THM OWASP Top 10 - grunt92/IT-Sec-WriteUps GitHub Wiki

Introduction

Read the above.

No answer needed

Accessing machines

Connect to our network or deploy the Attack Box

No answer needed

[Severity 1] Injection

I've understood Injection attacks.

No answer needed

[Severity 1] OS Command Injection

I've understood command injection.

No answer needed

[Severity 1] Command Injection Practical

What strange text file is in the website root directory?

Enter ls into the shell input.

drpepper.txt

How many non-root/non-service/non-daemon users are there?

Enter getent passwd to get a list of all users.

0

What user is this app running as?

Enter whoami

www-data

What is the user's shell set as?

Enter getent passwd | grep www-data. The value after the last ":" is the answer.

/usr/sbin/nologin

What version of Ubuntu is running?

Enter lsb_release -a

18.0.4

Print out the MOTD. What favorite beverage is shown?

Use ls /etc | grep motd to get the directories associated with motd. Then use ls /etc/update-motd.d to get all files within the directory. Use cat /etc/update-motd.d/header00 and search for the answer at the end of the file.

DR PEPPER

[Severity 2] Broken Authentication

I've understood broken authentication mechanisms.

No answer needed

[Severity 2] Broken Authentication Practical

What is the flag that you found in darren's account?

Click on "Register" and register as " darren" (with a space in front of the name). Then log in with the registered credentials and get the flag.

fe86079416a21a3c99937fea8874b667

Now try to do the same trick and see if you can login as arthur.

No answer needed

What is the flag that you found in arthur's account?

Click on "Register" and register as " arthur" (with a space in front of the name). Then log in with the registered credentials and get the flag.

d9ac0f7db4fda460ac3edeb75d75e16e

[Severity 3] Sensitive Data Exposure (Introduction)

Read the introduction to Sensitive Data Exposure and deploy the machine.

No answer needed

[Severity 3] Sensitive Data Exposure (Supporting Material 1)

Read and understand the supporting material on SQLite Databases.

No answer needed

[Severity 3] Sensitive Data Exposure (Supporting Material 2)

Read the supporting material about cracking hashes.

No answer needed

[Severity 3] Sensitive Data Exposure (Challenge)

What is the name of the mentioned directory?

Use gobuster dir --url IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt in your terminal.

/assets

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Navigate to "IP/assets":

webapp.db

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Use wget IP/assets/webapp.db to download the database and open it using sqlite3 webapp.db. Enter .tables to get a list of all tables. You will see that there is a table called "users". Use SELECT * FROM users to get the answer. The hash is the value after the user name:

6eea9b7ef19179a06954edd0f6c05ceb

Crack the hash.
What is the admin's plaintext password?

Copy the hash and use "crackstation.net" to crack the hash.

qwertyuiop

Login as the admin. What is the flag?

THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
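The two findings of this challenge (a database readable from the web root and an unsalted MD5 password hash that a wordlist recovers) can be reproduced as an audit script. This is an added example, not part of the original write-up: the database, the users table contents and the tiny wordlist are constructed in memory to stand in for webapp.db, and the admin hash is computed from the recovered password rather than copied from the room.

```python
import hashlib
import re
import sqlite3

# Constructed stand-in for webapp.db: the password column stores unsalted
# MD5 hashes, which is what makes the room's admin hash crackable.
SAMPLE_USERS = [
    ("admin", hashlib.md5(b"qwertyuiop").hexdigest()),
    ("bob", hashlib.md5(b"correct horse battery staple").hexdigest()),
]

# Constructed wordlist; a real audit would use a large list such as rockyou.
WORDLIST = ["123456", "password", "qwertyuiop", "letmein"]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def build_sample_db():
    """Create an in-memory SQLite database shaped like the room's webapp.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def list_tables(conn):
    """Equivalent of the sqlite3 shell's .tables command."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return [r[0] for r in rows]


def audit_password_hashes(conn, wordlist):
    """Return {username: finding}. A 32-hex-char value is treated as unsalted
    MD5; if a wordlist entry hashes to it, the account is flagged as cracked."""
    findings = {}
    for username, stored in conn.execute("SELECT username, password FROM users"):
        if not MD5_RE.match(stored):
            findings[username] = "not an unsalted MD5 hash"
            continue
        hit = next((w for w in wordlist
                    if hashlib.md5(w.encode()).hexdigest() == stored), None)
        findings[username] = (f"weak: unsalted MD5, cracked as {hit!r}" if hit
                              else "weak: unsalted MD5")
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    print(list_tables(db))
    for user, finding in audit_password_hashes(db, WORDLIST).items():
        print(user, "->", finding)
```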

[Severity 4] XML External Entity

Deploy the machine attached to the task

No answer needed

[Severity 4] XML External Entity - eXtensible Markup Language

Full form of XML

Extensible Markup Language

Is it compulsory to have XML prolog in XML documents?

no

Can we validate XML documents against a schema?

yes

How can we specify XML version and encoding in XML document?

XML prolog

[Severity 4] XML External Entity - DTD

How do you define a new ELEMENT?

!ELEMENT

How do you define a ROOT element?

!DOCTYPE

How do you define a new ENTITY?

!ENTITY

[Severity 4] XML External Entity - XXE Payload

Try the payload mentioned in description on the website.

No answer needed

[Severity 4] XML External Entity - Exploiting

Try to display your own name using any payload.

No answer needed

See if you can read the /etc/passwd

No answer needed

What is the name of the user in /etc/passwd

Use the payload <script>alert(/etc/passwd)</script>

falcon

Where is falcon's SSH key located?

/home/falcon/.ssh/id_rsa

What are the first 18 characters for falcon's private key

MIIEogIBAAKCAQEA7

[Severity 5] Broken Access Control

Read and understand how broken access control works.

No answer needed

[Severity 5] Broken Access Control (IDOR Challenge)

Read and understand how IDOR works.

No answer needed

Deploy the machine and go to http://MACHINE_IP - Login with the username being noot and the password test1234.

No answer needed

Look at other users notes. What is the flag?

Log in with the given credentials. Change the value of the "note"-parameter to "0" and press enter.

flag{fivefourthree}

[Severity 6] Security Misconfiguration

Deploy the VM

No answer needed

Hack into the webapp, and find the flag!

Use a search engine such as Google to look up the default password for "Pensive Notes". After you find the credentials you can log in and find the flag.

thm{4b9513968fd564a87b28aa1f9d672e17}

[Severity 7] Cross-site Scripting

Deploy the VM

No answer needed

Navigate to http://MACHINE_IP/ in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".

Go to the machine's site and register a user account (use something trivial such as "test:test"). Go to the "Reflective XSS" subsite, enter <script>alert("Hello")</script> and press the "Search" button to get the answer.

ThereIsMoreToXSSThanYouThink

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

Insert <script>alert(window.location.hostname)</script> and press the "Search" button.

ReflectiveXss4TheWin

Now navigate to http://MACHINE_IP/ in your browser and click on the "Stored XSS" tab on the navbar; make an account.
Then add a comment and see if you can insert some of your own HTML.

Navigate to "Stored XSS"-page. Enter <img src=x onerror=alert(1)/> as comment.

HTML_T4gs

On the same page, create an alert popup box appear on the page with your document cookies.

Enter <img src=x onerror=alert(document.cookie) />

W3LL_D0N3_LVL2

Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.

Insert <script> document.getElementById("thm-title").innerHTML = "I am a hacker"; </script>.

websites_can_be_easily_defaced_with_xss

[Severity 8] Insecure Deserialization

Who developed the Tomcat application?

The Apache Software Foundation

What type of attack that crashes services can be performed with insecure deserialization?

Denial of Service

[Severity 8] Insecure Deserialization - Objects

Select the correct term of the following statement:
if a dog was sleeping, would this be:
A) A State
B) A Behaviour

A Behaviour

[Severity 8] Insecure Deserialization - Deserialization

What is the name of the base-2 formatting that data is sent across a network as?

Binary

[Severity 8] Insecure Deserialization - Cookies

If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?

webapp.com/login

What is the acronym for the web technology that Secure cookies work over?

HTTPS

[Severity 8] Insecure Deserialization - Cookies Practical

1st flag (cookie value)

Register on the website. On the start site, open the developer tools and inspect the page. Look into the storage and select the "sessionID" cookie. Copy the value and decode it using base64.

THM{good_old_base64_huh}

2nd flag (admin dashboard)

In the developer tools, change the user type in the cookie from "user" to "admin". Refresh the site and you get the next flag.

THM{heres_the_admin_flag}
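Both flags come from the same weakness: the session cookie is only base64-encoded, so the server trusts whatever the browser sends back, and editing "user" to "admin" is enough. The added example below (not code from the original write-up or from the room) contrasts that scheme with an HMAC-signed cookie that rejects the same edit; the secret key, the session fields and the JSON encoding are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json

# Server-side secret; a constructed value for this example.
SECRET_KEY = b"constructed-server-secret"


def make_unsigned_cookie(session):
    """The weak scheme: the session dict is only base64-encoded."""
    return base64.b64encode(json.dumps(session).encode()).decode()


def read_unsigned_cookie(cookie):
    """The server decodes and trusts whatever the client sent back."""
    return json.loads(base64.b64decode(cookie))


def client_side_edit(cookie, **changes):
    """The developer-tools edit from the room: decode, change fields, re-encode."""
    session = read_unsigned_cookie(cookie)
    session.update(changes)
    return make_unsigned_cookie(session)


def make_signed_cookie(session):
    """The fix: append an HMAC-SHA256 tag computed over the encoded payload."""
    payload = base64.b64encode(json.dumps(session).encode())
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{tag}"


def read_signed_cookie(cookie):
    """Return the session dict, or None if the tag does not verify."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.b64decode(payload))


if __name__ == "__main__":
    weak = make_unsigned_cookie({"user": "noot", "type": "user"})
    print(read_unsigned_cookie(client_side_edit(weak, type="admin")))
    signed = make_signed_cookie({"user": "noot", "type": "user"})
    payload, _, tag = signed.rpartition(".")
    forged = make_unsigned_cookie({"user": "noot", "type": "admin"}) + "." + tag
    print(read_signed_cookie(signed), read_signed_cookie(forged))
```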

[Severity 8] Insecure Deserialization - Code Execution

flag.txt

Download rce.py and edit the file to include your IP and the port you want to use. Execute the Python script and copy the generated payload. Start a listener using nc -lnvp PORT. Click on the 2nd message, "Exchange your vim". Open the developer tools and replace the encoded cookie with the created payload. Click on "Provide your feedback" and a remote shell will open. Change the directory using cd .. and open the file using cat flag.txt to get the flag.

4a69a7ff9fd68

[Severity 9] Components With Known Vulnerabilities - Intro

Read above.

No answer needed

[Severity 9] Components With Known Vulnerabilities - Exploit

Read the above!

No answer needed

[Severity 9] Components With Known Vulnerabilities - Lab

How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)

Use exploit-db to find vulnerabilities regarding the bookstore webpage.

Note: Search for "Book Store" instead of "Bookstore" to find a wider variety of possible exploits

Find the exploit for a remote code execution and download the script. Run the script against the MACHINE_IP and you will get a remote shell. After the shell is established, run wc -c /etc/passwd to get the answer.

1611

[Severity 10] Insufficient Logging and Monitoring

What IP address is the attacker using?

Download the file provided by TryHackMe and open the text file. You will see that there are multiple different login attempts from the same IP.

49.99.13.16

What kind of attack is being carried out?

Brute Force
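The pattern that answers both questions (many failed logins, across several usernames, from one source IP) is what monitoring should alert on automatically. The added example below is not from the original write-up or from the room's log file: it parses a constructed auth-log excerpt in sshd style and flags source IPs whose failed-login count reaches a threshold; the log format, the threshold and all lines except the attacker IP from the room are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed auth-log excerpt in sshd style; not the file from the room.
# 49.99.13.16 is the attacker IP identified in this task.
SAMPLE_LOG = """\
Jun 10 08:12:01 web sshd[2100]: Failed password for invalid user admin from 49.99.13.16 port 51122 ssh2
Jun 10 08:12:03 web sshd[2100]: Failed password for invalid user root from 49.99.13.16 port 51123 ssh2
Jun 10 08:12:05 web sshd[2100]: Failed password for invalid user test from 49.99.13.16 port 51124 ssh2
Jun 10 08:12:06 web sshd[2100]: Failed password for invalid user guest from 49.99.13.16 port 51125 ssh2
Jun 10 08:12:08 web sshd[2100]: Failed password for jsmith from 49.99.13.16 port 51126 ssh2
Jun 10 08:15:44 web sshd[2107]: Accepted password for jsmith from 10.0.0.5 port 40011 ssh2
Jun 10 08:16:02 web sshd[2110]: Failed password for jsmith from 10.0.0.5 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text):
    """Return a list of (result, user, ip) tuples, one per recognised login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["ip"]))
    return events


def find_brute_force(events, threshold=4):
    """Return {ip: (failed_count, sorted usernames tried)} for every source IP
    whose failed logins reach the threshold. Many failures over many usernames
    from one IP is the brute-force signature; the threshold is a tuning value
    chosen for this example."""
    failures = Counter()
    users = defaultdict(set)
    for result, user, ip in events:
        if result == "Failed":
            failures[ip] += 1
            users[ip].add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for ip, (count, tried) in find_brute_force(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed logins, usernames tried: {tried}")
```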

What Next?

Read the above!

No answer needed
