TryHackMe - OWASP Top 10 2021


If we access to note 0 we get the flag

Cryptographic failures (Task 8)

Here I did not find the note the developer left, however I always like to have a look at the images path. So i just right click on the image and "open image in new tab" We get this path /assets/images/lake-taupo.jpg If we go one directoy up, we can see that we have directory listing. If we go to the assets directory we can see a db file

We can save it and check it.

We get interesting data

Let's check the hashes on crackstation

  • Here is the admin hash decoded

  • Bob's password

Crackstation does not crack Alice's password.

We can now login as admin (turns out the note of the dev was on the login page😅)

We get the flag.

Command Injection (task 10)

First let's make an ls for this we need to enter this in the form $(ls)

To answer the second question we need to cat /etc/passwd For the next question whoami The answer to the 4th question is in /etc/passwd For the last question we need to cat /etc/alpine-release

Insecure design (Task 11)

For this I used the security question about the favorite color and tried different color until it worked.

So now we can use the password and log in as joseph.

Then we just need to check in joseph's private folder to get the flag.

Security Misconfiguration (task 12)

To read the content of the we need to type import os; print(os.popen("cat").read())

Vulnerable and Outdated Components (Task 15)

We just need to cat the flag now.

Identification and Authentication Failures (Task 17)

Here we just need to register darren and arthur and it works.

Software Integrity Failures

Here we just need to do this

Data Integrity Failures


  • We change algo to none eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=

  • We make ourselves admin eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjg4ODQzNzIyfQ==

  • Here is the new token


This way we get the flag

Security Logging and Monitoring Failures

From the provided txt file we can easily conclude that the attacker has ip and is carrying out a brute force attack.

SSRF (Task 22)

If we go to the admin area we can see this

When we Dowload the resume it makes this request

This means we could try to send a request to our own server. Let's see if it works. It does our server gets requested, as we can see

To get the api we need to intercept with netcat just like in they showed in the example so we just need to nc -lvp 80 And we get the flag

Access admin area

Last updated