OWASP Top 10 - 2021 Tryhackme Walkthrough

Captions
Hi, good morning everybody. Today I'm doing this walkthrough for the new room from TryHackMe, OWASP Top 10 - 2021. This was a good room; there are a couple of labs we can go through. As an introduction, this is the list we do: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Vulnerable and Outdated Components, Software and Data Integrity Failures, Server-Side Request Forgery and all of that. So let's start. Of course, this is a starter machine, and I'm using the AttackBox.

Broken Access Control. Of course, for Broken Access Control we need to bypass the authorization. They give us an example of YouTube, where someone was able to bypass the authorization in YouTube and was able to access private videos. This is a bit too much; a lot of reading is recommended, but let's go through it. Broken Access Control is a very famous vulnerability in many CTF easy rooms. You can see the way it works here, where you change your ID or any variable parameter in the variables. Okay, let's try this. Our first lab will be 10.10.219.243. Let's go there, deploy the machine, and log in with the user noot and password test1234. Now we need to use it. We can see the content for noot, we can see the ID is 1, so the idea of course is to check if there are any other people there. I remember this one; it wasn't a CTF. You will not find it, because they always do these tricks where they want you to go next, next, next and you don't find it, and then you forget it's the smallest one. But let's follow: start from 1, maybe it's lower. So what is lower than 1? Of course it's 0. This is a classic CTF thing; they do these little tricks where you think the ID is going up, and then what they do is use the lowest one to trick you.

Cryptographic Failures. Using the browser communication, always encrypt data. This is related to cryptography. You can read about it here; cryptography is a bit complex, but usually don't code your own cryptographic anything. The most common case now, and the one we practise here, is the database. Most databases like MySQL and MariaDB store flat file data. If you did some starter CTF before you can see this: when you have a database, you can access the database file. This is just a follow-up; the next one will be the lab. Basically this is getting the information, and this is the lab where we need to test our knowledge now. Let's first activate our lab, using port 81. Then: what is the name of the directory? Have a look around the web, of course; in any CTF, play around. We can just log in. He said the developer had left something indicating there is sensitive data. Okay, the source. This is also classic CTF. Sorry guys, I made a mistake, I need to check it here: view page source. This is the note: "must remember to do something better with the database that is stored in assets". So the directory is assets. Now let's access this assets directory, and then we can navigate to the directory. Question one: what files stand out? Of course CSS, fonts and images don't stand out; the first that stands out is the .db. A .db is always something interesting; if you find it, it is always there. Use the supported method: you come back here and say let's download this. So it's SQLite 3; let's access it now, and then we can use this argument, .tables, to get the info for the tables. We need to check the tables first: we have sessions, users. So the one interesting for us is of course the users table; it looks more interesting, so let's check that one. There is some kind of ID number 0, 1, 2, then the user ID, then text; so user ID, username, password. Then we can select everything from users and we get the data.

Then we go back to our questions. He said: what is the password hash for the admin? You can see admin; the third column is password, this is the hash for the password. So we get the password hash and crack it in CrackStation, there is a website for it. It cracked it to "qwertyuiop" or something; it was very fast. Okay, then the flag: now if we log in as admin and copy the password, we got the flag.

Injection. SQL injection of course is well known too, where you can inject to change the syntax or something. That's why you always need to sanitize the data that the user inputs. Here they give us an example of command injection. This is where this application takes a variable, mooing, with a default, and then does this. You can see here that in Linux this is passed through a function in PHP, where it will get interpreted directly in the console. These are what we call inline commands, so we can do the dollar, closing the command, and because there is no check or balance here, basically you can do whatever you want in these things. So let's practise here quickly. Let's test, say "how are you"; of course it just follows the text and shows me the cow. So I can say list me the directory, for example. There is this file there with the strange text. The strange text of course is this one: drpepper.txt. How many non-root, non-daemon users? We can find them if we do cat /etc/passwd. Okay: no root, no service, no daemons. Most of these, especially the service ones, all have no login shell. This is root; if you look around, all of these have nologin, nologin, nologin; there is no normal user in this system. So there is nothing here. What user is the app running as? It's an application, a web application, and any web application runs as the Apache user if Apache is used, because Apache exists here, so it's the Apache web user; the web server will always run as Apache if you use Apache. What is the user's shell set as? Apache's is this one, so that's the shell; you find it always at the end of the line. What version of Alpine Linux? This is the same as Ubuntu, so it should be cat /etc/os-release, I think. Let's see... oh, I totally forgot the dollar; that's what I'm doing wrong. It's /etc/alpine-release, not os-release. So it's 3.6.0.1. Okay, we got that. This is of course the problem: there is no check or balance here, all the data gets passed through directly. There was another room like that on TryHackMe before; I still remember it.

Insecure Design. What is insecure design? It is inherent in the application architecture; this one is about architecture. The example we have now is an Instagram example. They said you reset your password by SMS, but they limit it to 250 or 10 attempts, but they forget to check the origin of the IP, so the attacker can use cloud something and then change the IP. I do WordPress website design and I see this a lot in firewall logs, where they change their IPs. I will check it later in this room. Okay, no, I did it already. So now let's try port 55. Now we need to reset the password: forgot password. If we look here, the username is Joseph. Now look: what is your mother's...? It's a bit not easy to guess. What is your first pet, current address? So our best option is the colour; of course we can check a couple of colours. Say black... I did this before and found it's green. And then we get a password. Now I can log in as Joseph with the password, and then there is a note to remember these new things, private, and you find the flag. So that's what happens when you reset the password with this funny question.

Security Misconfiguration. These occur when security could have been properly configured but was not. This is usually when you have, for example, a website in service and you always need to have PHP errors turned off, so an attacker doesn't see the result in the error, because the error can give the attacker some kind of info and that's not really cool. Now let's go. He said go to the navigator and exploit it, so we need to go to the console; I think it's the same software as one of the difficult rooms. Okay, let's try this script and see what it gives us. We can see we can just put the command and we get the listing. He said read the contents of the file, so if we need the contents we change that to cat app.py and then we have it. We look for the flag; that's the flag. That's a good flag, because by showing the error you are able to bypass the mechanism. What is the database file? This is the database file, todo.db. So we finish now.

Vulnerable and Outdated Components. This is of course about keeping software updated and things like that. The example they give is WordPress; if you don't have your WordPress updated, you're screwed. Here's another one: if you're doing TryHackMe many times, you know Exploit-DB and all of that; you can download an exploit and just do it straightforwardly. Now let's practise; the practice is on 84, so let's go to 84. Okay, we can see it's called CSE Bookstore. If you go to Exploit-DB we can see it's "bookstore authentication bypass". So you can see we already have the code for us. Let me download it. Let me open another tab. Let's see where that file is. If I go to python... what the hell, I didn't download the file? Why was it downloaded as txt? I think it's not this one; let me search for it: bookstore... the latest one... this is not the one... this is an old one, multiple SQL injection, cross-site... hold on, "bookstore exploit", and this one: "bookstore 1 unauthenticated remote code execution". Okay, let's do that; I think that's the correct one. Now you just need to put the URL; the original case of course is 10.10.219.243 and the port is 84. Do you wish to launch the shell? Yes, I want to launch the shell. You can see we already got the shell. So cd /opt, then where is the flag? cat the text file. Okay, we got the flag. So the exploit is that one; it's a straightforward exploit, unauthorized access. This is a very, very fast exploit.

Identification and Authentication Failures. Brute force attacks, use of weak credentials, session cookies. Then they give us the lab, and our lab is on 1888. Let's understand this with the help of an example. There is an existing user admin and we want to... the trick here is using a space. See, we try to register with darren. If for example I register now with darren and let's say darren@twine.com and password darren, it's supposed to say error, user already registered. But if I do a space, this space here, it is the space button; I'm just using the email .com, password 123, not with the space, and I was now registered. So I can log in now with " darren" and the password 123, and it allows me to access. So the application is not really checking and filtering correctly. Then he said log out, and can you do it with arthur? Yeah, we can register with the same trick, " arthur" and let's say arthur@twine.com and password 123. Now I register, now I can log in as " arthur" with 123, and we got our flag too.

Software and Data Integrity Failures. Integrity: of course we know MD5, SHA and all of that. Before you download software you check; when you download, check the SHA to make sure there is no manipulation of the code and things like that. This is software integrity, usually for websites: modern browsers now allow you to add a certain integrity, which is this one where you add the integrity attribute, so the browser will not run this if anything changed in the code, and this gives you some kind of assurance; that's why it's the proper way to run the code now. What is the SHA for this? Of course this is simple; you can go to the website and then we have the SHA-256, and that's the hash. Okay, we come here and we got it. Now Data Integrity Failures: we're going back to the cookies, because when you log in your session will be stored in your cookie, and of course if you manipulate the cookie you can log in as another user. Of course there is some kind of protection mechanism, the JSON Web Token, JWT. There was an earlier version of it that had a weakness, and that's what the lab will test. So we have three parts: the header, the payload, the signature. If they change the header to say "none", they remove the signature but they leave the point at the end, they don't remove it, so basically you can change the session. Now let's practise this principle. We go to the cookie; try to log in to the application as a guest; of course if it's guest the password will be guest. Hold on, I made a mistake here already. So the idea now: can we bypass this and become admin? Now let's go to Firefox, Inspect, Storage; this is the cookie, the JWT cookie. What is the name of the website cookie containing the token? You can see it's jwt-session. They give us this to decode. So let's take this session out; this is the full session. The first part: let's decode it, so it gives us this, and we change this to "none". Now the second part: we decode it too, and we want to access admin. So we have two elements. Let's encode the first one, it gives us this, then we do a point, then we encode the second one, a point, and don't forget the other point, and we don't put the signature. So let's try that; this is our new cookie. Remove it, let me paste my own, let me refresh this page. Now I got the cookie; of course with the updated version of JWT this is not possible. So that's the idea: you have the first line, the second, the third, the signature; you remove it because you put "none" here. Let's continue.

Security Logging and Monitoring Failures. Of course this is logging; this is important in security, you need to log, monitor and all of that. What IP address is the attacker using? You can see now this. Then unauthorized, unauthorized, so basically it's this one, and you can guess what he's doing here: it is admin, administrator, anonymous; it's brute forcing the login.

Server-Side Request Forgery. This is where you let your server trust... you're using another client and some kind of trust between the client and the server. The example given is an SMS portal: the issue of this application is that it exposes where it is going to send the SMS, so the hacker can change the server to his own server, so the message that the client sends to the server will be intercepted. Now for this concept we go to 8087. You'll find a similar explanation, which should be the admin area. If we go to the admin area, okay, it says it's only localhost. It reminds me of another TryHackMe CTF room about localhost. Then the download resume button: look at this resume button, copy link; if you go there we can see the variable download and the server, and there is this, so we can change it to our server, our IP. So I can say send whatever you want to send to me, let's say 10.10.162.127, this is my IP address for the box. Then I can just run nc -lvnp 8087; fine, you can use any port. Now after I change it I will normally get something. Okay, we got a reply here; it sends it to us and now we intercept the information. What does the server parameter point to? Oh yeah, I deleted it: the server is secure-file-storage.com; this is the file here, you can see when you put your mouse here, secure-file-storage.com, that's where you send it to. We got the flag. Going extra: there is a way to use SSRF to gain access to the site's admin area; can you find it? No, I didn't do this yet; I would do it maybe in another video later on, I'm a bit busy today. You don't need this flag to progress, so it's fine, I will check it later on. What is next? We're done. Now we finished, guys. I'll put a note not to forget to do this, so we'll try to figure it out later on.
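As an added example, not code from the video or from the TryHackMe room, here is a minimal HS256 JWT verifier in Python that shows why the "alg: none" cookie trick from the data-integrity section fails against a server that allowlists algorithms and always checks the signature. The secret and the token contents are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real server keeps it out of source control.
SECRET = b"example-hs256-secret"
# The fix for the 'alg: none' bypass: the server, not the token, decides which algorithms count.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 token, as a login endpoint would for the 'guest' session."""
    header = json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode()
    body = json.dumps(payload, separators=(",", ":")).encode()
    signing_input = _b64url_encode(header) + "." + _b64url_encode(body)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET):
    """Return (accepted, reason, payload). The rejection reasons are what you want to log."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return False, "malformed", None
    # A header of {"alg":"none"} with an empty third segment stops here,
    # before any signature work and regardless of what the payload claims.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return False, "alg not allowed", None
    if not sig:
        return False, "missing signature", None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    return True, "ok", payload
```

Counting "alg not allowed" and "bad signature" rejections per client IP in your logs is a cheap way to spot someone trying the cookie-editing steps shown in the video.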
Info
Channel: Djalil Ayed
Views: 20,433
Keywords: OWASP Top 10 - 2021, Tryhackme, Tryhackme Walkthrough, OWASP Top 10 - 2021 Tryhackme, OWASP Top 10, OWASP Top 10 Tryhackme, owasptop10, owasp, owasp top 10, owasp top 10 explained, owasp top 10 tryhackme, owasp top 10 tryhackme walkthrough, tryhackme owasp top 10
Id: aFdv9vSg-V4
Length: 33min 35sec (2015 seconds)
Published: Wed Mar 08 2023