Continuing from part 2, in this article I will walk you through exploiting the Insecure Deserialization, Components With Known Vulnerabilities, and Insufficient Logging & Monitoring tasks of the OWASP Top 10 challenge.
TryHackMe: OWASP Top 10 Challenge [Part 3]
Mission 21: [Severity 8] Insecure Deserialization
What applications are vulnerable?
Any application that stores or fetches serialised data without validating it or checking its integrity, whether the data is being retrieved or retained. Some examples of applications of this nature are:
- E-commerce website
- Forum
- API
- Runtime applications (Tomcat, Jenkins, JBoss, ...)
You can learn more about Insecure Deserialization here.
#1 Who developed the Tomcat application?
Answer: Apache Software Foundation
#2 What kind of attack that crashes services can be performed with insecure deserialization?
This definition is still quite broad, but it can be understood like this: insecure deserialization means replacing the data an application processes with malicious serialised input. That allows anything from DoS (Denial of Service) to RCE (Remote Code Execution), which an attacker can use to gain a foothold during a pentest.
Answer: Denial of Service
Mission 22: [Severity 8] Insecure Deserialization – Objects
#1 Choose the correct term of the following sentence:
if a dog was sleeping, would this be:
A) A State
B) A Behaviour
Answer: A Behaviour
Mission 23: [Severity 8] Insecure Deserialization — Deserialization
Suppose a program has the password “password123” and needs to store it in a database on another system. To travel across the network, this string has to be serialised into a binary form (a byte stream). Of course, the database needs to store “password123” itself, not the raw byte stream, so when the data reaches the database it is deserialised back into “password123” before being stored.
#1 What is the name of the base 2 format in which data is sent over the network?
Answer: binary
Mission 24: [Severity 8] Insecure Deserialization — Cookies
#1 If the cookie has a path of webapp.com/login, what is the URL the user has to visit?
Answer: webapp.com/login
#2 What is the acronym for the web technology that Secure cookies work on?
Answer: HTTPS
Mission 25: [Severity 8] Insecure Deserialization — Cookies Practical
I will log in to a website like the one below.
Create an account. No need to enter details, you can enter what you like.
Notice on the right, you have your details.
Right click on the page and hit “Inspect Element” then go to the “Storage” tab.
Check the encoded data
You will see here that there are both plaintext and base64 encoded cookies. The first flag will be found in one of these cookies.
Answer: THM{good_old_base64_huh}
Modify cookie value
Notice here that you have a cookie named “userType”. You are now a user, as confirmed by your information on the “myprofile” page.
This application defines what you can and cannot see by your userType. What if you want to be an administrator?
Double-click the “Value” column of “userType” to edit it. Change userType to “admin” and navigate to http://10.10.83.1/admin to get the second flag.
Answer: THM{hers_the_admin_flag}
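The reason the userType trick works is that the application makes an authorization decision on a value the client controls and never checks its integrity. As an added example (not code from this walkthrough or from the TryHackMe room), here is the vulnerable base64-only cookie beside a version that carries an HMAC-SHA256 tag, so the same edit in the browser's Storage tab is detected on the server. The cookie layout, the function names and the SERVER_KEY value are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for this example only; a real deployment loads it
# from configuration, never from the code base and never from the client.
SERVER_KEY = b"example-only-server-secret-do-not-reuse"


def encode_cookie(claims):
    """Vulnerable pattern: the cookie is just base64(JSON), no integrity protection."""
    return base64.b64encode(json.dumps(claims).encode()).decode()


def decode_cookie_unsigned(value):
    """Vulnerable pattern: trust whatever the client sends back."""
    return json.loads(base64.b64decode(value))


def tamper(value, **changes):
    """What the attacker does in the Storage tab: decode, edit, re-encode."""
    claims = decode_cookie_unsigned(value)
    claims.update(changes)
    return encode_cookie(claims)


def sign_cookie(claims, key=SERVER_KEY):
    """Hardened pattern: append an HMAC-SHA256 tag over the encoded payload."""
    payload = encode_cookie(claims)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(value, key=SERVER_KEY):
    """Return the claims only if the tag matches; otherwise None (treat as anonymous)."""
    payload, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return decode_cookie_unsigned(payload)


def tamper_signed(value, **changes):
    """Edit the payload half of a signed cookie but keep the old tag, which is all an
    attacker without the key can do."""
    payload, _, tag = value.rpartition(".")
    return f"{tamper(payload, **changes)}.{tag}"


if __name__ == "__main__":
    plain = encode_cookie({"userType": "user"})
    print("unsigned cookie, after tampering:", decode_cookie_unsigned(tamper(plain, userType="admin")))
    signed = sign_cookie({"userType": "user"})
    print("signed cookie, after tampering:", verify_cookie(tamper_signed(signed, userType="admin")))
```

Note what the tag does and does not give you: it stops the server from accepting an edited userType, but the payload is still plain base64, so anything like the first flag stays readable to the user. Keeping the role in a server-side session and sending the client only an opaque identifier removes both problems.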
Mission 26: [Severity 8] Insecure Deserialization — Code Execution
1. First, change the value of the userType cookie from “admin” back to “user” and return to http://10.10.83.1/myprofile.
2. Then left click the URL under “Exchange your vim”.
3. Next, left click the URL under “Provide your feedback!” to reach the feedback page.
#1 flag.txt
4. Change the netcat IP in the payload script: open it with nano rce.py and replace the placeholder tryhackmyIP with your own TryHackMe VPN address, the one your netcat listener is on. The payload connects back to you, so the target's IP is not what goes here.
5. Run the script and paste its base64 output into the “encodedPayload” cookie in your browser.
6. Make sure your netcat listener is still running.
7. Refresh the page. It will hang; go back to netcat, where the reverse shell has connected, and read the flag.
Answer: 4a69a7ff9fd68
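The rce.py script works because Python's pickle will call whatever callable a serialised object names in its __reduce__ method, and the application unpickles the encodedPayload cookie without any check (that it is a pickle payload is how the room is built, though this page does not spell it out). This added example, which is not the room's script or this walkthrough's code, builds the same kind of gadget with a harmless command (echo instead of the reverse shell) so it can run locally, shows the vulnerable loader executing it, and shows a restricted unpickler that refuses the stream. The class and function names are my own, as is the assumption that a legitimate cookie is a plain pickled dict.

```python
import base64
import io
import pickle
import subprocess


class RCEPayload:
    """Gadget object: on unpickling, pickle 'rebuilds' it by calling
    subprocess.check_output(argv). The room's payload uses the same mechanism
    with a reverse-shell command; here argv is harmless so the example runs locally."""

    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        # (callable, args): pickle stores a reference to the callable by module and
        # name, and pickle.loads() invokes it. No method of this class runs on load.
        return (subprocess.check_output, (self.argv,))


def build_payload(argv):
    """Serialise the gadget and base64-encode it, the form the encodedPayload cookie carries."""
    return base64.b64encode(pickle.dumps(RCEPayload(argv))).decode()


def unsafe_load(cookie_value):
    """The vulnerable server behaviour: unpickle whatever the client sent."""
    return pickle.loads(base64.b64decode(cookie_value))


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened unpickler: refuses to resolve any global that is not on the allow-list,
    so a stream can only build plain data, never reach subprocess or os functions."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}  # extend for your own types

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(cookie_value):
    """Hardened server behaviour: same base64 decode, restricted unpickle."""
    raw = base64.b64decode(cookie_value)
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_rejected(cookie_value):
    """True if the hardened loader refuses the stream."""
    try:
        safe_load(cookie_value)
    except pickle.UnpicklingError:
        return True
    return False


def benign_cookie(claims):
    """A legitimate cookie for comparison (assumed to be a pickled dict): no globals,
    so it loads under both loaders."""
    return base64.b64encode(pickle.dumps(claims)).decode()


if __name__ == "__main__":
    payload = build_payload(["echo", "pwned"])
    print("vulnerable loader ran the command ->", unsafe_load(payload))
    print("hardened loader rejected it       ->", is_rejected(payload))
    print("legitimate cookie still loads     ->", safe_load(benign_cookie({"userType": "user"})))
```

The point to take from unsafe_load is that the command runs during deserialisation itself; the application never has to use the resulting object, which is why simply refreshing the page is enough to trigger the callback in the room. The allow-list loader is the fix when pickle cannot be replaced; where it can, a format with no code-execution semantics (JSON) plus an integrity tag is the better choice.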
Mission 29: [Severity 9] Components With Known Vulnerabilities — Lab
#1 How many characters are in /etc/passwd (use wc -c /etc/passwd for the answer)
Visit the website; as we can see, it is an ordinary online bookstore.
After some research into known vulnerabilities in online bookstore applications, I found a public exploit that applies here and used it to run wc -c /etc/passwd on the target.
Answer: 1611
Mission 30: [Severity 10] Insufficient Logging & Monitoring
We have to download the login-logs.txt file. Click download and save the file.
#1 What IP address is the attacker using?
We can use cat login-logs.txt to view all the entries.
One IP address keeps hitting the login endpoint with a different username each time.
Answer: 49.99.13.16
#2 What kind of attack is being performed?
HTTP 401 indicates that the request has not been applied because it lacks valid credentials for the target resource.
So I think it is a brute force attack, because we see the same source repeatedly trying to log in, cycling through usernames.
Answer: Brute Force
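Reading the file with cat works for a few dozen lines, but the same reasoning (one source, many 401s on /login in a short span, a different username each time) can be written as detection logic. This is an added example, not part of the original walkthrough: it parses a handful of constructed log lines laid out as status, IP, username, timestamp, path, and flags any IP with a burst of failed logins. The sample lines below are made up for the example and are not the contents of the real login-logs.txt; the column layout, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, shaped like a web login log; not the real login-logs.txt.
SAMPLE_LOG = """\
200 OK           12.55.22.88 jr22          2019-03-18T09:21:17 /login
200 OK           14.56.23.11 hpinkman      2019-03-18T09:22:17 /login
401 Unauthorised 49.99.13.16 admin         2019-03-21T21:21:54 /login
401 Unauthorised 49.99.13.16 administrator 2019-03-21T21:21:55 /login
401 Unauthorised 49.99.13.16 anonymous     2019-03-21T21:21:56 /login
401 Unauthorised 49.99.13.16 root          2019-03-21T21:21:57 /login
401 Unauthorised 67.77.98.12 jr22          2019-03-22T08:10:01 /login
200 OK           67.77.98.12 jr22          2019-03-22T08:10:20 /login
"""

# status, status text, IPv4, username, ISO timestamp, path (assumed layout)
LINE_RE = re.compile(
    r"^(?P<status>\d{3})\s+\S+\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<user>\S+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<path>\S+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "status": int(m["status"]),
            "ip": m["ip"],
            "user": m["user"],
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "path": m["path"],
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=4):
    """Flag any IP with at least `threshold` 401s on /login inside any `window`.
    Returns {ip: {"failures", "usernames", "attack"}}; the username list tells you
    whether it is one account being hammered or many accounts being sprayed."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["status"] == 401 and e["path"] == "/login":
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(evs),
                    "usernames": sorted({e["user"] for e in evs}),
                    "attack": "brute force",
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The single 401 from 67.77.98.12 followed by a 200 is a mistyped password, not an attack, and the threshold keeps it out of the alerts; the burst from 49.99.13.16 is flagged, and the four distinct usernames in the alert are the detail that distinguishes guessing across accounts from guessing one account's password.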
So this series is done. Are you looking forward to the other series? In addition, you can also see other challenges on tryhackme here.