# THM Room: OWASP Top 10 Answers


### Task 1 - 4

Just information you can read and solve on your own.

### Task 5 (command injection practical)

```
Q1:  What strange text file is in the website's root directory? 
A: drpepper.txt
```

```
Q2: How many non-root/non-service/non-daemon users are there?
A: 0
```

```
Q3: What user is this app running as?
A: www-data
```

```
Q4: What is the user's shell set as?
A: /usr/sbin/nologin
```

```
Q5: What version of Ubuntu is running?
A:  18.04.4
```

This is found by reading the `lsb-release` file in the `/etc/` directory.

```
Q6: Print out the MOTD. What favorite beverage is shown?
A: DR PEPPER
```

This is found with the command `locate motd`. It lists the files with that name; the question hint mentions `00-header`, and one of the listed files has that name, so just cat/view the contents of that file and you will find the answer.

### Task 7 (Broken Authentication Practical)

```
Q1: What is the flag that you found in Darren's account? 
A:  fe86079416a21a3c99937fea8874b667
```

Just follow the instructions given in the task.

```
Q2: What is the flag that you found in Arthur's account?
A:  d9ac0f7db4fda460ac3edeb75d75e16e
```

Repeat the same process.

### Task 11 `[Severity 3]` Sensitive Data Exposure (Challenge)

```
Q1: What is the name of the mentioned directory?
A: /assets
```

Read the source of the website's login page; there is a comment left by the developer.

```
Q2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
A: webapp.db
```

As we learned in the previous section, this is a "flat\_file" database stored on the disk of the server.

```
Q3: Use the supporting material to access the sensitive data. What is the password hash of the admin user?
A: 6eea9b7ef19179a06954edd0f6c05ceb
```

This is found by following the steps shown earlier for accessing the database file and dumping its contents; just replace the table name in the command with the users table of this database.

```
Q4: What is the admin's plaintext password?
A: qwertyuiop
```

Go to the `crackstation` website and paste the hash; it gives you the password.

```
Q5: Login as the admin. What is the flag?
A: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
```

Log in to the website with the username `admin` and password `qwertyuiop`; you are now logged into the admin account and the flag is shown.

### Task 16 `[Severity 4]` XML External Entity - Exploiting

```
Q3: What is the name of the user in /etc/passwd
A: falcon
```

```
Q4: Where is Falcon's SSH key located?
A: /home/falcon/.shh/id_rsa
```

```
Q5: What are the first 18 characters for Falcon's private key
A: MIIEogIBAAKCAQEA7b
```

### Task 18 `[Severity 5]` Broken Access Control (IDOR Challenge)

```
Q3: Look at other users' notes. What is the flag?
A: flag{fivefourthree} 
```

This can be found by changing the value of the `note` parameter to 0, like this: `http://{machine IP}/note.php?note=0`

### Task 19 `[Severity 6]` Security Misconfiguration

```
Q2: Hack into the webapp, and find the flag!
A: thm{4b9513968fd564a87b28aa1f9d672e17}
```

This can be found by first searching for the webapp's name on Google, which leads you to the `GitHub` page for this webapp. There you will find the default username and password.

### Task 20 `[Severity 7]` Cross-site Scripting

```
Q2: Navigate to http://MACHINE_IP/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".
A: ThereIsMoreToXSSThanYouThink
```

First, you have to register an account in the webapp. Then go to the reflected `xss` tab (you find it on the menu bar at the top) and paste the payload described earlier, which is:

`payload = <script>alert("Hello World")</script>`

```
Q3: On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
A: ReflectiveXss4TheWin
```

This can be found by using the script described in the hint, which is the following:

`<script>alert(window.location.hostname)</script>`

**Hint: In JavaScript `window.location.hostname` will show your `hostname`, in this case, your deployed machine's `hostname` will be its IP.**

That will do the trick.

```
Q4: Now navigate to http://10.10.251.222/ in your browser and click on the "Stored XSS" tab on the navbar; make an account.
Then add a comment and see if you can insert some of your own HTML.
A: HTML_T4gs
```

This is done by putting some HTML tags in the comment box. The following HTML does the trick; you can also take it as a reference:

```html
<html>
    <title>
        You are being Hacked
    </title>
    <body>
        <b>Happy</b><i>Hacking</i>
    </body>
</html>
```

This is the `HTML code` that does the trick for me.

```
Q5: On the same page, create an alert popup box to appear on the page with your document cookies.
A: W3LL_D0N3_LVL2
```

This flag can be found by adding a script to the comment that reads `document.cookie`; this pops up the cookie in an alert:

`script : <script>alert(document.cookie)</script>`

This will do the trick

```
Q6: Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.
A: websites_can_be_easily_defaced_with_xss
```

We get this flag by putting the hint script in the comment box; the answer is then shown on the page after question 3.

script : `<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>`
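The reflected and stored XSS tasks above all work because the page inserts the comment text straight into its HTML. The following is an added example (not code from the room or from TryHackMe) showing, in Python, the difference between a template that concatenates user input and one that HTML-escapes it first. The page template, the `#thm-title` heading and the sample comments are constructed for this illustration; the comments include the payloads quoted in this writeup so you can see they are rendered as inert text once escaped.

```python
import html

# Constructed sample comments, including the payloads quoted in this writeup.
SAMPLE_COMMENTS = [
    "Happy Hacking",
    "<b>Happy</b><i>Hacking</i>",
    "<script>alert(document.cookie)</script>",
    "<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>",
]

# Hypothetical page template modelled on the "XSS Playground" page in the room.
PAGE_TEMPLATE = '<h1 id="thm-title">XSS Playground</h1>\n<div class="comment">{comment}</div>'


def render_unsafe(comment: str) -> str:
    """Vulnerable: the comment is placed into the HTML unchanged, so tags and
    <script> blocks in it are interpreted by the browser."""
    return PAGE_TEMPLATE.format(comment=comment)


def render_safe(comment: str) -> str:
    """Hardened: HTML-escape the comment (including quotes) so the browser
    shows it as text. Apply this at output time, for every untrusted value."""
    return PAGE_TEMPLATE.format(comment=html.escape(comment, quote=True))


def has_active_markup(rendered: str) -> bool:
    """Crude check used only to illustrate the difference: does the comment
    area of the rendered page still contain a raw '<' that the browser
    would parse as a tag?"""
    comment_area = rendered.split('<div class="comment">', 1)[1]
    return "<" in comment_area.replace("</div>", "")


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("unsafe:", has_active_markup(render_unsafe(c)),
              "| safe:", has_active_markup(render_safe(c)))
        print(render_safe(c).splitlines()[1])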

### Task 21 `[Severity 8]` Insecure Deserialization

```
Q1: Who developed the Tomcat application?
A: the Apache Software Foundation
```

This will find by google tomcat developer and they show the name and also see the Tomcat wiki **Note This is the company name, not the person's name**

```
Q2: What type of attack that crashes services can be performed with insecure deserialization?
A: denial of services
```

### Task 22 `[Severity 8]` Insecure Deserialization - Objects

```
Q1: if a dog was sleeping, would this be:
A: a behaviour
```

### Task 23 `[Severity 8]` Insecure Deserialization - Deserialization

```
Q1:  What is the name of the base-2 formatting that data is sent across a network as?  
A: binary
```

### Task 24 `[Severity 8]` Insecure Deserialization - Cookies

```
Q1:  If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be? 
A: webapp.com/login
```

```
Q2: What is the acronym for the web technology that Secure cookies work over?
A: https
```

### Task 25 `[Severity 8]` Insecure Deserialization - Cookies Practical

```
 Q1: 1st flag (cookie value) 
 A: THM{good_old_base64_huh}
```

This will be found by going to the inspect element mode of the machine after registration and login and going to storage in the inspect mode there are a lot of columns there you will see the `sessionid` column whose value is base64 encoded just copy all string and use it with the following command in kali linux terminal

command: `echo '{you cookie string here}' | base64 -d`

this will decode the string and in the output of the decoded data there you find that string

```
 Q2: 2nd flag (admin dashboard)
 A: THM{heres_the_admin_flag} 
```

This will find by first changing the `userType` value in the inspect element of the storage menu with admin like this

`userType`| `admin`

After that change the url to `http://machine_ip/admin` there you will go to the admin page and there you find that flag

### Task 26 `[Severity 8]` Insecure Deserialization - Code Execution

**Q: flag.txt**

```
A: 4a69a7ff9fd68
```

This will find by first following the step describes in the room first download the exploit and change its value with your IP and run the exploit this gives you a string just copy the string. After that go to the `myprofile` section again by re-register your user account and then go to inspect element and then storage their you have to change the value of the `encoded payload` section with the value you just copy and then click on the provide feedback section in webapp after that you will find you a shell in your listener

**Note setup your listener first**

When you get the shell back use the following command to get your flag

```bash
cat /home/cmnatic/flag.txt
```

### Task 27 `[Severity 9]` Components With Known Vulnerabilities - Intro

Just information you can read and solve on your own.

### Task 28 `[Severity 9]` Components With Known Vulnerabilities - Exploit

Just information you can read and solve on your own.

### Task 29 `[Severity 9]` Components With Known Vulnerabilities - Lab

```
 Q1:  How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) 
 A: 1611 
```

This will be found by first Google it `cse bookstore exploit` and trying to find the exploit in my case exploit is this

link: `https://www.exploit-db.com/exploits/47887`

Download it and try to run this. Note this is a `python3` exploit use the following command

`python3 47887.py`

This will show you an error about url so use the following command instead

`python3 47887.py http://machine_ip_here`

So they will try to exploit it and they will ask you to launch the shell here. Press `y` and you have a shell now so use the following command to get the answer to the question

command: `wc -c /etc/passwd`

This will show you the answer

### Task 30 `[Severity 10]` Insufficient Logging and Monitoring

```
 Q1: What IP address is the attacker using?
 A: 49.99.13.16
```

This will find in the `login.txt` file that you download. There you see that IP tries more than one login attempt and that occurs in a short period of time with different user accounts

```
 Q2: What kind of attack is being carried out?
 A: brute force
```

This attack is used for cracking the username and password attackers use this attack for making such requests to the webapp

### Task 31 What's Next?

Just information you can read and solve on your own.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://w4h33d.gitbook.io/hack-notes/writeups/tryhackme/thm-room-owasp-top-10-answers.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
