No answer needed

Task | 10 | 3.1. Command Injection

Question 1: What strange text file is in the website's root directory?

drpepper.txt

Question 2: How many non-root/non-service/non-daemon users are there?

0

Question 3: What user is this app running as?

apache

Question 4: What is the user's shell set as?

/sbin/nologin

Question 5: What version of Alpine Linux is running?

3.16.0

Task | 11 | 4. Insecure Design

Question 1: Try to reset joseph's password. Keep in mind the method used by the site to validate if you are indeed joseph.

No answer needed

Question 2: What is the value of the flag in joseph's account?

<flag>

Task | 12 | 5. Security Misconfiguration

Question 1: Navigate to http://<MACHINE_IP>:86/console to access the Werkzeug console.

No answer needed

Question 2: Use the Werkzeug console to run the following Python code to execute the ls -l command on the server: import os; print(os.popen("ls -l").read()). What is the database file name (the one with the .db extension) in the current directory?

todo.db

Question 3: Modify the code to read the contents of the app.py file, which contains the application's source code. What is the value of the secret_flag variable in the source code?

<flag>

Task | 13 | 6. Vulnerable and Outdated Components

Question 1: Read about the vulnerability.

No answer needed

Task | 14 | Vulnerable and Outdated Components - Exploit

Question 1: Read the above!

No answer needed

Task | 15 | Vulnerable and Outdated Components - Lab

Question 1: What is the content of the /opt/flag.txt file?

<flag>

Task | 16 | 7. Identification and Authentication Failures

Question 1: I've understood broken authentication mechanisms.

No answer needed

Task | 17 | Identification and Authentication Failures Practical

Question 1: What is the flag that you found in darren's account?

<flag>

Question 2: Now try to do the same trick and see if you can log in as arthur.

No answer needed

Question 3: What is the flag that you found in arthur's account?

<flag>

Task | 18 | 8. Software and Data Integrity Failures

Question 1: Read the above and continue!

No answer needed

Task | 19 | Software Integrity Failures

Question 1: What is the SHA-256 hash of https://code.jquery.com/jquery-1.12.4.min.js?

sha256-ZosEbRLbNQzLpnKIkEdrPv7lOy9C27hHQ+Xp8a4MxAQ=

Task | 20 | Data Integrity Failures

Question 1: Try logging into the application as guest. What is guest's account password?

guest

Question 2: What is the name of the website's cookie containing a JWT token?

jwt-session

Question 3: Use the knowledge gained in this task to modify the JWT token so that the application thinks you are the user "admin".

No answer needed

Question 4: What is the flag presented to the admin user?

<flag>

Task | 21 | 9. Security Logging and Monitoring Failures

Question 1: What IP address is the attacker using?

49.99.13.16

Question 2: What kind of attack is being carried out?

Brute Force

Task | 22 | 10. Server-Side Request Forgery (SSRF)

Question 1: Explore the website. What is the only host allowed to access the admin area?

localhost

Question 2: Check the "Download Resume" button. Where does the server parameter point to?

secure-file-storage.com

Question 3: Using SSRF, make the application send the request to your AttackBox instead of the secure file storage. Are there any API keys in the intercepted request?

<flag>

Question 4: Going the Extra Mile: There's a way to use SSRF to gain access to the site's admin area. Can you find it?

  • Note: You won't need this flag to progress in the room. You are expected to do some research in order to achieve your goal.

No answer needed

Task | 23 | What Next?

Question 1: Read the above!

No answer needed