OWASP Top 10
This room broken down into what seems like several days of material. We'll try and do our best to go through and "update" as we go along.
[Task 6] [Day 1] Command Injection Practical
This section covers Command Injection. Examples given are SQLi (SQL Injection) and arbitrary command execution. These can be defined as follows:
Reference for reverse shells for code execution: Pentest Monkey
Some provided examples of commands we can try executing if we think there is a shell present:
Linux
whoami
id
ifconfig/ip addr
uname -a
ps -ef
Windows
whoami
ver
ipconfig
tasklist
netstat -an
Task 6 - Question 1: What strange text file is in the website root directory
We access the PHP reverse shell that is provided for us to start running through some normal commands we might use on an already open and available system.
For this we can use the command:
We can even add switches to it if need be, such as:
Sift through the available files in this location and provide the answer that seems most obvious. The files / directories we are provided with are separated by spaces.
Task 6 - Question 2: How many non-root/non-service/non-daemon users are there
This was a fun one. It took me a minute, but I remembered that we can review the shadow file in order to see what users / accounts have /bin/bash access to a login shell on the system.
In the PHP Reverse shell I ran:
Then took the results into Visual Studio Code to try and space things out for easier review. Remember, we're looking for users who are non-root/non-service/non-daemon accounts.
Reference and review to for login shell and "listing users in Linux": Linuxize Blog
Task 6 - Question 3: What user is this app running as
Pretty simple question for us here, just run:
Task 6 - Question 4: What is the user's shell set as
This kind of takes us back to question 2 where we reviewed who all has a login shell, or shell access on the system.
We can easily bring back up the /etc/passwd file and review
Look for the type of "shell" this user has and we're all set!
Task 6 - Question 5: What version of Ubuntu is running
For this question we can review the notes from a previous room we've done - Linux Challenges
Long story short, we can use the following command to find the version information:
Task 6 - Question 6: Print out the MOTD. What favorite beverage is shown
Another callback to Linux Challenges where we see that the MOTD can be located by running:
[Task 8] [Day 2] Broken Authentication Practical
[Task 8] - Question 1: What is the flag that you found in darren's account
This was an interesting question to determine the why this exploit works. What I ended up doing was intercepting the traffic when I logged into my user " darren". What Burp Suite showed me was that it url-encoded the " " to be equivalent to "+darren".
With SQL not being set to properly sanitize my input, it ended up making a new user " darren" WITH the imported account settings from "darren".
[Task 12] [Day 3] Sensitive Data Exposure (Challenge)
Supporting material:
Some databases can be stored in a flat-file, this format might usually be an SQLite file. To interact with this flat-file database we can run through the following:
From here we can see the tables in the database by using the .tables command:
We can then see what information is inside the table in order to help us further query our data.
A useful online tool for cracking simple hashes - crackstation
[Task 12] - Question 1: The developer has left themselves a note indicating that there is sensitive data in a specific directory. What is the name of the mentioned directory
I ended up finding this by browsing around in the source code on the home page. Looks like we are able to access the sites assets directly. However, I intended to also review the source on /login which has a decent bit of intel there too ;)
[TASK 12] - Question 2: Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data
This is the ever so clear flat-file database!
[TASK 12] - Question 3: Use the supporting material to access the sensitive data. What is the password hash of the admin user
Download the database file, open a terminal and we can get to some cracking.
After we review the table info, we are easily able to understand which column has our users md5 hash for the password.
[Task 12] - Question 4: Crack the hash. What is the admin's plaintext password?
Grab the hash, throw it into the crackstation site. Inversely if you have hashcat installed we can do the following:
A solid breakdown of the above command can be found at 4armed.com.
Essentially the breakdown of our command is as follows:
If you happened to NOT have your rockyou.txt in the above directory you can use the following find command to locate a few files which may work.