THM Room: OWASP Top 10 Answers
Last updated
Just information you can read and solve on your own.
This is found by reading the lsb-release file in the /etc/ directory.
This is found with the command "locate motd". It lists the files that have this name; the question hint mentions "00-header", and one of the listed files has that name, so just cat/view the contents of that file and you have the answer.
Just follow the instructions given in the task.
Repeat the same process
[Severity 3] Sensitive Data Exposure (Challenge)
Read the source of the website's login page; there is a comment left by the developer.
As we learned in the previous section, the "flat_file" database is stored on the disk of the computer.
This is found by following the previously described steps for accessing the database file and dumping it; just replace the name of the database in the command with the user's directory in the database.
Go to the crackstation website and paste the hash; it gives you the password.
Log in to the website with the username admin and the password qwertyuiop. You are now logged into the admin account and they give you the flag.
[Severity 4] XML External Entity - Exploiting
[Severity 5] Broken Access Control (IDOR Challenge)
This can be found by changing the value of the note parameter to 0, like this: http://{machine IP}/note.php?note=0
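The note=0 trick works because note.php trusts the id it is given and never checks who owns the record. The following added example (not code from the room or the web app; the note store and user names are constructed) shows the IDOR-prone lookup beside the hardened one that ties each note to the logged-in user:

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data standing in for the note.php backend
# (assumption: every note carries an owner column).
NOTES = {
    0: {"owner": "admin", "body": "flag{constructed-sample-not-the-real-flag}"},
    1: {"owner": "alice", "body": "hello from alice"},
    2: {"owner": "alice", "body": "buy milk"},
}

def note_id_from_url(url):
    """Pull the 'note' query parameter out of a URL such as
    http://{machine IP}/note.php?note=0 and turn it into an int (None if absent/invalid)."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs["note"][0])
    except (KeyError, ValueError, IndexError):
        return None

def get_note_insecure(url):
    """IDOR-prone lookup: uses the user-supplied id directly and never checks
    ownership, so note=0 hands back another user's note."""
    nid = note_id_from_url(url)
    note = NOTES.get(nid)
    return note["body"] if note else None

def get_note_secure(url, current_user):
    """Hardened lookup: the id still comes from the URL, but the record is
    only returned when it belongs to the authenticated user."""
    nid = note_id_from_url(url)
    note = NOTES.get(nid)
    if note is None or note["owner"] != current_user:
        return None  # same answer for missing and foreign notes: no oracle
    return note["body"]
```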
This can be found by first searching Google for the web app's name; the results show the GitHub page for the web app, where you will find the default username and password.
[Severity 7] Cross-site Scripting
First, register an account in the web app, then go to the "Reflected XSS" tab (you find it on the menu bar at the top) and paste the payload described earlier, which is:
payload = <script>alert("Hello World")</script>
This can be found by using the script described in the hint, which is:
<script>alert(window.location.hostname)</script>
Hint: In JavaScript, window.location.hostname shows your hostname; in this case, your deployed machine's hostname will be its IP.
That will do the trick.
This is done by entering an HTML tag in the comment box. Use the following HTML code, or take it as a reference:
This is the HTML code that does the trick for me.
This flag can be found by adding a script to the comment that reads "document.cookie"; it pops up the cookie in an alert.
script: <script>alert(document.cookie)</script>
This will do the trick.
We get this flag by using the hint script in the comment box; the answer is shown on the page after question no. 3.
script: <script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
[Severity 8] Insecure Deserialization
This is found by googling the Tomcat developer; the results show the name, and the Tomcat wiki has it too. Note: this is the company name, not a person's name.
[Severity 8] Insecure Deserialization - Objects
[Severity 8] Insecure Deserialization - Deserialization
[Severity 8] Insecure Deserialization - Cookies
[Severity 8] Insecure Deserialization - Cookies Practical
This is found by opening the browser's inspect element (developer tools) after registering and logging in, and going to the Storage tab. Among the many columns you will see the sessionId column, whose value is base64 encoded. Copy the whole string and use it with the following command in a Kali Linux terminal:
command: echo '{your cookie string here}' | base64 -d
This decodes the string, and in the decoded output you find the answer string.
This is found by first changing the userType value in the Storage tab of inspect element to admin, like this:
userType | admin
After that, change the URL to http://machine_ip/admin; that takes you to the admin page, where you find the flag.
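The userType edit succeeds because the cookie is only base64 encoded, not signed, so the server cannot tell a client-edited payload from its own. The following added example (not the room's or the web app's code; the secret and session values are constructed) shows an HMAC-signed session cookie and how the same decode-edit-re-encode step is rejected on the way back in:

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret; a real app loads it from configuration, not source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_session_cookie(session: dict) -> str:
    """Serialise the session as JSON, base64 it, and append an HMAC-SHA256 tag
    computed over the encoded payload: '<payload>.<tag>'."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def read_session_cookie(cookie: str):
    """Return the session dict only when the tag verifies; otherwise None.
    Any edit to the payload (such as userType -> admin) changes the bytes the
    tag was computed over, so verification fails."""
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(_unb64(payload))

def edited_usertype(cookie: str, new_type: str) -> str:
    """Reproduce the room's edit for the test only: decode the payload, change
    userType, re-encode it, and keep the old tag."""
    payload, tag = cookie.split(".", 1)
    data = json.loads(_unb64(payload))
    data["userType"] = new_type
    return f"{_b64(json.dumps(data, sort_keys=True).encode())}.{tag}"
```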
[Severity 8] Insecure Deserialization - Code Execution
Q: flag.txt
This is found by first following the steps described in the room: download the exploit, change its value to your IP, and run it. This gives you a string; copy it. Then go to the myprofile section again by re-registering your user account, open inspect element, go to Storage, and replace the value of the encoded payload entry with the string you just copied. Then click the "provide feedback" section in the web app, after which you get a shell in your listener.
Note: set up your listener first.
When you get the shell back, use the following command to get your flag
[Severity 9] Components With Known Vulnerabilities - Intro
Just information you can read and solve on your own.
[Severity 9] Components With Known Vulnerabilities - Exploit
Just information you can read and solve on your own.
[Severity 9] Components With Known Vulnerabilities - Lab
This is found by first googling "cse bookstore exploit" and looking for the exploit; in my case the exploit is this one:
link: https://www.exploit-db.com/exploits/47887
Download it and try to run it. Note: this is a python3 exploit, so use the following command:
python3 47887.py
This shows an error about the URL, so use the following command instead:
python3 47887.py http://machine_ip_here
It will try to exploit the target and then ask you whether to launch the shell. Press y and you have a shell; now use the following command to get the answer to the question:
command: wc -c /etc/passwd
This shows you the answer.
[Severity 10] Insufficient Logging and Monitoring
This is found in the login.txt file that you download. There you see that one IP makes more than one login attempt in a short period of time, with different user accounts.
This attack is used for cracking usernames and passwords; attackers make such requests to the web app for that purpose.
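The pattern to spot in login.txt is one IP cycling through several accounts within seconds. The following added example (not the room's file or code; the log lines and their column layout are constructed) parses such a log and flags any IP with a burst of failed logins inside a sliding time window, reporting the accounts it tried:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed layout: "<ISO timestamp> <username> <client IP> <status>".
SAMPLE_LOG = """\
2019-03-12T15:43:01Z jr22 10.10.14.55 FAIL
2019-03-12T15:43:02Z admin 10.10.14.55 FAIL
2019-03-12T15:43:04Z administrator 10.10.14.55 FAIL
2019-03-12T15:43:05Z anonymous 10.10.14.55 FAIL
2019-03-12T15:43:07Z root 10.10.14.55 FAIL
2019-03-12T15:44:10Z alice 10.10.14.99 FAIL
2019-03-12T15:44:40Z alice 10.10.14.99 OK
2019-03-12T16:10:00Z bob 10.10.14.23 OK
"""

def parse_log(text):
    """Turn each non-empty line into (timestamp, user, ip, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, status = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, status))
    return events

def find_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: sorted usernames tried} for every IP that has at least
    `threshold` failed logins inside some `window`-long interval.
    A single typo from a legitimate user (one FAIL then OK) stays below threshold."""
    fails = defaultdict(list)
    for ts, user, ip, status in sorted(events):
        if status != "OK":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until attempts[start..end] fits in it
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged
```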
Just information you can read and solve on your own.