# TryHackMe - OWASP Top 10 2021 ![OWASP Room](/files/pN4I3PZxXRBwWBTKV0jW) * [Room on THM](https://tryhackme.com/room/owasptop102021) ## IDOR If we access to note 0 we get the flag ## Cryptographic failures (Task 8) Here I did not find the note the developer left, however I always like to have a look at the images path. So i just right click on the image and "open image in new tab"\ We get this path `/assets/images/lake-taupo.jpg`\ If we go one directoy up, we can see that we have directory listing.\ If we go to the assets directory we can see a db file ![db file](/files/yFB47Hc8D1PO9P4iuyQR) We can save it and check it. We get interesting data ![sqlite](/files/oUteZ5f5k2QgSeaQdjel) Let's check the hashes on crackstation * Here is the admin hash decoded ![admin](/files/qZEC4n5UW2VfbdtvyKS9) * Bob's password ![Bob](/files/yCa0LGZakcjUzUv5DeC3) Crackstation does not crack Alice's password. We can now login as admin (turns out the note of the dev was on the login page😅) We get the flag. ## Command Injection (task 10) First let's make an `ls` for this we need to enter this in the form `$(ls)` ![ls](/files/oNFzhFJYuQYb6jJFVOQP) To answer the second question we need to `cat /etc/passwd`\ For the next question `whoami`\ The answer to the 4th question is in /etc/passwd\ For the last question we need to `cat /etc/alpine-release` ## Insecure design (Task 11) For this I used the security question about the favorite color and tried different color until it worked. ![pass reset](/files/uNhpUmCrtGpY46ohhOKe) So now we can use the password and log in as joseph. Then we just need to check in joseph's private folder to get the flag. ## Security Misconfiguration (task 12) To read the content of the app.py we need to type `import os; print(os.popen("cat app.py").read())` ## Vulnerable and Outdated Components (Task 15) With a simple search we find an authenticated RCE on CSE Bookstore. We can get the exploit [here](https://www.exploit-db.com/exploits/47887)\ We get a shell\ ![rce](/files/xjvqrKq8gFW7VD0Y7A4Q) We just need to cat the flag now. ## Identification and Authentication Failures (Task 17) Here we just need to register `darren` and `arthur` and it works. ## Software Integrity Failures Here we just need to do this ![hash](/files/fRxXCLswmMrKkTYH9oxl) ## Data Integrity Failures Once logged in we get our jwt token\ ![JWT](/files/T8leoVKWX3Owl3F4uXZd) `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjg4ODQzNzIyfQ.Fm8_HaBydwrHZfsTKwFAnWFXicPHbyivUXfojVDF8pw` * We change algo to none `eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=` * We make ourselves admin `eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjg4ODQzNzIyfQ==` * Here is the new token `eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjg4ODQzNzIyfQ.` This way we get the flag ## Security Logging and Monitoring Failures From the provided txt file we can easily conclude that the attacker has ip 49.99.13.16 and is carrying out a brute force attack. ## SSRF (Task 22) If we go to the admin area we can see this ![localhost](/files/SOXA3GbLt3DCACFhyRX4) When we Dowload the resume it makes this request ![Resume](/files/R6T4k06joWE8ZyKdCBTM) This means we could try to send a request to our own server.\ Let's see if it works. It does our server gets requested, as we can see ![Request](/files/QyDWAbxgRgJQBbFM9JC3) To get the api we need to intercept with netcat just like in they showed in the example so we just need to `nc -lvp 80`\ And we get the flag ### Access admin area My first error was to try this in the repeater.\ ![repeater](/files/C0pJESTDq9wYNsrlYYlH) But when I copied the url from the request in the repeater I actually got the flag\ `http://:8087/download?server=localhost:8087/admin%23&id=1` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://csbygb.gitbook.io/pentips/writeups/thmwriteups/thm-owasp-top-10-2021.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.