TryHackMe | OWASP Top 10

Sana Qazi
10 min read · Nov 4, 2020


— — — — — — — Content — — — — — — —
— Severity 1.
— Severity 2.
— Severity 3.
— Severity 4.
— Severity 5.
— Severity 6.
— Severity 7.
— Severity 8.
— Severity 9.
— Severity 10.
— Final Thoughts.
— — — — — — — — — — — — — — — — — — —

Task 1 Introduction

— [Read the material]

Task 2 Accessing machines

— [Read the material]

Task 3 [Severity 1] Injection

[Summary]
— Two common types of injection: SQL injection and command injection.
— SQL injection feeds crafted input into the SQL queries an application builds.
— Command injection runs arbitrary system commands on the application server (commonly used to obtain a reverse shell).
— Prevention:- [Allow list of accepted input on the server] and [Input stripping of dangerous characters].

Task 4 [Severity 1] OS Command Injection

[Summary]
— A web vulnerability that lets an attacker take advantage of a system call to execute OS commands on the server.

Task 5 [Severity 1] Command Injection Practical

[Summary]
— Two types of command injection:- [Active Cmd Inject] and [Blind Cmd Inject].
— Active Cmd Inject:- [the command's output is returned in the response] [visible through several HTML elements].
— Blind Cmd Inject:- [the system command runs on the server] [but nothing is shown in the HTML document].
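To make the prevention advice from Task 3 concrete, here is an added Python example (not code from the room or from the author) showing the vulnerable "paste the value into a shell string" pattern next to the hardened form that allow-lists the value and passes an argv list, plus the input-stripping alternative and a small detector for values carrying shell syntax. The ping feature, the hostname regex and the helper names are assumptions made for the example.

```python
import re

# Constructed example, not from the room: a "ping" feature that takes a host
# name from the user and builds the system command that will run it.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
SHELL_METACHARS = set(";|&`$()<>\n\r")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the user value is pasted into a shell string.

    Passed to subprocess.run(..., shell=True) or os.system(), a value such as
    "8.8.8.8; id" makes the shell run a second command after ping.
    """
    return f"ping -c 1 {host}"


def build_command_safe(host: str) -> list:
    """Hardened pattern: allow-list the value, then hand over an argv list.

    With a list (and shell=False, the subprocess default) no shell parses the
    value, so metacharacters have no special meaning even if one slipped past
    the allow list.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def is_accepted(host: str) -> bool:
    """True if the allow list lets the value through."""
    try:
        build_command_safe(host)
        return True
    except ValueError:
        return False


def strip_input(value: str) -> str:
    """The 'input stripping' approach: drop shell syntax from the value.

    Allow-listing is preferred because stripping has to anticipate every
    dangerous character; it is shown here for comparison only.
    """
    return "".join(ch for ch in value if ch not in SHELL_METACHARS)


def looks_like_injection(value: str) -> bool:
    """Detection helper for request logs: flag parameter values that carry
    shell metacharacters, which a legitimate host name never needs."""
    return any(ch in SHELL_METACHARS for ch in value)
```

The allow list rejects the value before any command is built, and the list form of the command means the remaining defence does not depend on the regex being perfect.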

What strange text file is in the website root directory?

— Go to [http://MACHINE_IP/evilshell.php].
— Read the given code and use [commandString] in the URL for finding the answer.
— [ls] — list the directories/files.

How many non-root/non-service/non-daemon users are there?

— [ps] — process status.
— [-e] — Write information for all processes.
— [-f] — Generate a full listing.

What user is this app running as?

What is the user’s shell set as?

— [grep] — tool used to search for a string of characters in a specified file.
— [/etc/passwd] — is a text file that contains the attributes of (i.e., basic information about) each user or account on a computer running Linux or another Unix-like operating system.
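The questions above come down to reading /etc/passwd correctly: each line is seven colon-separated fields (name, password placeholder, UID, GID, GECOS, home, shell). The following added Python example (not part of the room or this write-up) parses that format from a constructed sample and answers the two questions a defender also asks when auditing a host: which accounts are real interactive users, and which shell a given account has. The UID-1000 cutoff, the service-shell list and the sample lines are assumptions.

```python
from dataclasses import dataclass

# Shells that deny interactive login; accounts using them are service accounts.
SERVICE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
NOBODY_UID = 65534


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parses /etc/passwd content: name:x:uid:gid:gecos:home:shell per line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _placeholder, uid, gid, gecos, home, shell = line.split(":")
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_users(entries: list, min_uid: int = 1000) -> list:
    """Non-root, non-service, non-daemon users: regular UIDs with a real shell."""
    return [
        e for e in entries
        if e.uid >= min_uid and e.uid != NOBODY_UID and e.shell not in SERVICE_SHELLS
    ]


def shell_of(entries: list, name: str) -> str:
    """The shell configured for one account (what `grep name /etc/passwd` shows)."""
    for e in entries:
        if e.name == name:
            return e.shell
    raise KeyError(name)


# Constructed sample, not the file from the room.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup-svc:x:1002:1002::/var/backups:/usr/sbin/nologin
"""
```

On a real host the same functions can be pointed at `open("/etc/passwd").read()`; the service-shell check matters because a UID above 1000 alone does not make an account interactive.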

What version of Ubuntu is running?

— [lsb_release] — command displays LSB (Linux Standard Base) information about your specific Linux distribution, including version number, release codename, and distributor ID.

Print out the MOTD. What favorite beverage is shown?

— [Use the hint and look for the 00-header file that builds the MOTD].

Task 6 [Severity 2] Broken Authentication

[Summary]
— Flaws in an authentication mechanism lead to:
- Brute-force attacks
- Weak session cookies
- Use of weak credentials
— Prevention:
- Strong password policy.
- Automatic lockout after a certain number of failed attempts.
- Implement multi-factor authentication.
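As an added Python example (not code from the room or the author), here is how the first two prevention points look in practice: a minimal password policy and a per-account guard that counts failed logins inside a time window and locks the account once the limit is hit. The thresholds (5 attempts, 15 minutes, 12 characters), the injectable clock and the helper names are assumptions chosen for the example.

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 5          # failures allowed inside the window
LOCKOUT_SECONDS = 900     # 15 minutes; also the length of the window
MIN_PASSWORD_LENGTH = 12


def password_meets_policy(password: str) -> bool:
    """Minimal strong-password policy: length plus three of four classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


class LoginGuard:
    """Tracks failed logins per account and locks the account after too many."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can move time
        self.failures = defaultdict(list)  # username -> failure timestamps
        self.locked_until = {}

    def is_locked(self, username: str) -> bool:
        until = self.locked_until.get(username)
        return until is not None and self.clock() < until

    def record_failure(self, username: str) -> int:
        """Adds a failure, drops old ones, locks if the window is full."""
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
        return len(recent)

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)


def attempt_login(guard: LoginGuard, username: str, password: str, check_password) -> str:
    """Returns "locked", "denied" or "ok". The lock is checked before the
    password so a locked account gives no signal about the guess."""
    if guard.is_locked(username):
        return "locked"
    if check_password(username, password):
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)
    return "denied"
```

Locking per account stops a brute force against one user; pairing it with per-IP limits (and the logging from Task 30) covers the case where many accounts are tried from one source.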

Task 7 [Severity 2] Broken Authentication Practical

What is the flag that you found in darren’s account?

— Follow the given instruction.

Now try to do the same trick and see if you can login as arthur.

What is the flag that you found in arthur’s account?

Task 8 [Severity 3] Sensitive Data Exposure (Introduction)

[Summary]
Involves techniques such as a “Man in The Middle Attack”.
— Attacker would force user connections through a device that they control, then take advantage of weak encryption on any transmitted data to gain access to the intercepted information.

Task 9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)

[Summary]
— Database attacks (mostly).
— Databases can also be stored as files referred to as “flat-file” databases.
— flat-file databases are stored as a file on the disk of a computer.
— A common flat-file database format is SQLite, and the dedicated client for querying such files on the command line is called “sqlite3”.
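The supporting material's point is that a flat-file database is just a file: anyone who can download it can open it with sqlite3 and read every row. The added Python example below (not code from the room) creates such a users table with the sqlite3 module, shows what a downloaded copy exposes, and stores passwords with a salted, slow hash so that an exposed row is not immediately crackable. The table layout, the PBKDF2 work factor and the helper names are assumptions for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as algo$iterations$salt$digest so the
    parameters travel with the record and can be upgraded later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_user_db(path: str = ":memory:") -> sqlite3.Connection:
    """Creates the flat-file database (":memory:" keeps it in RAM for the demo)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users ("
        "id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised query: the username never becomes part of the SQL text.
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(password, row[0])


def dump_users(conn: sqlite3.Connection) -> list:
    """What someone sees after downloading the .db file: the same rows the
    sqlite3 client prints for `SELECT username, password FROM users;`."""
    return conn.execute("SELECT username, password FROM users").fetchall()
```

The dump still shows every hash, so keeping the file out of the web root matters as much as the hash choice; the hash choice decides whether an exposed file is an incident or a breach.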

Task 10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)

— [Read the material]

Task 11 [Severity 3] Sensitive Data Exposure (Challenge)

Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.

What is the name of the mentioned directory?

— Check source page of [https://{ip}/login].

Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

Use the supporting material to access the sensitive data. What is the password hash of the admin user?

Crack the hash.
What is the admin’s plaintext password?

Login as the admin. What is the flag?

Task 12 [Severity 4] XML External Entity

[Summary]
— A vulnerability that abuses features of XML parsers and the data they process.
— Can be used to cause a Denial of Service (DoS) or to make the parser read local files on the server.
— Two types of XXE attacks: in-band and out-of-band (OOB-XXE).
— In-band XXE:
- The attacker receives an immediate response to the XXE payload.
— Out-of-band XXE:
- No immediate response from the web application.
- The output of the XXE payload is sent to some other file or to the attacker's own server.

Task 13 [Severity 4] XML External Entity — eXtensible Markup Language

Full form of XML

Is it compulsory to have XML prolog in XML documents?

Can we validate XML documents against a schema?

How can we specify XML version and encoding in XML document?

Task 14 [Severity 4] XML External Entity — DTD

[Summary]
— DTD stands for Document Type Definition.
— Defines the structure and the legal elements and attributes of an XML document.
[Give answers with the help of given material.]

Task 15 [Severity 4] XML External Entity — XXE Payload

[Summary]
— Files can be read by giving a path in XML code.
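Everything in Tasks 12 to 15 hinges on the DTD: the entity declaration is what turns a file path into file contents. The standard fix is to refuse DTDs entirely. The added Python example below (not code from the room) does that with the standard-library expat parser by installing handlers that abort on any DOCTYPE, entity declaration or external entity reference, while still extracting the declared version and encoding from the prolog (the Task 13 question) and the document content. The two sample documents are constructed for the example.

```python
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE, entity or external reference."""


def parse_without_dtd(document: str) -> dict:
    """Parses XML while refusing every DTD feature an XXE payload relies on.

    Returns the declared version/encoding, the element names in document
    order and the concatenated text content.
    """
    parser = expat.ParserCreate()
    # Never resolve parameter entities; these are the out-of-band channel.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {"version": None, "encoding": None, "elements": [], "text": ""}

    def reject(*_args):
        raise DtdNotAllowed("DOCTYPE and ENTITY declarations are not accepted")

    def xml_decl(version, encoding, _standalone):
        # The prolog <?xml version="1.0" encoding="UTF-8"?> lands here.
        result["version"], result["encoding"] = version, encoding

    def start_element(name, _attrs):
        result["elements"].append(name)

    def char_data(data):
        result["text"] += data

    # Any DOCTYPE, any <!ENTITY ...> and any attempt to fetch an external
    # entity aborts the parse before a byte is read from disk or network.
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.XmlDeclHandler = xml_decl
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.Parse(document, True)
    return result


def is_rejected(document: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_without_dtd(document)
        return False
    except DtdNotAllowed:
        return True


# Constructed samples, not from the room.
BENIGN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<note><to>falcon</to><body>hello</body></note>"
)
XXE_SHAPED = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE note [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
    "<note><to>&ext;</to></note>"
)
```

Rejecting the DOCTYPE up front also removes the DoS variant (entity expansion), since no entity can be declared at all; applications that genuinely need a DTD should validate against a schema they ship themselves rather than one named in the request.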

Task 16 [Severity 4] XML External Entity — Exploiting

What is the name of the user in /etc/passwd?

Where is falcon’s SSH key located?

What are the first 18 characters of falcon’s private key?

Task 17 [Severity 5] Broken Access Control

[Summary]
— If a website visitor is able to access protected pages that they are not authorized to view, the access controls are broken.

Task 18 [Severity 5] Broken Access Control (IDOR Challenge)

[Summary]
— Insecure Direct Object Reference.
- User-supplied input (such as an ‘id’ parameter) is used to look up an object without checking that the user is allowed to see it.

Look at other users notes. What is the flag?

— After logging in with the given credentials, try changing the user ‘id’ in the URL to find other users.
— To find multiple users, Burp Suite can be used.
— As for this task, I just changed ‘id’ to 0, as in computer science counting begins with 0, 1, 2, …
— Use logic — if id=1 is for noot then there should be other users on id=0.
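The IDOR above exists because the note id alone decides what is returned. The added Python example below (not code from the room) puts the vulnerable lookup next to a hardened one that checks ownership against the session user and answers "not found" for both missing and foreign notes, so the response cannot be used to enumerate ids. The note store and the user names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    id: int
    owner: str
    body: str


class NotFound(LookupError):
    """Single error for both "no such note" and "not your note"."""


# Constructed store, not the room's data.
NOTES = {
    0: Note(0, "admin", "admin's private note"),
    1: Note(1, "noot", "noot's note"),
    2: Note(2, "noot", "noot's second note"),
}


def get_note_insecure(note_id: int) -> Note:
    """The IDOR: whatever id the URL carries is looked up, with no owner check."""
    return NOTES[note_id]


def get_note(requester: str, note_id: int) -> Note:
    """Hardened: the object is returned only if it belongs to the session user.

    Using the same error for missing and foreign notes keeps the response
    from confirming which ids exist.
    """
    note = NOTES.get(note_id)
    if note is None or note.owner != requester:
        raise NotFound(f"note {note_id} not found")
    return note


def can_read(requester: str, note_id: int) -> bool:
    try:
        get_note(requester, note_id)
        return True
    except NotFound:
        return False


def notes_for(requester: str) -> list:
    """Preferred API shape: scope the query by the user, never by a raw id."""
    return [n for n in NOTES.values() if n.owner == requester]
```

The `requester` value must come from the server-side session, never from a request parameter, or the check simply moves the IDOR one field over.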

Task 19 [Severity 6] Security Misconfiguration

[Summary]
— Security misconfigurations include:
- Having unnecessary features enabled.
- Error messages that are overly detailed.
- Poorly configured permissions.
— This vulnerability often shows up as:
- Default credentials left in place.
- XXE or command injection on admin pages.
— In October 2016, Dyn (a DNS provider) was taken offline by one of the most memorable DDoS attacks of the past 10 years. The flood of traffic came mostly from the Internet of Things and networking devices like routers and modems, infected by the Mirai malware.

Hack into the webapp, and find the flag!

— A login page appears when you browse to the machine IP address.
— The login page belongs to Pensive Notes, so look up the default credentials of Pensive Notes to log in.

Task 20 [Severity 7] Cross-site Scripting

[Summary]
— An injection that lets an attacker place malicious JavaScript in a page so that it executes in a victim’s browser.
— Three main types:
-Reflected XSS.
-Stored XSS.
-DOM-based XSS.
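Reflected and stored XSS both come down to user text being written into HTML without escaping. The added Python example below (not code from the room) shows the unsafe comment renderer next to the escaped one, a page renderer that escapes every interpolation point, and the Content-Security-Policy header that blocks inline scripts as a second layer. The template and header values are assumptions for the example; DOM-based XSS happens in client-side code and is not covered by server-side escaping.

```python
import html

PAGE_TEMPLATE = "<h1>{title}</h1>\n<ul>\n{items}\n</ul>"
# Disallows inline <script> and scripts from other origins even if an
# escape is ever missed.
CONTENT_SECURITY_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"


def render_comment_unsafe(comment: str) -> str:
    """Stored/reflected XSS sink: user text is concatenated straight into HTML."""
    return f"<li>{comment}</li>"


def render_comment(comment: str) -> str:
    """Hardened: escape <, >, &, " and ' so the browser treats the text as text."""
    return f"<li>{html.escape(comment, quote=True)}</li>"


def render_page(title: str, comments: list) -> str:
    """Every interpolation point is escaped, including the page title, so a
    comment cannot rewrite the heading or inject markup anywhere."""
    items = "\n".join(render_comment(c) for c in comments)
    return PAGE_TEMPLATE.format(title=html.escape(title, quote=True), items=items)


def response_headers() -> dict:
    """Defence in depth sent with the rendered page."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CONTENT_SECURITY_POLICY,
    }
```

Escaping is context-specific: `html.escape` is right for element text and quoted attribute values, but text placed inside a `<script>` block or a URL needs that context's own encoding.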

Go to http://MACHINE_IP/reflected and craft a reflected XSS payload that will cause a popup saying “Hello”.

— Register yourself and enter the script in the search bar.

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

Now navigate to http://MACHINE_IP/stored and make an account.

Then add a comment and see if you can insert some of your own HTML.

On the same page, create an alert popup box appear on the page with your document cookies.

Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.

— Use the given hint in the search bar; the flag will pop up.

Task 21 [Severity 8] Insecure Deserialization

[Summary]
— Untrusted serialized data is replaced with malicious content that the application then processes.
— This vulnerability is often a case-by-case basis — there is no reliable tool/framework for it.

Who developed the Tomcat application?

What type of attack that crashes services can be performed with insecure deserialization?

Task 22 [Severity 8] Insecure Deserialization — Objects

[Summary]
— objects are made up of two things:
- State
- Behaviour
— lamp — object.
— bulb — State.
— Switch on/off — Behaviour.

Task 23 [Severity 8] Insecure Deserialization — Deserialization

[Summary]
— Serialisation is the process of converting objects used in programming into simpler, compatible formatting for transmitting between systems or networks for further processing or storage.
— Deserialisation is the reverse of this; converting serialized information into their complex form — an object that the application will understand.

What is the name of the base-2 formatting that data is sent across a network as?

Task 24 [Severity 8] Insecure Deserialization — Cookies

[Summary]
— Created by a website and stored on the user’s computer.
— Websites use cookies to store user-specific behaviors like items in their shopping cart or session IDs.
— Cookies are not permanent storage solutions like databases.
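Tasks 23 to 25 turn on one fact: a cookie that is only base64-encoded can be read and rewritten by whoever holds it. The added Python example below (not code from the room) serialises the cookie body as JSON rather than a native object format, appends an HMAC over it, and rejects any cookie whose body no longer matches its signature; it also shows the `Set-Cookie` attributes that keep the cookie on HTTPS and away from page scripts. The key, payload fields and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def make_cookie(payload: dict, key: bytes) -> str:
    """Serialises with JSON (never pickle) and appends an HMAC over the body."""
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body, key)}"


def read_cookie(cookie: str, key: bytes) -> Optional[dict]:
    """Returns the payload only if the signature matches; None otherwise.
    Deserialisation happens after the check, never before."""
    body, sep, signature = cookie.partition(".")
    if not sep or not hmac.compare_digest(signature, _sign(body, key)):
        return None
    return json.loads(_unb64(body))


def decode_body_only(cookie: str) -> dict:
    """What base64 alone gives anyone holding the cookie: the data is readable,
    which is why secrets never belong in it and why the HMAC must be checked."""
    return json.loads(_unb64(cookie.partition(".")[0]))


def tampered_copy(cookie: str, **changes) -> str:
    """Re-encodes the body with changed fields but keeps the old signature,
    modelling a cookie edited in the browser; read_cookie() must reject it."""
    data = decode_body_only(cookie)
    data.update(changes)
    body = _b64(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{cookie.partition('.')[2]}"


def set_cookie_header(cookie: str) -> str:
    """Secure: sent only over HTTPS. HttpOnly: invisible to document.cookie."""
    return f"session={cookie}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

A signed cookie is still readable, so it should carry an opaque session id or harmless state, not secrets; and the server should only ever deserialise formats like JSON that cannot carry executable behaviour.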

If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?

— The cookie’s path is webapp.com/login, so that is the URL the user visits.

What is the acronym for the web technology that Secure cookies work over?

— HTTP and HTTPS are protocols used for web technology.

Task 25 [Severity 8] Insecure Deserialization — Cookies Practical

1st flag (cookie value)

— Follow the given instructions and you will find your first base64 encoded flag which needs to be decoded.

2nd flag (admin dashboard)

— Go to the “/admin” directory and the second flag will appear.

Task 26 [Severity 8] Insecure Deserialization — Code Execution

— Follow the given instructions and you will end up with the flag.

Task 27 [Severity 9] Components With Known Vulnerabilities — Intro

[Summary]
— The vulnerability is already well known, and someone else has already written an exploit for it.

Task 28 [Severity 9] Components With Known Vulnerabilities — Exploit

[Summary]
— Usage of “exploit-DB”

Task 29 [Severity 9] Components With Known Vulnerabilities — Lab

[Summary]
— First, search “exploit-DB” for the name of the online bookstore, since the logged-in web page is a bookstore.
— Execute the payload with python3.

Task 30 [Severity 10] Insufficient Logging and Monitoring

[Summary]
— Logging is important because, in the event of an incident, the attacker's actions can be traced.
— Impacts:
-Regulatory damage.
-Risk of further attacks.
— Logs do have some sensitive information on them so it's important to ensure that logs are stored securely.
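The two questions in this task are exactly what a detection rule answers from a login log: which source made the failed attempts, and against which accounts. The added Python example below (not code from the room; the log lines are constructed in a simple "timestamp ip request status user" shape, not the file from the room) parses such lines, counts failed POSTs to the login endpoint per IP, flags sources over a threshold, and lists the accounts a flagged source tried, which separates password guessing on one account from spraying across many. The format, threshold and helper names are assumptions.

```python
import re
from collections import Counter

# Constructed log lines, not the file from the room. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2020-11-04T10:00:01Z 198.51.100.7 "POST /login HTTP/1.1" 200 user=alice
2020-11-04T10:00:07Z 198.51.100.7 "GET /dashboard HTTP/1.1" 200 user=alice
2020-11-04T10:01:10Z 203.0.113.45 "POST /login HTTP/1.1" 401 user=admin
2020-11-04T10:01:11Z 203.0.113.45 "POST /login HTTP/1.1" 401 user=admin
2020-11-04T10:01:11Z 203.0.113.45 "POST /login HTTP/1.1" 401 user=admin
2020-11-04T10:01:12Z 203.0.113.45 "POST /login HTTP/1.1" 401 user=admin
2020-11-04T10:01:13Z 203.0.113.45 "POST /login HTTP/1.1" 401 user=root
2020-11-04T10:01:13Z 203.0.113.45 "POST /login HTTP/1.1" 401 user=admin
2020-11-04T10:02:30Z 198.51.100.7 "POST /login HTTP/1.1" 401 user=alice
2020-11-04T10:02:35Z 198.51.100.7 "POST /login HTTP/1.1" 200 user=alice
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) user=(?P<user>\S+)$'
)


def parse_log(text: str) -> list:
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def failed_logins(rows: list, path: str = "/login") -> Counter:
    """Failed POSTs to the login endpoint, counted per source IP."""
    return Counter(
        r["ip"] for r in rows
        if r["path"] == path and r["method"] == "POST" and r["status"] == "401"
    )


def flag_brute_force(rows: list, threshold: int = 5) -> dict:
    """IPs whose failure count reaches the threshold: the alert to raise."""
    return {ip: n for ip, n in failed_logins(rows).items() if n >= threshold}


def targeted_accounts(rows: list, ip: str) -> dict:
    """Usernames a flagged IP failed against, with counts."""
    return dict(Counter(r["user"] for r in rows if r["ip"] == ip and r["status"] == "401"))
```

A single user mistyping a password once (198.51.100.7 above) stays under the threshold; the rule fires on volume from one source, and the per-account breakdown tells the responder whether to lock one account or block the source.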

What IP address is the attacker using?

What kind of attack is being carried out?

— According to the log file, multiple attempts have been made to bypass the admin credentials, which means a brute-force attack is being carried out.

Final Thoughts

— The room was very easy yet interesting to learn about all the OWASP Top 10 vulnerabilities.
— Thank you for reading, please provide your feedback. :)
