THM Room: OWASP Top 10 Answers

Task 1 - 4

Just information you can read and solve on your own.

Task 5 (command injection practical)

Q1:  What strange text file is in the website's root directory? 
A: drpepper.txt

Q2: How many non-root/non-service/non-daemon users are there?
A: 0

Q3: What user is this app running as?
A: www-data

Q4: What is the user's shell set as?
A: /usr/sbin/nologin

Q5: What version of Ubuntu is running?
A:  18.04.4

This is found by seeing the lsb-release file in the /etc/ directory

 Q6: Print out the MOTD.  What favorite beverage is shown?
 A:  DR PEPPER

This is found in this command "locate motd" They show you a list of file that has this name but in the Question hint we have "00-header" and one of the files have this name so just cat/view the content of that file and you found that answer

Task 7 (Broken Authentication Practical)

Q1: What is the flag that you found in Darren's account? 
A:  fe86079416a21a3c99937fea8874b667

Just follow the mentioned instruction in the task

Q2: What is the flag that you found in Arthur's account?
A:  d9ac0f7db4fda460ac3edeb75d75e16e

Repeat the same process

Task 11 [Severity 3] Sensitive Data Exposure (Challenge)

Q1:What is the name of the mentioned directory? 
A: /assets

Read the source of the login page of the website there is a comment by the developer

Q2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
A: webapp.db

As we learned in the previous section about the "flat_file" database that is stored in the disk of the computer

Q3: Use the supporting material to access the sensitive data. What is the password hash of the admin user?
A: 6eea9b7ef19179a06954edd0f6c05ceb

This is found by following the previously mentioned step for assessing the database file and how to dump the file just replace the name of the database in the command with the user's directory in the database

Q4: What is the admin's plaintext password?
A: qwertyuiop

Go to the crackstation website and paste the hash and they give you the password

Q5: Login as the admin. What is the flag?
A: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}

Login with the username admin and password qwertyuiop in the website and your login into the admin account and they give you the flag

Task 16 [Severity 4] XML External Entity - Exploiting

Q3:What is the name of the user in /etc/passwd
A:falcon

Q4:Where is Falcon's SSH key located?
A:/home/falcon/.shh/id_rsa		

Q5:What are the first 18 characters for Falcon's private key
A: MIIEogIBAAKCAQEA7b

Task 18 [Severity 5] Broken Access Control (IDOR Challenge)

Q3: Look at other users' notes. What is the flag?
A: flag{fivefourthree} 

This can be found by changing the value of the parameter to 0 like this http://{machine IP}/note.php?note=0

Task 19 [Severity 6] Security Misconfiguration

Q2: Hack into the webapp, and find the flag!
A: thm{4b9513968fd564a87b28aa1f9d672e17}

This can be found by first searching for the webapp name on Google they show you the GitHub page for this webapp There you will find the default username and password

Task 20 [Severity 7] Cross-site Scripting

Q2: Navigate to http://MACHINE_IP/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".
A: ThereIsMoreToXSSThanYouThink

First, you have to register your account in the webapp and then you have to go to the reflected xss tab in the browser you find it on the menu bar on top and there you have to paste the payload that is described previously and that is

payload = <script>alert(“Hello World”)</script>

Q3: On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
A: ReflectiveXss4TheWin

This can be found by using the script describes in the hint and are following

<script>alert(window.location.hostname)</script>

Hint: In JavaScript window.location.hostname will show your hostname, in this case, your deployed machine's hostname will be its IP.

That will do the trick.

Q4 Now navigate to http://10.10.251.222/ in your browser and click on the "Stored XSS" tab on the navbar; make an account.
Then add a comment and see if you can insert some of your own HTML.
A: HTML_T4gs

This will be done by using some html tag on the comment box and they will do the trick using the following HTML Code or take this as a reference Code:

<html>
    <title>
	    You are being Hacked
    </title>
	<body>
		<b>Happy</b><i>Hacking</i>
	</body>
</html>

This is the HTML code that does the trick for me.

Q5: On the same page, create an alert popup box to appear on the page with your document cookies.
A: W3LL_D0N3_LVL2

This flag can be found by adding a script in the comment called "document.cookie" This will popup the cookie as an alert

script : <script>alert(document.cookie)</script>

This will do the trick

Q6: Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.
A: websites_can_be_easily_defaced_with_xss

We get this flag by using the hint script in the comment box and they will show the answer on the page after question no 3

script : <script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

Task 21 [Severity 8] Insecure Deserialization

Q1: Who developed the Tomcat application?
A: the Apache Software Foundation

This will find by google tomcat developer and they show the name and also see the Tomcat wiki Note This is the company name, not the person's name

Q2: What type of attack that crashes services can be performed with insecure deserialization?
A: denial of services

Task 22 [Severity 8] Insecure Deserialization - Objects

Q1: if a dog was sleeping, would this be:
A: a behaviour

Task 23 [Severity 8] Insecure Deserialization - Deserialization

Q1:  What is the name of the base-2 formatting that data is sent across a network as?  
A: binary

Task 24 [Severity 8] Insecure Deserialization - Cookies

Q1:  If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be? 
A: webapp.com/login

Q2: What is the acronym for the web technology that Secure cookies work over?
A: https

Task 25 [Severity 8] Insecure Deserialization - Cookies Practical

 Q1: 1st flag (cookie value) 
 A: THM{good_old_base64_huh}

This will be found by going to the inspect element mode of the machine after registration and login and going to storage in the inspect mode there are a lot of columns there you will see the sessionid column whose value is base64 encoded just copy all string and use it with the following command in kali linux terminal

command: echo '{you cookie string here}' | base64 -d

this will decode the string and in the output of the decoded data there you find that string

 Q2: 2nd flag (admin dashboard)
 A: THM{heres_the_admin_flag} 

This will find by first changing the userType value in the inspect element of the storage menu with admin like this

userType| admin

After that change the url to http://machine_ip/admin there you will go to the admin page and there you find that flag

Task 26 [Severity 8] Insecure Deserialization - Code Execution

Q: flag.txt

A: 4a69a7ff9fd68

This will find by first following the step describes in the room first download the exploit and change its value with your IP and run the exploit this gives you a string just copy the string. After that go to the myprofile section again by re-register your user account and then go to inspect element and then storage their you have to change the value of the encoded payload section with the value you just copy and then click on the provide feedback section in webapp after that you will find you a shell in your listener

Note setup your listener first

When you get the shell back use the following command to get your flag

cat /home/cmnatic/flag.txt

Task 27 [Severity 9] Components With Known Vulnerabilities - Intro

Just information you can read and solve on your own.

Task 28 [Severity 9] Components With Known Vulnerabilities - Exploit

Just information you can read and solve on your own.

Task 29 [Severity 9] Components With Known Vulnerabilities - Lab

 Q1:  How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) 
 A: 1611 

This will be found by first Google it cse bookstore exploit and trying to find the exploit in my case exploit is this

link: https://www.exploit-db.com/exploits/47887

Download it and try to run this. Note this is a python3 exploit use the following command

python3 47887.py

This will show you an error about url so use the following command instead

python3 47887.py http://machine_ip_here

So they will try to exploit it and they will ask you to launch the shell here. Press y and you have a shell now so use the following command to get the answer to the question

command: wc -c /etc/passwd

This will show you the answer

Task 30 [Severity 10] Insufficient Logging and Monitoring

 Q1: What IP address is the attacker using?
 A: 49.99.13.16

This will find in the login.txt file that you download. There you see that IP tries more than one login attempt and that occurs in a short period of time with different user accounts

 Q2: What kind of attack is being carried out?
 A: brute force

This attack is used for cracking the username and password attackers use this attack for making such requests to the webapp

Task 31 What's Next?

Just information you can read and solve on your own.