Learn one of the OWASP vulnerabilities every day for 10 days in a row. A new task will be revealed every day, where each task will be independent from the previous one. These challenges will cover each OWASP topic:
My First Try at Hacking Lab Write-Ups ;)
Vulnerability: Injection
Target: http://MACHINE_IP/evilshell.php.
Simple Description: A search bar is given; we also know that the PHP code behind it allows command injection.
Questions:
Question 1: What strange text file is in the website root directory?
My Solution:
A simple `ls` command gave away the name of a text file.
Ideally, I should have also checked the root directory using `pwd`.
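The injected `ls` above works because the search term is concatenated into a shell command before it is executed. The Python model below is an added example, not the room's PHP code: `vulnerable_command` only builds the command string the flawed pattern would hand to a shell (so the surviving metacharacters are visible without running anything), while `hardened_listing` allow-lists the term and passes an argv list so no shell ever parses the input. It assumes an `ls` binary on PATH and a caller-supplied base directory; `make_sample_dir` builds a constructed directory tree to list, and `is_rejected` is a small helper for checking the rejection path.

```python
import os
import re
import subprocess
import tempfile
from typing import List

# Constructed search term of the kind the write-up describes: a shell
# metacharacter followed by a second command.
INJECTED_TERM = "; ls"

# Assumed allow-list for a "search" term: one plain file or directory name.
_SAFE_TERM = re.compile(r"[A-Za-z0-9._-]{1,64}")


def vulnerable_command(search_term: str) -> str:
    """Models the flawed pattern: user input is concatenated into a command
    string that the real app would hand to a shell (PHP exec()/system(),
    Python subprocess with shell=True). Returned rather than executed so the
    surviving metacharacters are visible."""
    return "ls -l " + search_term


def hardened_listing(search_term: str, base_dir: str) -> List[str]:
    """Hardened equivalent: reject anything outside the allow-list, build the
    target path ourselves, and pass an argv list so no shell parses the input.
    Returns one directory entry per element."""
    if not _SAFE_TERM.fullmatch(search_term) or search_term in {".", ".."}:
        raise ValueError("search term contains disallowed characters")
    target = os.path.join(base_dir, search_term)
    # '--' ends option parsing, so a term starting with '-' cannot become a flag.
    proc = subprocess.run(
        ["ls", "-1", "--", target],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.splitlines()


def is_rejected(search_term: str, base_dir: str) -> bool:
    """True when the hardened handler refuses the term before running anything."""
    try:
        hardened_listing(search_term, base_dir)
    except ValueError:
        return True
    return False


def make_sample_dir() -> str:
    """Builds a constructed directory tree (docs/a.txt, docs/b.txt) to list."""
    base = tempfile.mkdtemp(prefix="evilshell-demo-")
    os.mkdir(os.path.join(base, "docs"))
    for name in ("a.txt", "b.txt"):
        open(os.path.join(base, "docs", name), "w").close()
    return base


if __name__ == "__main__":
    base = make_sample_dir()
    print("command the flawed handler would run:", vulnerable_command(INJECTED_TERM))
    print("hardened listing of docs:", hardened_listing("docs", base))
    print("injected term rejected:", is_rejected(INJECTED_TERM, base))
```

The allow-list is deliberately narrower than "escape the shell metacharacters": quoting fixes one class of bug, whereas refusing to involve a shell at all removes the class.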
Question 2: How many non-root/non-service/non-daemon users are there?
My Solution:
This seemed difficult at first: on running `cat /etc/passwd`, even though all the users were displayed, I still wasn't able to figure out much.
I searched online and then used `cut -d: -f1 /etc/passwd` to get only the usernames. Comparing this output with a similar output on my own terminal led me to realise that there are no such non-special users.
Question 3: What user is this app running as?
My Solution:
This was easy; a simple `whoami` did the task.
Question 4: What is the user's shell set as?
My Solution:
This was the trickiest in my opinion. I used this amazing guide on the forums to figure it out. Link to the Article. On deeper analysis of the `cat /etc/passwd` result, we find the answer. I owe this answer fully to this article. I realised that I needed to know what `cat /etc/passwd` actually gave.
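Questions 2 and 4 both come down to reading `/etc/passwd` field by field. The Python parser below is an added example (not from the room or this write-up) that does what the `cut` command and a visual comparison did: it splits each line into its seven fields, reports the shell of a named account, and counts interactive users. The count uses the Debian/Ubuntu convention that regular accounts get UIDs from 1000 to 60000, which is an assumption stated in the code; `SAMPLE_PASSWD` is a constructed excerpt with one interactive user added so the filter has something to return.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed /etc/passwd excerpt modelled on an Ubuntu 18.04 host. The room's
# machine had no interactive users; 'alice' is added here so the count is non-zero.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""

# Debian/Ubuntu login.defs defaults (assumption): UID_MIN=1000, UID_MAX=60000.
UID_MIN, UID_MAX = 1000, 60000


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty line into the seven colon-separated passwd fields.
    The second field (password placeholder, normally 'x') is dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _placeholder, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_passwd_file(path: str = "/etc/passwd") -> List[PasswdEntry]:
    """Same parser applied to a real file, for use on a live host."""
    with open(path, encoding="utf-8") as fh:
        return parse_passwd(fh.read())


def shell_of(entries: List[PasswdEntry], username: str) -> Optional[str]:
    """Shell field for one account (question 4), or None if the account is absent."""
    for entry in entries:
        if entry.name == username:
            return entry.shell
    return None


def interactive_users(entries: List[PasswdEntry]) -> List[PasswdEntry]:
    """Question 2's filter: root (uid 0), system/daemon accounts (uid < 1000)
    and 'nobody' (65534) all fall outside the regular-user UID range."""
    return [e for e in entries if UID_MIN <= e.uid <= UID_MAX]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("www-data shell:", shell_of(entries, "www-data"))
    print("interactive users:", [e.name for e in interactive_users(entries)])
```

On the room's machine the same filter would return an empty list, matching the answer of 0, and `shell_of(entries, "www-data")` gives the `/usr/sbin/nologin` the write-up found by reading the file by eye.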
Question 5: What version of Ubuntu is running?
My Solution:
This again was pretty easy. `lsb_release -a` did the job.
Question 6: Print out the MOTD. What favorite beverage is shown?
My Solution:
I tried a pretty amateur approach at this. On opening the contents of the file that we found in *Question 1*, I thought I'd try out the same as the answer and it worked!
Yet actually (again I had to use this article), the "message-of-the-day" file had been changed to `00-header`, as mentioned in the *Hint*. Thus, using `cat /etc/update-motd.d/00-header`, the answer was finally revealed.
Answers: (CAUTION!: If you are also trying this machine, I'd suggest you maximise your own effort and only then come and seek the answers. Thanks.)
Q1: drpepper.txt
Q2: 0
Q3: www-data
Q4: /usr/sbin/nologin
Q5: 18.04.4
Q6: Dr Pepper
Vulnerability: Broken Authentication
Target: http://MACHINE_IP:8888
Simple Description: A Sign In button and a Register button are given at the top; two fields are given for Sign-Up, and a new set of three fields opens up on Registration.
Questions:
Question 1: What is the flag that you found in darren's account?
My Solution:
We are given that there is an account named `darren` which contains a flag. To access this account, we try something like `darren ` (notice the space at the end), or even `   darren` (three spaces in front), when REGISTERING a new account, and then we try logging in with this account. We are then able to access the account details, in this case the flag from the actual darren account.
Question 2: Now try to do the same trick and see if you can login as arthur.
Not solution based; only apply the above method again.
Question 3: What is the flag that you found in arthur's account?
My Solution:
By trying the same method as in Darren's account, we are able to reach the flag in this one too!
What's important, though, is going to the next level. Thus, I tried out various different types of alternative inputs like `arthur.`, `art hur`, `_arthur` and `"arthur"`.
Well, none of those actually work, and thus I realised that only blank spaces can be used to check Broken Authentication successfully.
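What the leading and trailing spaces exploit is a registration path and a login path that do not normalise the username the same way. The Python model below is an added example, not the room's code, and the exact mechanism inside the target app is not known from this write-up: the flawed class assumes credentials are keyed by the raw string while the profile is fetched by a trimmed copy, which reproduces the behaviour observed above. The hardened class canonicalises once (trim, NFKC, case-fold, character allow-list) and uses that single key for both the uniqueness check and every lookup. Passwords are compared as plain strings only to keep the example focused on identifiers.

```python
import unicodedata
from typing import Dict, Optional


def canonical_username(raw: str) -> str:
    """One normalisation applied everywhere: trim, Unicode-normalise (NFKC so
    compatibility look-alikes collapse), case-fold, then require a
    conservative character set. Raises on anything else."""
    name = unicodedata.normalize("NFKC", raw).strip().casefold()
    if not name or not all(c.isalnum() or c in "._-" for c in name):
        raise ValueError("invalid username")
    return name


class VulnerableAccounts:
    """Assumed flaw: uniqueness is checked on the raw string, but the profile
    shown after login is looked up by a trimmed copy of it."""

    def __init__(self) -> None:
        self.credentials: Dict[str, str] = {}   # raw username -> password
        self.profiles: Dict[str, dict] = {}     # trimmed username -> profile data

    def register(self, username: str, password: str, profile: Optional[dict] = None) -> None:
        if username in self.credentials:          # "darren " != "darren", so this passes
            raise ValueError("username taken")
        self.credentials[username] = password
        self.profiles.setdefault(username.strip(), profile or {})

    def login(self, username: str, password: str) -> Optional[dict]:
        if self.credentials.get(username) != password:
            return None
        return self.profiles[username.strip()]    # the victim's profile, not the attacker's


class HardenedAccounts:
    """Canonical key used for registration, uniqueness and login alike."""

    def __init__(self) -> None:
        self.accounts: Dict[str, tuple] = {}     # canonical username -> (password, profile)

    def is_taken(self, username: str) -> bool:
        return canonical_username(username) in self.accounts

    def register(self, username: str, password: str, profile: Optional[dict] = None) -> str:
        key = canonical_username(username)
        if key in self.accounts:
            raise ValueError("username taken")
        self.accounts[key] = (password, profile or {})
        return key

    def login(self, username: str, password: str) -> Optional[dict]:
        key = canonical_username(username)
        record = self.accounts.get(key)
        if record is None or record[0] != password:
            return None
        return record[1]


if __name__ == "__main__":
    victim_profile = {"flag": "FLAG{constructed-darren}"}   # constructed sample data
    weak = VulnerableAccounts()
    weak.register("darren", "s3cret!", victim_profile)
    weak.register("darren ", "attacker-pw")
    print("flawed app shows:", weak.login("darren ", "attacker-pw"))
    strong = HardenedAccounts()
    strong.register("darren", "s3cret!", victim_profile)
    print("hardened app: 'darren ' already taken?", strong.is_taken("darren "))
```

The same canonical key also answers the variants tried above: `art hur` and `"arthur"` are rejected outright, `_arthur` and `arthur.` are distinct valid names, and no spelling of a name can collide with an existing account at login time.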
Answers: (CAUTION!: If you are also trying this machine, I'd suggest you maximise your own effort and only then come and seek the answers. Thanks.)
Q1: fe86079416a21a3c99937fea8874b667
Q2: No Answer Required
Q3: d9ac0f7db4fda460ac3edeb75d75e16e
Vulnerability: Sensitive Data Exposure
Target: http://MACHINE_IP
Simple Description: A website is given. We need to access the SQLite database and find crucial leaked information.
Questions:
Question 1: What is the name of the mentioned directory?
My Solution:
I used the hint for this, but after that it became pretty clear. An important point to note is that viewing the page source, and moreover looking at it very closely, is a really necessary skill that all budding Ethical Hackers and Security Researchers need to understand!
Question 2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
My Solution:
This was pretty simple. When sensitive data is directly under the root directory, you can directly see the "database file" that we need to access.
Question 3: Use the supporting material to access the sensitive data. What is the password hash of the admin user?
My Solution:
This requires understanding the support material about SQLite databases. The basics are as follows:
- Run `file` in the terminal. This gives you the file type and the version of that file type.
- Since it is an SQLite DB, we use `sqlite3` to access the tables under it.
- A really important command to use is `.help`. In fact, we should use this anywhere and everywhere if we're unfamiliar with the specific command.
Question 4: Crack the hash. What is the admin's plaintext password?
My Solution:
CrackStation is the "go-to" place for cracking hashes. What's more interesting is that you can download the 15GB wordlist for your own use as well!
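Questions 3 and 4 together show the real weakness: the database left under `/assets` stores password hashes that a wordlist lookup reverses instantly. The Python below is an added example, not the room's `webapp.db` or its code. It builds a constructed SQLite table, runs the queries behind the `sqlite3` shell's `.tables` and a `SELECT`, recomputes the admin hash quoted in this write-up to confirm it is the unsalted MD5 of the password CrackStation returned, and contrasts that with salted PBKDF2 storage. The `users` column names are assumed, and the PBKDF2 iteration count is lowered from current OWASP guidance only so the demo runs quickly.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Admin hash and plaintext as reported in the write-up (questions 3 and 4).
PAGE_ADMIN_HASH = "6eea9b7ef19179a06954edd0f6c05ceb"
PAGE_ADMIN_PASSWORD = "qwertyuiop"

# Work factor for the hardened scheme. OWASP's current guidance is 600,000 for
# PBKDF2-HMAC-SHA256; lowered here (assumption) to keep the demo fast.
PBKDF2_ITERATIONS = 200_000


def build_sample_db(path: str = ":memory:") -> sqlite3.Connection:
    """Constructed stand-in for webapp.db; the column names are assumed."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            ("constructed-id-1", "admin", PAGE_ADMIN_HASH, 1),
            ("constructed-id-2", "bob", hashlib.md5(b"constructed-bob-pw").hexdigest(), 0),
        ],
    )
    conn.commit()
    return conn


def list_tables(conn: sqlite3.Connection) -> List[str]:
    """What the sqlite3 shell's .tables prints, read from the schema table."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [name for (name,) in rows]


def admin_credentials(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """username/password-hash pairs for accounts flagged as admin."""
    return conn.execute("SELECT username, password FROM users WHERE admin = 1").fetchall()


def looks_like_raw_md5(stored: str) -> bool:
    """32 lowercase hex characters and no algorithm/salt prefix: the shape of
    unsalted MD5, which is exactly what a precomputed wordlist reverses."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def verify_raw_md5(stored: str, candidate: str) -> bool:
    """How the flawed app must be checking logins: hash the guess, compare."""
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: per-user random salt plus a slow KDF, serialised with
    its parameters so the work factor can be raised without breaking old rows."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    conn = build_sample_db()
    print("tables:", list_tables(conn))
    for user, stored in admin_credentials(conn):
        print(user, stored, "raw md5?", looks_like_raw_md5(stored),
              "matches page password?", verify_raw_md5(stored, PAGE_ADMIN_PASSWORD))
    print("hardened record:", hash_password(PAGE_ADMIN_PASSWORD))
```

With the salted record no two users sharing `qwertyuiop` get the same stored value, so a leaked copy of the table cannot be reversed with one lookup per row; a weak password is still weak, which is why the slow KDF and a password policy go together.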
Question 5: Login as the admin. What is the flag?
My Solution:
Once we have the admin access from the SQLite Database, we just need to login as admin and the flag appears right there.
Answers: (CAUTION!: If you are also trying this machine, I'd suggest you maximise your own effort and only then come and seek the answers. Thanks.)
Q1: /assets
Q2: webapp.db
Q3: 6eea9b7ef19179a06954edd0f6c05ceb
Q4: qwertyuiop
Q5: THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
Bonus:
This was really fun to try out. Here goes the description for the same:
To spice things up a bit, in addition to the usual daily prize draw this box also harbours a special prize: a voucher for a one month subscription to TryHackMe. There may or may not be another hint hidden on the box, should you need it, but for the time being here's a starting point: boxes are boring, escape 'em at every opportunity.
I tried various things here: `ssh`, `nmap`, `metasploit`, but unfortunately I failed to get through or even find the answer. I wasn't disheartened though. This bonus question has been an amazing learning experience 😊