TryHackMe: OWASP Top 10 Challenge [Part 3]

AnonyViet by AnonyViet
January 25, 2023
in Security

Continuing from part 2, in this article I will guide you through exploiting the OWASP vulnerabilities Insecure Deserialization, Components With Known Vulnerabilities, and Insufficient Logging & Monitoring in the OWASP Top 10 challenge.

Mission 21: [Severity 8] Insecure Deserialization

What applications are vulnerable?

Any application that stores or fetches data for which no authentication or integrity check is applied to the queried or stored data. Some examples of applications of this nature are:

  • E-commerce website
  • Forum
  • API
  • Application runtimes (Tomcat, Jenkins, JBoss, …)

You can learn more about Insecure Deserialization here.

#1 Who developed the Tomcat application?

Answer: Apache Software Foundation

#2 What kind of attack that crashes services can be performed through insecure deserialization?

This definition is still quite broad, but it can be understood like this: insecure deserialization means replacing the data processed by the application with malicious content. That allows anything from DoS (Denial of Service) to RCE (Remote Code Execution), which an attacker can use to gain a foothold during a pentest.

Answer: Denial of Service

Mission 22: [Severity 8] Insecure Deserialization — Objects

#1 Choose the correct term for the following sentence:

if a dog was sleeping, would this be:

A) A State
B) A Behaviour

Answer: A Behaviour

Mission 23: [Severity 8] Insecure Deserialization — Deserialization

Suppose a program produces the password “password123” and it needs to be stored in a database on another system. To travel across the network, this string has to be serialised into a binary form. Of course, the password needs to end up stored as “password123” and not as its binary string, so when it reaches the database it is deserialised back into “password123” before being stored.

#1 What is the name of the base 2 format in which data is sent over the network?

Answer: binary

Mission 24: [Severity 8] Insecure Deserialization — Cookies

#1 If the cookie has a path of webapp.com/login, what is the URL the user has to visit?

Answer: webapp.com/login

#2 What is the acronym for the web technology that Secure cookies work on?

Answer: Https

Mission 25: [Severity 8] Insecure Deserialization — Cookies Practical

I will log in to a website like the one below.

Create an account. There is no need to enter real details; you can enter whatever you like.

Notice on the right, you have your details.

Right click on the page and hit “Inspect Element” then go to the “Storage” tab.

Check the encoded data

You will see here that there are both plaintext and base64 encoded cookies. The first flag will be found in one of these cookies.

Answer: THM{good_old_base64_huh}

Modify cookie value

Notice here that you have a cookie named “userType”. You are now a user, as confirmed by your information on the “myprofile” page.

This application defines what you can and cannot see by your userType. What if you want to be an administrator?

Double-click the “Value” column of “userType” to edit its content. Let’s change our userType to “admin” and navigate to http://10.10.83.1/admin to get the second flag.

Answer: THM{heres_the_admin_flag}

Mission 26: [Severity 8] Insecure Deserialization — Code Execution

1. First, change the value of the userType cookie from “admin” back to “user” and return to http://10.10.83.1/myprofile.

2. Then click the URL under “Exchange your vim” in the screenshot below.

3. Next, click the URL under “Provide your feedback!” to reach a page like this:

#1 flag.txt

4. Change the netcat IP.

5. Use the command nano rce.py and swap tryhackmyIP for the IP of that website.

6. Paste this into the “encodedPayload” cookie in your browser:

7. Make sure netcat is still running:

8. Refresh the page. It will hang; go back to netcat:

Answer: 4a69a7ff9fd68
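The two weaknesses used in Missions 25 and 26 share one root cause: the server reads state out of a cookie the client fully controls, first as a plain or base64 value (userType) and then as a serialised object (encodedPayload) that a code-executing deserialiser turns back into an object. The Python below is an added example, not part of the original write-up or of the TryHackMe lab. It shows the defender's side of both: a cookie-jar inspector that reports which values are merely base64 (constructed sample cookies, not the lab's), and a signed-cookie scheme in which the server authenticates the cookie with an HMAC and parses only JSON, so that a browser edit of userType is rejected before any deserialiser runs. SECRET, SAMPLE_COOKIES, make_session_cookie and the other names are my own, not the lab's.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed sample cookie jar, modelled on what the Storage tab shows:
# a few plain values plus one base64 value (example data, not the lab's real cookies).
SAMPLE_COOKIES = {
    "sessionId": "a3f1c9",
    "userType": "user",
    "encodedPayload": base64.b64encode(
        b'{"name": "demo", "email": "demo@example.com"}'
    ).decode(),
}

# Constructed secret; a real application loads this from server-side configuration.
SECRET = b"server-side-secret-key"


def decode_if_base64(value: str):
    """Return the decoded text if value is valid base64 that yields printable text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def inspect_cookies(cookies: dict) -> dict:
    """Classify each cookie as plain or base64 and show what it decodes to.

    Base64 is an encoding, not encryption: anything found here is readable and editable
    by the user, so the server must never treat it as trusted state.
    """
    report = {}
    for name, value in cookies.items():
        decoded = decode_if_base64(value)
        report[name] = {
            "encoding": "base64" if decoded is not None else "plain",
            "decoded": decoded if decoded is not None else value,
        }
    return report


def make_session_cookie(claims: dict, secret: bytes = SECRET) -> str:
    """Serialise claims as JSON and bind them to the server with an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_session_cookie(cookie: str, secret: bytes = SECRET):
    """Verify the tag before parsing; JSON only, so the payload cannot carry executable objects.

    The lab's vulnerable pattern is the opposite order: decode the cookie and hand it straight
    to a deserialiser that can execute code, with no integrity check at all.
    """
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged cookie
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, binascii.Error):
        return None


def tamper_user_type(cookie: str, new_type: str) -> str:
    """Simulate the browser edit from Mission 25: change userType but keep the original tag."""
    body, tag = cookie.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["userType"] = new_type
    new_body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{new_body}.{tag}"


if __name__ == "__main__":
    for name, info in inspect_cookies(SAMPLE_COOKIES).items():
        print(f"{name}: {info['encoding']} -> {info['decoded']}")
    cookie = make_session_cookie({"userType": "user", "name": "demo"})
    print("valid cookie loads as:", load_session_cookie(cookie))
    print("edited cookie loads as:", load_session_cookie(tamper_user_type(cookie, "admin")))
```

The inspector is the check to run on any application you assess: a base64 value in the Storage tab is not a secret, and a privilege decision keyed on such a value is the Mission 25 bug. The signed cookie fixes the trust direction, and parsing JSON rather than a native object format removes the Mission 26 code-execution path even if an attacker does obtain a valid tag.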

Mission 29: [Severity 9] Components With Known Vulnerabilities — Lab

#1 How many characters are in /etc/passwd? (Use wc -c /etc/passwd for the answer.)

Visiting the website, we see that it is an ordinary bookstore site.

I did a bit of research on vulnerabilities found in online bookstore sites and found this.

Answer: 1611

Mission 30: [Severity 10] Insufficient Logging & Monitoring

We have to download the login-logs.txt file. Click download and save the file.

#1 What IP address is the attacker using?

We can use cat login-logs.txt to see all the log entries.

There is one IP address constantly accessing the system with different usernames.

Answer: 49.99.13.16

#2 What kind of attack is being performed?

HTTP 401 indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.

So I think it’s a brute force attack, because we see someone repeatedly trying a password with different usernames.

Answer: Brute Force
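Reading login-logs.txt by eye works for a small file, but the same reasoning (many 401s from one source, spread over several usernames) is what a monitoring rule should encode. The Python below is an added example, not part of the original write-up or of the TryHackMe room. It parses a constructed, simplified login-log format (status, client IP, username, timestamp; the lab file has its own layout, so adjust LOG_LINE to match it), then flags any source IP whose failed-login count and distinct-username count both pass a threshold. The sample lines, the thresholds and the function names are my own; the attacker IP in the sample is the one the write-up identifies.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified format: "<status> <reason> <ip> <user> <timestamp>".
# These lines are made up for the example; only the 49.99.13.16 address comes from the write-up.
SAMPLE_LOG = """\
200 OK 12.55.22.88 jr22 2019-03-20T10:23:44
200 OK 7.8.9.10 ahm1 2019-03-20T10:25:12
401 Unauthorized 49.99.13.16 admin 2019-03-20T10:30:01
401 Unauthorized 49.99.13.16 administrator 2019-03-20T10:30:02
401 Unauthorized 49.99.13.16 anonymous 2019-03-20T10:30:03
401 Unauthorized 49.99.13.16 root 2019-03-20T10:30:04
401 Unauthorized 49.99.13.16 test 2019-03-20T10:30:05
200 OK 12.55.22.88 jr22 2019-03-20T11:01:09
401 Unauthorized 12.55.22.88 jr22 2019-03-20T11:05:40
"""

# One regex for the constructed format above; change this to fit the real file's columns.
LOG_LINE = re.compile(
    r"^(?P<status>\d{3}) \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<ts>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn raw log text into a list of dicts, silently skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append(
                {"status": int(m["status"]), "ip": m["ip"], "user": m["user"], "ts": m["ts"]}
            )
    return entries


def find_bruteforce_sources(entries: list, max_failures: int = 3, min_distinct_users: int = 2) -> list:
    """Flag IPs with more than max_failures 401s spread over at least min_distinct_users usernames.

    The distinct-user condition separates a brute-force or spraying source from a single
    legitimate user who mistyped a password a few times (the 12.55.22.88 line in the sample).
    """
    failures = defaultdict(list)
    for e in entries:
        if e["status"] == 401:
            failures[e["ip"]].append(e["user"])
    hits = []
    for ip, users in failures.items():
        distinct = set(users)
        if len(users) > max_failures and len(distinct) >= min_distinct_users:
            hits.append(
                {
                    "ip": ip,
                    "failures": len(users),
                    "distinct_users": len(distinct),
                    "usernames": sorted(distinct),
                }
            )
    return sorted(hits, key=lambda h: h["failures"], reverse=True)


if __name__ == "__main__":
    for hit in find_bruteforce_sources(parse_log(SAMPLE_LOG)):
        print(f"{hit['ip']}: {hit['failures']} failures across {hit['distinct_users']} usernames "
              f"({', '.join(hit['usernames'])})")
```

With real data you would also window the counts by time (for example per five minutes) so a slow, long-running attempt and a burst are both caught, and raise an alert rather than only printing; the grouping logic stays the same.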

So this series is done. Are you looking forward to other series? You can also see more TryHackMe challenges here.
