TryHackMe : OWASP Top 10 [Part 1]

6 min readNov 5, 2020

“Today we will be looking at OWASP Top 10 from TryHackMe. Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks. ”

I plan to finish this part in 3 days. So I’ll present it to you in the form of 3 parts. I think we’ll learn better this way.

I’ll just do the practical parts, skip the other technical information. You can enter the room and read the technical parts yourself.

Task 5 : [Severity 1] Command Injection Practical

What is Active Command Injection?

Blind command injection occurs when the system command made to the server does not return the response to the user in the HTML document. Active command injection will return the response to the user. It can be made visible through several HTML elements.

Let’s consider a scenario: EvilCorp has started development on a web based shell but has accidentally left it exposed to the Internet. It’s nowhere near finished but contains the same command injection vulnerability as before! But this time, the response from the system call can be seen on the page! They’ll never learn!

Just like before, let’s look at the sample code from evilshell.php and go over what it’s doing and why it makes it active command injection. See if you can figure it out. I’ll go over it below just as before.

EvilShell (evilshell.php) Code Example

In pseudocode, the above snippet is doing the following:

1. Checking if the parameter “commandString” is set

2. If it is, then the variable $command_string gets what was passed into the input field

3. The program then goes into a try block to execute the function passthru($command_string). You can read the docs on passthru() on PHP’s website, but in general, it is executing what gets entered into the input then passing the output directly back to the browser.

4. If the try does not succeed, output the error to page. Generally this won’t output anything because you can’t output stderr but PHP doesn’t let you have a try without a catch.

Ways to Detect Active Command Injection

We know that active command injection occurs when you can see the response from the system call. In the above code, the function passthru() is actually what’s doing all of the work here. It’s passing the response directly to the document so you can see the fruits of your labor right there. Since we know that, we can go over some useful commands to try to enumerate the machine a bit further. The function call here to passthru() may not always be what’s happening behind the scenes, but I felt it was the easiest and least complicated way to demonstrate the vulnerability.

Commands to try

Linux

whoami
id
ifconfig/ip addr
uname -a
ps -ef

Windows

whoami
ver
ipconfig
tasklist
nestat -an
To complete the questions below, navigate to http://10.10.147.50/evilshell.php.

#1 What strange text file is in the website root directory?

We can visit evilshell.php

We can try whoami command.

We can try uname -a command.

Machine has linux operating system.

We can try ls command.

We can find drpepper.txt

ans : drpepper.txt

#2 How many non-root/non-service/non-daemon users are there?

We can try cat /etc/passwd

don’t have any.

ans : 0

#3 What user is this app running as?

We found it upstairs, but let’s write the whoami command again.

ans : www-data

#4 What is the user’s shell set as?

We can find it with the cat /etc/passwd command.

ans : usr/sbin/nologin

#5 What version of Ubuntu is running?

We can write lsb_release -a command for about learn vesion ubuntu.

ans : 18.04.4

#6 Print out the MOTD. What favorite beverage is shown?

We can research what’s command motd linux.

We can see /etc/update-motd.d. I did, but nothing happened. I clicked hint and i see this.

cat /etc/update-motd.d/00-header

Success!

ans : DR PEPPER

Task 7 : [Severity 2] Broken Authentication Practical

For this example, we’ll be looking at a logic flaw within the authentication mechanism.

A lot of times what happens is that developers forgets to sanitize the input(username & password) given by the user in the code of their application, which can make them vulnerable to attacks like SQL injection. However, we are going to focus on a vulnerability that happens because of a developer’s mistake but is very easy to exploit i.e re-registration of an existing user.

Let’s understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter “ admin”(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. That new user will also be able to see all the content presented under the user admin.

To see this in action go to http://10.10.147.50:8888 and try to register a user name darren, you’ll see that user already exists so then try to register a user “ darren” and you’ll see that you are now logged in and will be able to see the content present only in Darren’s account which in our case is the flag that you need to retrieve.

#1 What is the flag that you found in darren’s account?

We can visit website http://10.10.147.50:8888.