THM Room: OWASP Top 10 Answers

Tasks 1 - 4
Just information you can read and solve on your own.
Task 5 (command injection practical)
Q1: What strange text file is in the website's root directory?
A: drpepper.txt
Q2: How many non-root/non-service/non-daemon users are there?
A: 0
Q3: What user is this app running as?
A: www-data
Q4: What is the user's shell set as?
A: /usr/sbin/nologin
Q5: What version of Ubuntu is running?
A: 18.04.4
This is found in the lsb-release file in the /etc/ directory.
Q6: Print out the MOTD. What favorite beverage is shown?
A: DR PEPPER
This is found with the command "locate motd", which lists every file with that name. The question hint mentions "00-header", and one of the listed files has that name, so cat (view) the content of that file and you will find the answer.
Task 7 (Broken Authentication Practical)
Q1: What is the flag that you found in Darren's account?
A: fe86079416a21a3c99937fea8874b667
Just follow the mentioned instruction in the task
Q2: What is the flag that you found in Arthur's account?
A: d9ac0f7db4fda460ac3edeb75d75e16e
Repeat the same process
Task 11 [Severity 3] Sensitive Data Exposure (Challenge)
Q1: What is the name of the mentioned directory?
A: /assets
Read the source of the website's login page; there is a comment left by the developer that mentions it.
Q2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
A: webapp.db
As covered in the previous section, this is a "flat-file" database stored directly on the disk of the server, so anyone who can reach the file can read it.
Q3: Use the supporting material to access the sensitive data. What is the password hash of the admin user?
A: 6eea9b7ef19179a06954edd0f6c05ceb
Follow the steps given in the supporting material for opening the database file and dumping its contents; use the name of this database (webapp.db) in the command and dump the users entries to see the admin hash.
Q4: What is the admin's plaintext password?
A: qwertyuiop
Go to the CrackStation website, paste the hash, and it returns the password.
Q5: Login as the admin. What is the flag?
A: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
Log in to the website with the username admin and the password qwertyuiop; once you are in the admin account, the flag is shown.
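Why the hash in Q3 falls to a simple lookup, and what the developer should have stored instead. This is an added example, not code from the room or the webapp; the wordlist is constructed, and only the MD5 digest is taken from the task.

```python
import hashlib
import os
from typing import Optional, Tuple

ADMIN_MD5 = "6eea9b7ef19179a06954edd0f6c05ceb"   # hash from this task
WORDLIST = ["password", "123456", "letmein", "qwertyuiop", "admin123"]  # constructed
ITERATIONS = 200_000

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def crack_md5(target_hex: str, wordlist) -> Optional[str]:
    """Unsalted MD5 is a pure function of the password, so a precomputed
    table (which is all a site like CrackStation is) recovers it instantly."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hashlib.sha256(candidate).digest() == hashlib.sha256(digest).digest()

def same_password_same_hash(password: str) -> bool:
    """Two users with the same password get different stored values,
    so no single lookup table can serve both (unlike plain MD5)."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 == d2

if __name__ == "__main__":
    print("MD5 lookup:", crack_md5(ADMIN_MD5, WORDLIST))
    salt, digest = hash_password("qwertyuiop")
    print("PBKDF2 verify:", verify_password("qwertyuiop", salt, digest))
    print("Same hash for same password?", same_password_same_hash("qwertyuiop"))
```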
Task 16 [Severity 4] XML External Entity - Exploiting
Q3: What is the name of the user in /etc/passwd?
A: falcon
Q4: Where is Falcon's SSH key located?
A: /home/falcon/.ssh/id_rsa
Q5: What are the first 18 characters for Falcon's private key?
A: MIIEogIBAAKCAQEA7b
Task 18 [Severity 5] Broken Access Control (IDOR Challenge)
Q3: Look at other users' notes. What is the flag?
A: flag{fivefourthree}
This can be found by changing the value of the note parameter to 0, like this: http://{machine IP}/note.php?note=0
Task 19 [Severity 6] Security Misconfiguration
Q2: Hack into the webapp, and find the flag!
A: thm{4b9513968fd564a87b28aa1f9d672e17}
Search for the webapp's name on Google; the results include its GitHub page, where you will find the default username and password.
Task 20 [Severity 7] Cross-site Scripting
Q2: Navigate to http://MACHINE_IP/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".
A: ThereIsMoreToXSSThanYouThink
First, register an account in the webapp, then open the "Reflected XSS" tab from the menu bar at the top of the page and enter the payload described in the task:
payload = <script>alert("Hello World")</script>
Q3: On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
A: ReflectiveXss4TheWin
This can be found by using the script described in the hint:
<script>alert(window.location.hostname)</script>
Hint: In JavaScript, window.location.hostname will show your hostname; in this case, your deployed machine's hostname will be its IP.
That will do the trick.
Q4: Now navigate to http://10.10.251.222/ in your browser and click on the "Stored XSS" tab on the navbar; make an account.
Then add a comment and see if you can insert some of your own HTML.
A: HTML_T4gs
Insert some HTML tags in the comment box; the following HTML code works, or use it as a reference:
<html>
<title>
You are being Hacked
</title>
<body>
<b>Happy</b><i>Hacking</i>
</body>
</html>
This is the HTML code that does the trick for me.
Q5: On the same page, create an alert popup box to appear on the page with your document cookies.
A: W3LL_D0N3_LVL2
This flag can be found by adding a script to the comment that calls alert with "document.cookie"; this pops up the cookie in an alert box:
script : <script>alert(document.cookie)</script>
This will do the trick.
Q6: Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.
A: websites_can_be_easily_defaced_with_xss
We get this flag by pasting the script from the hint into the comment box; the answer is then shown on the page after question 3:
script : <script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
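The reflected (Q2, Q3) and stored (Q4 to Q6) payloads above all work for the same reason: the page inserts user text straight into its HTML. This added example, which is not code from the room's playground, shows a minimal server-side render in both forms; the sample comments are constructed and the page template is assumed.

```python
import html

# Constructed comments, including the payloads used in this task.
SAMPLE_COMMENTS = [
    "Nice playground!",
    "<b>Happy</b><i>Hacking</i>",
    "<script>alert(document.cookie)</script>",
    "<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>",
]

# Assumed page layout: a title the stored payload rewrites, a reflected search
# keyword, and the list of stored comments.
PAGE = '<h1 id="thm-title">XSS Playground</h1>\n<h2>Results for: {keyword}</h2>\n{comments}'

def render_vulnerable(keyword: str, comments) -> str:
    """Both bugs from this task: the keyword is reflected verbatim and the stored
    comments are concatenated as-is, so tags and scripts become live markup."""
    body = "\n".join(f'<div class="comment">{c}</div>' for c in comments)
    return PAGE.format(keyword=keyword, comments=body)

def render_safe(keyword: str, comments) -> str:
    """Output encoding for the HTML body context: html.escape turns <, >, &
    and quotes into entities, so the browser displays the text instead of
    parsing it. Attribute and JavaScript contexts need their own encoders."""
    safe = lambda s: html.escape(s, quote=True)
    body = "\n".join(f'<div class="comment">{safe(c)}</div>' for c in comments)
    return PAGE.format(keyword=safe(keyword), comments=body)

def has_script_tag(rendered: str) -> bool:
    """Crude indicator for the demonstration: a raw <script> survived into the output."""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    reflected = "<script>alert('Hello')</script>"
    print("vulnerable executes script:", has_script_tag(render_vulnerable(reflected, SAMPLE_COMMENTS)))
    print("hardened executes script:  ", has_script_tag(render_safe(reflected, SAMPLE_COMMENTS)))
```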
Task 21 [Severity 8] Insecure Deserialization
Q1: Who developed the Tomcat application?
A: the Apache Software Foundation
Search Google for "tomcat developer" or check the Tomcat Wikipedia page. Note: this is the organisation's name, not a person's name.
Q2: What type of attack that crashes services can be performed with insecure deserialization?
A: denial of services
Task 22 [Severity 8] Insecure Deserialization - Objects
Q1: If a dog was sleeping, would this be:
A: a behaviour
Task 23 [Severity 8] Insecure Deserialization - Deserialization
Q1: What is the name of the base-2 formatting that data is sent across a network as?
A: binary
Task 24 [Severity 8] Insecure Deserialization - Cookies
Q1: If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
A: webapp.com/login
Q2: What is the acronym for the web technology that Secure cookies work over?
A: https
Task 25 [Severity 8] Insecure Deserialization - Cookies Practical
Q1: 1st flag (cookie value)
A: THM{good_old_base64_huh}
After registering and logging in, open the browser's developer tools (inspect element) and go to the Storage tab. Among the cookie columns you will see sessionId, whose value is base64 encoded. Copy the whole string and decode it with the following command in a Kali Linux terminal:
command: echo '{your cookie string here}' | base64 -d
This decodes the string, and the flag is in the decoded output.
Q2: 2nd flag (admin dashboard)
A: THM{heres_the_admin_flag}
In the Storage tab of inspect element, change the userType value to admin, like this:
userType | admin
Then change the URL to http://machine_ip/admin; you land on the admin page, where you will find the flag.
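The two flags in this task exist because the session cookie is only base64 encoded, never signed, so the server trusts whatever userType the browser sends back. This added example, not code from the room's webapp, reproduces that cookie with a constructed session and then shows the HMAC-signed form that rejects the edit; the secret key and cookie layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed session, modelled on the sessionId cookie in this task.
SESSION = {"username": "tester", "userType": "user"}
SECRET_KEY = b"replace-with-a-random-server-secret"  # placeholder, assumed

def encode_cookie(session: dict) -> str:
    """What the vulnerable app does: base64 of the JSON, nothing more."""
    return base64.b64encode(json.dumps(session).encode()).decode()

def decode_cookie(cookie: str) -> dict:
    """Equivalent to: echo '<cookie>' | base64 -d"""
    return json.loads(base64.b64decode(cookie))

def edit_cookie(cookie: str, **changes) -> str:
    """The Q2 step done in the Storage tab: decode, change userType, re-encode.
    The server has no way to tell this apart from a cookie it issued."""
    session = decode_cookie(cookie)
    session.update(changes)
    return encode_cookie(session)

def sign_cookie(session: dict) -> str:
    """Hardened form: payload.mac, where mac = HMAC-SHA256(secret, payload)."""
    payload = base64.urlsafe_b64encode(json.dumps(session).encode()).decode()
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the session only if the MAC matches the payload; None otherwise."""
    try:
        payload, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

if __name__ == "__main__":
    plain = encode_cookie(SESSION)
    print("edited, unsigned:", decode_cookie(edit_cookie(plain, userType="admin")))
    signed = sign_cookie(SESSION)
    payload, mac = signed.rsplit(".", 1)
    forged = sign_cookie({**SESSION, "userType": "admin"}).split(".")[0] + "." + mac
    print("edited, signed:  ", verify_cookie(forged))
```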
Task 26 [Severity 8] Insecure Deserialization - Code Execution
Q: flag.txt
A: 4a69a7ff9fd68
Follow the steps described in the room: download the exploit, change the IP value in it to your own, and run it; it outputs a string, which you copy. Then go back to the "my profile" section (re-register your user account if needed), open inspect element, go to Storage, and replace the value of the encoded payload cookie with the string you copied. Click the "provide feedback" section in the webapp, and a shell comes back to your listener.
Note: set up your listener first.
When you get the shell back, use the following command to get your flag:
cat /home/cmnatic/flag.txt
Task 27 [Severity 9] Components With Known Vulnerabilities - Intro
Just information you can read and solve on your own.
Task 28 [Severity 9] Components With Known Vulnerabilities - Exploit
Just information you can read and solve on your own.
Task 29 [Severity 9] Components With Known Vulnerabilities - Lab
Q1: How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)
A: 1611
Search Google for "cse bookstore exploit" to find a suitable exploit; in my case the exploit is this one:
link: https://www.exploit-db.com/exploits/47887
Download it and run it. Note that this is a python3 exploit, so use the following command:
python3 47887.py
This shows an error about a missing URL, so use the following command instead:
python3 47887.py http://machine_ip_here
The script attempts the exploit and then asks whether to launch the shell. Press y
and you have a shell; use the following command to get the answer to the question:
command: wc -c /etc/passwd
This shows the answer.
Task 30 [Severity 10] Insufficient Logging and Monitoring
Q1: What IP address is the attacker using?
A: 49.99.13.16
This is found in the login.txt file that you download: that IP makes many login attempts in a short period of time, each against a different user account.
Q2: What kind of attack is being carried out?
A: brute force
A brute-force attack guesses usernames and passwords by sending many login requests to the webapp in quick succession, which is exactly the pattern visible in the log.
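The pattern you spot by eye in login.txt (one source IP, several failed logins against different accounts within seconds) is easy to turn into a detection rule. This added example, not part of the room, runs such a rule over constructed log lines in an assumed "timestamp ip user result" layout; the attacker IP is the one from this task, the rest is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not the room's login.txt): date time source-IP username result
LOG_LINES = """\
2019-03-21 21:20:58 12.55.22.88 jr22 OK
2019-03-21 21:21:12 49.99.13.16 admin FAILED
2019-03-21 21:21:13 49.99.13.16 administrator FAILED
2019-03-21 21:21:14 49.99.13.16 anonymous FAILED
2019-03-21 21:21:15 49.99.13.16 root FAILED
2019-03-21 21:21:16 49.99.13.16 jr22 FAILED
2019-03-21 21:25:03 14.56.23.11 jr22 FAILED
2019-03-21 21:25:20 14.56.23.11 jr22 OK
"""

def parse_line(line: str):
    date, time, ip, user, result = line.split()
    return datetime.fromisoformat(f"{date} {time}"), ip, user, result

def detect_bruteforce(lines, window=timedelta(minutes=1), min_failures=4, min_users=3):
    """Flag source IPs with at least min_failures failed logins against at
    least min_users distinct accounts inside any sliding window of `window`.
    A single user mistyping a password once (14.56.23.11 above) is not flagged."""
    failures = defaultdict(list)           # ip -> [(timestamp, username), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "OK":
            failures[ip].append((ts, user))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = [u for t, u in events[i:] if t - start <= window]
            if len(users) >= min_failures and len(set(users)) >= min_users:
                findings[ip] = {"attempts": len(users), "accounts": sorted(set(users))}
                break
    return findings

if __name__ == "__main__":
    for ip, info in detect_bruteforce(LOG_LINES.splitlines()).items():
        print(f"brute force from {ip}: {info['attempts']} failures against {info['accounts']}")
```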
Task 31 What's Next?
Just information you can read and solve on your own.