# TryHackMe - OWASP Top 10 2021

![OWASP Room](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-aad6dbcc1790218c522f1f68bee04344f5c7d9ab%2F2023-07-08-13-22-41.png?alt=media)

* [Room on THM](https://tryhackme.com/room/owasptop102021)

## IDOR

If we access note 0 we get the flag.

## Cryptographic failures (Task 8)

Here I did not find the note the developer left; however, I always like to have a look at the image paths, so I just right-clicked the image and chose "open image in new tab".\
We get this path: `/assets/images/lake-taupo.jpg`\
If we go one directory up, we can see that directory listing is enabled.\
In the assets directory we can see a db file.

![db file](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-3093d68c1ab46a65a77ff047a643de92bc8738d8%2F2023-07-08-13-15-27.png?alt=media)

We can download it and inspect it.

It contains interesting data:

![sqlite](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-3796b4ef6b103f43e75a6b5233340255af6e6d4b%2F2023-07-08-13-20-49.png?alt=media)

Let's check the hashes on CrackStation.

* Here is the admin hash cracked

![admin](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-f2084b2518ff23623291c1e1f04505488065f6c0%2F2023-07-08-13-22-12.png?alt=media)

* Bob's password

![Bob](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-8332ddbcb4aac9301a8aff573b9fafc59bda82a8%2F2023-07-08-13-23-57.png?alt=media)

Crackstation does not crack Alice's password.

We can now log in as admin (turns out the note of the dev was on the login page😅).

We get the flag.
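The hashes above fell to a lookup service because they are unsalted, fast digests. As an added example (not code from the room or the write-up), here is how a login system should store passwords instead: PBKDF2-HMAC-SHA256 with a random per-user salt and a high iteration count, a constant-time verify, and a check that flags legacy 32-hex-character digests for rehashing at the user's next successful login. The weak sample hash and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample: an unsalted MD5 of a weak password, the kind of digest
# a lookup table reverses instantly (not a value from the room's db file).
WEAK_STORED = hashlib.md5(b"password123").hexdigest()

# Iteration count chosen for the demo; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A random per-user salt defeats precomputed lookup tables, and the
    iteration count makes every guess expensive for an attacker.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_legacy_md5(stored: str) -> bool:
    """Flag bare 32-hex-char digests so they can be rehashed on next login."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())
```

The `is_legacy_md5` check is what lets a migration happen without a forced reset: the application verifies the old MD5 once, then writes back a PBKDF2 record.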

## Command Injection (task 10)

First, let's run `ls`; for this we need to enter `$(ls)` in the form.

![ls](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-16ab9ccb73a605837ac4a82df234119e6aeba50f%2F2023-07-08-13-41-16.png?alt=media)

To answer the second question we need to `cat /etc/passwd`.\
For the next question: `whoami`.\
The answer to the 4th question is in `/etc/passwd`.\
For the last question we need to `cat /etc/alpine-release`.
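The `$(ls)` payload works because the form value is spliced into a shell command line, where `$(...)` means "run this and substitute the output". As an added example (not the room's application code), the vulnerable pattern is shown next to the fix: pass the value as one argv element to `subprocess.run` with no shell, so `$(ls)` arrives as a literal string. A metacharacter check is included for logging and defence in depth, and `shlex.quote` covers the case where a shell is unavoidable. The `echo` command stands in for whatever the real application invokes.

```python
import re
import shlex
import subprocess

# Shell syntax that turns a "string" into a command once it is spliced into a
# command line: $(...), backticks, ;, |, &, redirects and newlines.
SHELL_META = re.compile(r"[$`;|&<>\n]")


def vulnerable_command(user_input: str) -> str:
    """The pattern behind the `$(ls)` payload: string concatenation into a
    shell command. Returned rather than executed so the injection is visible."""
    return f"echo {user_input}"


def safe_run(user_input: str) -> str:
    """Run the same command with an argv list and no shell.

    `$(ls)` is handed to echo as a single literal argument; nothing expands it.
    """
    result = subprocess.run(
        ["echo", user_input], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


def has_shell_metachars(user_input: str) -> bool:
    """Detection / defence in depth: flag input that only makes sense as shell syntax."""
    return SHELL_META.search(user_input) is not None


def quoted_command(user_input: str) -> str:
    """If a shell really is required, shlex.quote() makes the input one word."""
    return f"echo {shlex.quote(user_input)}"
```

Logging a hit from `has_shell_metachars` on a form field is a cheap, high-signal detection: legitimate users of a greeting box do not type `$(`.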

## Insecure design (Task 11)

For this I used the security question about the favorite color and tried different colors until one worked.

![pass reset](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-770ee5792c5b51b36acca5f991530776f9d802bc%2F2023-07-08-13-57-11.png?alt=media)

So now we can use the password and log in as joseph.

Then we just need to check in joseph's private folder to get the flag.

## Security Misconfiguration (task 12)

To read the content of `app.py` we need to type `import os; print(os.popen("cat app.py").read())`.

## Vulnerable and Outdated Components (Task 15)

With a simple search we find an authenticated RCE for CSE Bookstore. We can get the exploit [here](https://www.exploit-db.com/exploits/47887).\
We get a shell:\
![rce](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-a4b1deb523f7d83868d50608f57d8941d2145bc1%2F2023-07-08-14-16-02.png?alt=media)

We just need to cat the flag now.

## Identification and Authentication Failures (Task 17)

Here we just need to register `darren` and `arthur` and it works.

## Software Integrity Failures

Here we just need to do this:

![hash](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-5bbbdc8f74dd119800dca3ee9d83e5f416d312a8%2F2023-07-08-14-27-36.png?alt=media)

## Data Integrity Failures

Once logged in we get our JWT:\
![JWT](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-00f4ec243476ae07302d94fef193ecacc5b326e8%2F2023-07-08-14-31-53.png?alt=media)

`eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNjg4ODQzNzIyfQ.Fm8_HaBydwrHZfsTKwFAnWFXicPHbyivUXfojVDF8pw`

* We change the algorithm to `none`: `eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=`
* We make ourselves admin: `eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjg4ODQzNzIyfQ==`
* Here is the new token (JWTs use unpadded base64url, so the `=` padding is dropped and the signature part is left empty):

`eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjg4ODQzNzIyfQ.`

This way we get the flag.
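The forgery above only works if the server lets the token's own header choose the algorithm. As an added example (not the room's code), the following decodes the forged token from this write-up, shows the flawed verifier that accepts `alg: none`, and gives the hardened version: the server pins HS256, checks the HMAC in constant time and enforces `exp`. `DEMO_KEY` is a constructed secret; the room's real signing key is unknown, so the test signs a fresh token with the same claims to show a valid one passing.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Forged token from the write-up: header {"alg":"none"}, empty signature.
FORGED = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0."
          "eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjg4ODQzNzIyfQ.")

# Constructed demo secret, not the room's key.
DEMO_KEY = b"constructed-demo-secret"


def b64url_decode(s: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Header and payload only, for inspection; never trust this for authz."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs256(payload: dict, key: bytes) -> str:
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def naive_verify(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """The bug: the token's header picks the algorithm, so 'none' means no check."""
    header, claims = decode_unverified(token)
    if header.get("alg") == "none":
        return claims
    return verify_hs256(token, key, now)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened: the server decides the algorithm; returns claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # 'none', RS256-confusion and unknown algs all rejected here
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    current = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < current:
        return None
    return claims
```

The `now` parameter exists only so the test can evaluate the 2023 `exp` value from the write-up; in production the verifier uses the real clock.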

## Security Logging and Monitoring Failures

From the provided txt file we can easily conclude that the attacker has IP 49.99.13.16 and is carrying out a brute-force attack.
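Reading the file by eye works for a few lines; at scale the same conclusion comes from counting failed logins per source address in a short time window. As an added example (not the room's log file or code), the log lines below are constructed in a simple `<status> <text> <ip> <user> <path> <date> <time>` layout, using 49.99.13.16 as the offending address named above. The detector flags any IP with five or more 401s on `/login` inside one minute and reports how many distinct usernames it tried, which separates password spraying from one user mistyping.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not the room's file). Layout:
# <status> <status-text> <ip> <user> <path> <date> <time>
SAMPLE_LOG = """\
200 OK 10.0.0.7 jdoe /login 2023-07-08 13:40:01
401 Unauthorized 49.99.13.16 admin /login 2023-07-08 13:41:10
401 Unauthorized 49.99.13.16 administrator /login 2023-07-08 13:41:11
401 Unauthorized 49.99.13.16 root /login 2023-07-08 13:41:12
401 Unauthorized 49.99.13.16 anonymous /login 2023-07-08 13:41:13
401 Unauthorized 10.0.0.7 jdoe /login 2023-07-08 13:42:30
401 Unauthorized 49.99.13.16 guest /login 2023-07-08 13:41:14
200 OK 10.0.0.7 jdoe /login 2023-07-08 13:42:40
"""


def parse_line(line: str) -> dict:
    status, _text, ip, user, path, date, clock = line.split()
    return {
        "status": int(status),
        "ip": ip,
        "user": user,
        "path": path,
        "time": datetime.fromisoformat(f"{date} {clock}"),
    }


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Return {ip: {"failures": n, "distinct_users": m}} for every IP that
    produced `threshold` or more failed logins inside `window`."""
    failures: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["path"] == "/login" and ev["status"] == 401:
            failures[ev["ip"]].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e["time"])
        lo = 0
        for hi in range(len(events)):  # sliding window over sorted timestamps
            while events[hi]["time"] - events[lo]["time"] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(events),
                    "distinct_users": len({e["user"] for e in events}),
                }
                break
    return flagged
```

The single 401 from 10.0.0.7 followed by a 200 is the normal "typo then success" pattern and stays below the threshold; the address that cycles through five default account names in five seconds is what gets reported.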

## SSRF (Task 22)

If we go to the admin area we can see this:

![localhost](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-35706ee01d859bf9a97c87483530df2c880da5f4%2F2023-07-08-14-43-31.png?alt=media)

When we download the resume it makes this request:

![Resume](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-49bf737629d6b21c140db89a312476e5644183a7%2F2023-07-08-14-44-59.png?alt=media)

This means we could try to make it send a request to our own server.\
Let's see if it works. It does: our server receives the request, as we can see here.

![Request](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-998dafd67314016e2e671e37c5f83e195782c973%2F2023-07-08-14-48-04.png?alt=media)

To capture the API request we need to intercept it with netcat, just like they showed in the example, so we just need to run `nc -lvp 80`.\
And we get the flag.

### Access admin area

My first error was to try this in the Repeater.\
![repeater](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-1761db852b42fee64fe418fa15309d61da770551%2F2023-07-08-15-09-54.png?alt=media)\
But when I copied the URL from the Repeater request, I actually got the flag:\
`http://<IP>:8087/download?server=localhost:8087/admin%23&id=1`
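The `server` parameter is trusted as the origin of a URL the application builds itself, and the `%23` (`#`) at the end turns everything the server appends into a URL fragment, so the request lands on `localhost:8087/admin`. As an added example (not the room's code), this validator shows the checks a `/download` endpoint should apply to that parameter before fetching anything: decode it, accept only a bare `host:port`, reject loopback, private and link-local addresses by name or number, and require an exact match against an allow-list. The allow-list entry `files.example.internal:8087` is a constructed placeholder, since the write-up does not show the real storage host.

```python
import ipaddress
from typing import Iterable, Tuple
from urllib.parse import unquote, urlsplit

# Hypothetical allow-list for the storage back end (constructed placeholder).
ALLOWED_SERVERS = {"files.example.internal:8087"}

LOOPBACK_NAMES = {"localhost", "0.0.0.0", "[::1]", "::1"}


def validate_server_param(raw: str, allowed: Iterable[str] = ALLOWED_SERVERS) -> Tuple[bool, str]:
    """Return (ok, reason) for a user-supplied `server=` value."""
    value = unquote(raw).strip()  # the request carries %23 for '#'

    # Only host[:port] is acceptable; a path, query, fragment, userinfo or
    # whitespace means the caller is trying to steer the final URL.
    if any(ch in value for ch in "/?#@\\ \t"):
        return False, "server must be host[:port] only"

    try:
        parts = urlsplit(f"//{value}")
        host, port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return False, "malformed host or port"
    if not host:
        return False, "no host"

    if host in LOOPBACK_NAMES or host.endswith(".localhost"):
        return False, "loopback host"

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname; the allow-list decides below
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False, "internal address"

    if f"{host}:{port}" not in set(allowed):
        return False, "host not in allow-list"
    return True, "ok"
```

One caveat the allow-list does not cover on its own: a permitted hostname can still resolve to an internal address (DNS rebinding), so the HTTP client should resolve the name itself and re-run the address checks on the result before connecting.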
