TryHackMe : OWASP Top 10 [Part 3]

Emre Alkaya
6 min read · Nov 8, 2020


Room: OWASP Top 10

“Today we will be looking at OWASP Top 10 from TryHackMe. Learn about and exploit each of the OWASP Top 10 vulnerabilities; the 10 most critical web security risks. ”

I plan to finish this part in 3 days. So I’ll present it to you in the form of 3 parts. I think we’ll learn better this way.

Today is the last day.

I’ll just do the practical parts and skip the other technical information. You can enter the room and read the technical parts yourself.

Task 21 : [Severity 8] Insecure Deserialization

What’s Vulnerable?

In summary, any application that stores or fetches data without validation or integrity checks on the data it retrieves or retains is potentially vulnerable. A few examples of applications of this nature are:

  • E-Commerce Sites
  • Forums
  • APIs
  • Application Runtimes (Tomcat, Jenkins, JBoss, etc.)

#1 Who developed the Tomcat application?

ans : Apache Software Foundation

#2 What type of attack that crashes services can be performed with insecure deserialization?

This definition is still quite broad, to say the least. Simply put, insecure deserialization is an application rebuilding objects from data the attacker controls, so the attacker can replace that data with a malicious object; depending on what the deserializer does with it, the result ranges from DoS (Denial of Service) to RCE (Remote Code Execution), which the attacker can use to gain a foothold in a pentesting scenario.

ans : Denial of Service

Task 22 [Severity 8] Insecure Deserialization — Objects

#1 Select the correct term of the following statement:

If a dog was sleeping, would this be:

A) A State
B) A Behaviour

ans : A Behaviour

Task 23 : [Severity 8] Insecure Deserialization — Deserialization

Say you have a password of “password123” from a program that needs to be stored in a database on another system. To travel across a network this string/output needs to be converted (serialised) into binary. Of course, the password needs to be stored as “password123” and not its binary notation. Once this reaches the database, it is converted (deserialised) back into “password123” so it can be stored.

#1 What is the name of the base-2 formatting that data is sent across a network as?

ans : binary

Task 24 [Severity 8] Insecure Deserialization — Cookies

#1 If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

ans : webapp.com/login

#2 What is the acronym for the web technology that Secure cookies work over?

ans : HTTPS

Task 25 : [Severity 8] Insecure Deserialization — Cookies Practical

First, open the target website in your browser.

This is the example website for the task.

Let’s create an account. No need to enter your TryHackMe details, you can enter what you like.

You will then be directed to your profile page. Notice on the right, you have your details.

Right-Click the Page and press “Inspect Element”. Navigate to the “Storage” tab.

Inspecting Encoded Data
You will see here that there are cookies whose values are both plaintext and base64 encoded. The first flag will be found in one of these cookies; decode the base64 value to read it.

ans : THM{good_old_base64_huh}

Modifying Cookie Values
Notice here that you have a cookie named “userType”. You are currently a user, as confirmed by your information on the “myprofile” page.

This application determines what you can and cannot see by your userType, a value stored in a cookie that you control. What if you wanted to become an admin?

Double left-click the “Value” column of “userType” to modify the contents. Let’s change our userType to “admin” and navigate to http://10.10.83.1/admin to get the second flag.

ans : THM{heres_the_admin_flag}
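To make the problem in this task concrete, here is an added example (not code from the room or the lab application) that replays the cookie edit above in Python. The cookie jar, the secret key and the function names are constructed for the demo: decode_cookie is the manual “is this base64?” check done in the Storage tab, is_admin_vulnerable is what the lab effectively does (it believes a role stored in a client-editable cookie), and the signed variant shows the fix a server should apply, an HMAC tag that the client cannot recompute without the key.

```python
import base64
import hashlib
import hmac

# Constructed cookie jar modelled on the lab's profile page: userType is the
# client-controlled value the application uses to gate /admin.
SAMPLE_COOKIES = {
    "sessionId": "a1b2c3d4",
    "userType": "user",
    "encodedPayload": base64.b64encode(
        b'{"name":"demo","email":"demo@example.com"}').decode(),
}

# Demo-only key (assumption for this example); a real server keeps it out of the code.
SECRET_KEY = b"constructed-demo-secret"


def decode_cookie(value: str) -> str:
    """Return the decoded text if the value is valid base64 UTF-8, else the raw value.
    This mirrors the manual 'is it base64?' check done in the browser's Storage tab."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value


def is_admin_vulnerable(cookies: dict) -> bool:
    """The lab's design: the role lives in a cookie the user can edit."""
    return cookies.get("userType") == "admin"


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Append an HMAC-SHA256 tag so any edit to value is detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(signed: str, key: bytes = SECRET_KEY):
    """Return the value if the tag matches, else None (constant-time compare)."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def is_admin_hardened(cookies: dict) -> bool:
    """Same check, but only a server-signed userType is believed."""
    return verify_cookie(cookies.get("userType", "")) == "admin"


def tamper_demo() -> dict:
    """Replay the lab's edit (user -> admin) against both designs."""
    edited = dict(SAMPLE_COOKIES, userType="admin")
    signed = dict(SAMPLE_COOKIES, userType=sign_cookie("user"))
    # The attacker edits the visible role but cannot recompute the tag without the key.
    signed_edited = dict(signed, userType="admin." + signed["userType"].split(".", 1)[1])
    return {
        "vulnerable_before": is_admin_vulnerable(SAMPLE_COOKIES),
        "vulnerable_after": is_admin_vulnerable(edited),
        "hardened_before": is_admin_hardened(signed),
        "hardened_after": is_admin_hardened(signed_edited),
    }
```

Two caveats when you do this in a real engagement: a short opaque value such as a session ID can be valid base64 by accident, so a successful decode is a hint, not proof that the cookie is encoded data; and signing only stops tampering, it does not hide the value, so anything secret still belongs server-side rather than in a cookie.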

Task 26 : [Severity 8] Insecure Deserialization — Code Execution

1. First, change the value of the userType cookie from “admin” back to “user” and return to http://10.10.83.1/myprofile.

2. Then, left-click on the URL in “Exchange your vim” on the profile page.

3. Once you have done this, left-click on the URL in “Provide your feedback!”, where you will be directed to the feedback page.

#1 flag.txt

4. On your attacking machine, start a netcat listener (the room gives the exact command) and note your TryHackMe VPN IP; the payload has to connect back to this listener.

5. Open the room’s script with nano rce.py and change the IP address in it to your TryHackMe VPN IP.

6. Run the script and paste the payload it produces into the “encodedPayload” cookie in your browser.

7. Ensure our netcat listener is still running.

8. Refresh the page. It will hang; refer back to your netcat listener, which should now have a shell on the target. Read flag.txt from there.

ans : 4a69a7ff9fd68
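The room’s rce.py is not reproduced here, so as an added example (not the room’s code) the following Python shows the mechanism the task relies on: a pickled object whose __reduce__ tells the unpickler which function to call, base64-wrapped the way the encodedPayload cookie is. The gadget is a constructed stand-in that evaluates a harmless expression instead of spawning a reverse shell, so you can see the effect without a listener; the lab application itself is not shown, and load_vulnerable is an assumption about the shape of the vulnerable decode path (base64, then pickle.loads). The RestrictedUnpickler shows the minimum defence if a service must keep accepting pickle at all: refuse every global lookup, which is exactly what a gadget needs.

```python
import base64
import io
import os
import pickle


class ReverseShellStub:
    """Gadget shaped like a pickle RCE payload. __reduce__ returns (callable, args),
    and pickle.loads() calls it while rebuilding the object. The real lab payload
    runs a reverse shell to the attacker's IP; this constructed stand-in evaluates
    a harmless expression so the code execution is observable and checkable."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_encoded_payload() -> str:
    """Produce a cookie value the way the exploit script does: pickle, then base64."""
    return base64.b64encode(pickle.dumps(ReverseShellStub())).decode()


def load_vulnerable(cookie_value: str):
    """Assumed shape of the vulnerable path: base64 decode, then pickle.loads on
    attacker-controlled bytes. Whatever the gadget names gets executed here."""
    return pickle.loads(base64.b64decode(cookie_value))


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup. Plain data (dict/list/str/int/bytes) is rebuilt
    from opcodes that never call find_class, so legitimate payloads still load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_hardened(cookie_value: str):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie_value))).load()


def benign_cookie() -> str:
    """A constructed legitimate cookie: only plain data, no classes or functions."""
    return base64.b64encode(pickle.dumps({"name": "demo", "theme": "dark"})).decode()


def demo() -> dict:
    """Run the malicious and benign cookies through both loaders."""
    malicious = build_encoded_payload()
    result = {
        # True means the expression inside the cookie ran in this process.
        "vulnerable_ran_code": load_vulnerable(malicious) == os.getpid(),
        "hardened_loads_benign": load_hardened(benign_cookie()),
    }
    try:
        load_hardened(malicious)
        result["hardened_blocked"] = False
    except pickle.UnpicklingError:
        result["hardened_blocked"] = True
    return result
```

The lesson is not specific to pickle: any deserializer that can instantiate arbitrary types from the input (Java ObjectInputStream, PHP unserialize, YAML loaders with full tags) has the same shape of problem. The safer design is a data-only format such as JSON plus a signature on the cookie, so that untrusted bytes never reach an object-graph deserializer in the first place.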

Task 29 : [Severity 9] Components With Known Vulnerabilities — Lab

#1 How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

We have to visit the website.

From here we see that the site is running the CSE Bookstore.

We can search for a publicly known CSE Bookstore vulnerability.

There is one; run the public exploit against the target, then run wc -c /etc/passwd to get the answer.

ans : 1611

Task 30 : [Severity 10] Insufficient Logging and Monitoring

We have to download login-logs.txt. Click download and save file.

#1 What IP address is the attacker using?

We can use cat login-logs.txt to see all the login entries.

We see one IP address constantly trying to log in, with a different username each time.

ans : 49.99.13.16

#2 What kind of attack is being carried out?

The HTTP 401 Unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.

So we can say this is a brute force attack, because the same IP keeps submitting login attempts with a different username each time and gets a 401 for every one of them.

ans : Brute Force
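Reading the log by eye works for a short file; for a real one you want the same reasoning in code. The following is an added example (not part of the room) that applies the check used above, repeated 401s from one source inside a short window, to a constructed log whose layout is only modelled on login-logs.txt (the real file’s columns may differ, which is why parse_line reads the IP, username and timestamp from the right-hand end of each line). The thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the spirit of the room's login-logs.txt; the real file's
# column layout may differ, so parse_line takes fields from the right-hand end.
SAMPLE_LOG = """\
200 OK           12.55.22.88  jr22       2019-03-12T09:21:17
200 OK           14.56.23.11  peter.s    2019-03-12T09:24:12
401 Unauthorized 49.99.13.16  admin      2019-03-12T09:25:44
401 Unauthorized 49.99.13.16  root       2019-03-12T09:25:49
401 Unauthorized 49.99.13.16  guest      2019-03-12T09:25:53
401 Unauthorized 49.99.13.16  backup     2019-03-12T09:25:58
401 Unauthorized 49.99.13.16  test       2019-03-12T09:26:02
401 Unauthorized 49.99.13.16  jr22       2019-03-12T09:26:07
200 OK           19.75.34.54  michael.s  2019-03-12T09:30:10
401 Unauthorized 19.75.34.54  michael.s  2019-03-12T09:30:25
"""


def parse_line(line: str):
    """status code, client IP, username, ISO timestamp -> dict, or None for junk."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        return {
            "status": int(parts[0]),
            "ip": parts[-3],
            "user": parts[-2],
            "ts": datetime.fromisoformat(parts[-1]),
        }
    except ValueError:
        return None


def detect_bruteforce(log_text: str, max_failures: int = 5,
                      window_seconds: int = 300) -> list:
    """Flag any IP with at least max_failures 401s inside a window_seconds span.
    Returns one finding per offending IP, with the usernames it tried."""
    failures = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            failures[rec["ip"]].append((rec["ts"], rec["user"]))

    findings = []
    for ip, events in failures.items():
        events.sort()
        start, best = 0, (0, 0, 0)  # (count, start index, end index)
        for end in range(len(events)):
            # slide the window start forward until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count >= max_failures:
            findings.append({
                "ip": ip,
                "attack": "Brute Force",
                "failures": count,
                # many usernames from one source is the spraying / user
                # enumeration variant rather than one person mistyping
                "usernames": sorted({u for _, u in events[s:e + 1]}),
            })
    return findings
```

The single failed attempt from 19.75.34.54 in the sample stays below the threshold, which is the point of windowing: a legitimate user mistyping once should not page anyone, while six failures against six different accounts in under half a minute from one address should. Without this kind of logging in the first place (the room’s theme for this task) there is nothing to run the check against.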

Insecure Deserialization, Components With Known Vulnerabilities and Insufficient Logging and Monitoring done.

So I completed it all.

This box was really fun! I love the ones that have a story/theme that goes along with them.

Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!
