TryHackMe - OWASP Top 10 (2021) - Live Walkthrough

Captions
Hey YouTube, I am Tiberius and you're about to watch an edited recording of a Twitch stream. You can check out my Twitch using the link in the video description. If you enjoy the content, please consider giving it a like and subscribing to my channel. Thank you, and enjoy the video.

So yeah, we've got this OWASP Top 10 room, which, I mean, my thoughts on the OWASP Top 10 are varied. I kind of think nowadays it's a bit silly, but we'll go through it and we'll see what happens. So let's start the machine. Okay, so we're going to go down: OWASP Top 10 of 2021, which is an interesting top 10. For one, broken access control I agree is number one, this is great. I don't agree that cryptographic failures is number two. Injection is just a silly category because it covers everything from cross-site scripting to SQL injection to command injection, so it's kind of just a stupid catch-all injection category which I just don't agree with. Insecure design is ridiculous, that's the catch-all category for if you don't know where to put anything. And then we go down, and then for some reason server-side request forgery just appears at the end. So yeah, the issue with the Top 10, as I've spoken about a number of times before, is the way it started out: it was the top 10 web vulnerabilities, and then everybody started using it like they were the only 10 vulnerabilities, and so slowly over time it sort of morphed into these categories. I mean, some of them aren't even categories. Like obviously injection is a category, right, but SSRF isn't a category, SSRF is its own vulnerability. However, security logging and monitoring failures is a category. So it's just weird. They seem to basically have tried to cram every single web application vulnerability into this list of 10, which I just think is dumb. Also, OWASP, so this is the OWASP Top 10, but OWASP doesn't even stand for the Open Web Application Security Project anymore. They are now the Open Worldwide Application Security Project, because apparently having "web" in your name was just too bad.

So yeah, okay, we're not going to read over this because I feel like I can explain as we go along. We'll just go to the challenges. Okay, the IDOR challenge, right: deploy the machine and go to this URL. All right, so we will open, we're going to use Burp. Okay, TryHackMe note server. I'm going to use the name Newt and the password test1234. Okay, this room is very, very beginner level. That's okay, that means we'll get through it fast and then we can go on to some fun stuff. Okay, so we have a note ID of one. So does anyone know what IDOR stands for? Insecure direct object, yes, reference. So basically an IDOR is where you have some kind of parameter. You might not be able to see that there is a one in the URL; maybe if I go here, actually, it might be a little bit easier. So we have this note_id equals one. So this is a reference, right, it's a reference to a note object. The term "object" is very loosely defined in IDOR. It's a direct object reference because there is one note with an ID of one, right, so basically you're directly referencing the note with ID 1. And the insecure part is because technically this is my note, right, I'm logged in as, what was it, Newt. This is my note; only I should be able to access this note. But if we go to Repeater we can change this value. If we change it to a zero, we probably don't get anything. Let's just render. No, we do. Okay, we've changed it to zero, we get the flag, right. But if we change it to two, we get another note. Okay, this isn't our note. Change it to three, we get another note: "you're not supposed to see this note, which means you're on the right track." So this is what we're doing. So we could keep going up like this, do note ID stuff. I mean, yeah, we figured this out, so there's a note ID of zero. Okay, so the vulnerability here is that even though this note ID is bound to a user specifically, uh, you should have it... Render's been there for ages. So even though this note ID should be associated with a specific user, they're not checking the user when we load the note ID. What we can do is we can send this to Intruder. So let's just say we have this set to one and go to Payloads, Numbers, and then we can do a range. So we could try negative one all the way to a hundred, stepping by one, we don't want any fractions. We go to Settings, Extract, and then we scroll all the way down. I have to refresh the response, actually. I mean, you're going to scroll all the way down to this section, the pre, and we're going to select everything in between the pre tags. And then if we start the attack, what we'll find is that we can extract all of the notes. So the last note is number five. We went all the way up to 100, didn't get anything, but there's the flag. So we can copy this flag. Thank you for following. A super simple attack, very common as well.

Okay, cryptographic failures. Okay, so I guess this is the fact that they are storing password hashes insecurely, I guess. Again, we're not going to read over all this, we're mostly here just to do the challenges, but it looks like they have a password hash, which we can obviously use. Oops. You can use name-that-hash to try and figure it out; it's most likely MD5. Let me just, oh, talk to him. So we'll be going to five.txt, put it in there, and then can we just use John? So wordlist rockyou, format is going to be raw-md5, and then md5, and the password is "password". So, anyone in chat know why we shouldn't use MD5, or very specifically why we shouldn't use just MD5? MD5 is bad for storing passwords, but there are a few reasons why MD5 is no longer suitable for storing passwords. Okay, basically we did all this first challenge. Collisions, collisions are definitely something. MD5 is not secure, it can be, I mean every hashing algorithm can be cracked. Thank you for following. MD5 isn't so broken that you could take an MD5 hash and easily reverse it. Gosh, you generally can't reverse MD5. There are a few issues with MD5 specific to passwords though. Thank you for following.

Okay, so we're actually going to... okay, here. Okay, we're exploring this application. Finally, we have a login. There's a comment: "must remember to do better with the database and store it in assets." Oh God, okay, the database is in assets, which I think was one of the questions right here. Thank you for following. Okay, we have a web app database, so let's download it. I'm just going to copy the URL. Thank you for following. We're just going to wget it. We'll use file to figure out what type it is. It's an SQLite database, so we'll use sqlite3. Okay, .tables, we have sessions and users. So we do select * from users. Okay, and we have a couple of things here. Is it like .columns, .help? How do I describe? I'm terrible at actually using SQLite. .schema, that's it. Okay, so the users table has a user ID, a username, a password and admin. So if we do that select again... it also, it doesn't have a user ID, what am I talking about? No it does, wait, what, hang on. Right, this is the user ID, user ID, username, this is the password. Okay, God, that took a while. All right, so we've got an admin hash. We can use name-that-hash. File it, it's MD5, so we can just use John again. There's the password. Hey Al, did you miss the explanation of rainbow tables? Log in as the admin. All right, we can log in as the admin. Hooray, the flag.

Okay, injection. And this is another reason why, I mean, this, yeah, so I'm imagining this entire room doesn't deal with XSS because the only types of injection they've mentioned here are SQL and command, whereas in the Top 10 of 2021 cross-site scripting is lumped in with the injection vulnerabilities, which technically it's true. XSS is a stupid name, it should be JavaScript injection, it always has been. So yeah, it's weird, but I'm guessing there's no XSS in this Top 10, which makes, like, in this room, which is kind of silly. All right, do we have... navigate here, yeah, exercise. Because it's such an old vulnerability, the main use for it in the first place was actually doing cross-site attacks. Okay, so exploit the cowsay server. Okay, so let's just do Tiberius, just do tux. Okay, let's have a look at the request, send to Repeater. Okay, what we'll do is we'll match submit and we'll scroll down to it. I guess, maybe can we just match on pre? Yeah, we'll scroll down to pre. Good. Okay, so we can just try messing with this. Okay, so we put a single quote in tux, causes that. If you put a single quote in test, what happens? Does that... what happens if we do a double quote? Nothing. The button, this, nothing. Okay, what if we do a semicolon? Okay, a semicolon and we get our original input, notably without a semicolon, which means this is, yeah, probably going to be a basic command injection. A lot of times if we do a semicolon here, I guess anything on there also seems to basically, even though we have a test, it's gotten rid of it, which means the command is probably something... So there is a cowsay command on Linux. I don't know if it is in... search cowsay. Let's just freaking install it. I mean, why doesn't Kali come with cowsay pre-installed? Utterly ridiculous. All right, so we've got cowsay, so we do cowsay test, there we go. Now presumably the cow file is what tux is doing, I guess. But either way, so I'm going to assume, by the fact that if we send it normally we get test here, but if we put a semicolon after tux we don't get test, which means likely what's happening is the command looks like this. It's probably going to be something like tux and then test, right. And so now if, obviously, you put a semicolon there then it's not going to actually say anything. Maybe not, actually. Okay, oh, because I haven't got a file called tux, but it's probably going to do something like, I don't know actually, maybe I'm wrong. Either way, I'm just going to put an echo after this and see what happens. Yeah, there we go, we get test back. So I don't actually know, can you do anything other than... holds a sample of set cow files. All right, let's have a look at this. Oh okay, so if we do, right, okay, that makes sense. So this is probably the command, right: cowsay -f tux test to get this. So if we put a semicolon here, we just get tux saying nothing, which didn't seem to work before, but whatever, maybe my cowsay is different. Either way, if we put an echo here, what's happening is we're basically doing this, right. Let's just imagine that tux does say nothing. I'm just going to put nothing in quotes. Okay, I don't know what's going on, why won't tux say anything? Let me see. It would help if it actually told me what these properties were. New subscriptions, dispensing gratitude. Gratitude dispensed. I have no idea what this does anyway. Either way, we figured out if we put an echo here we get the output down here, which means we can probably just take out this and put an echo Tiberius up here. Yeah, so we can just use this. We can do id now and get our ID. There's a bunch of things we could do technically if we wanted to. I bet we could, instead of putting a string here, we could probably put a command in backticks. Yes, we could. Probably put this command with a dollar sign in parentheses? Yes. So let's just get tux to say what we want. So it's saying, "what strange text file is in the root directory?" Okay, so we need to just do an ls. You know what, let's just do ls /. Okay, I guess it doesn't like that. I'm just going to use ls. So we have a drpepper.txt. How many non-root, non-service, non-daemon users are there? Okay, so that's just going to be cat /etc/passwd. You need to put a space there. Making tux say this was probably a bad idea, so what I'm going to do instead, it means we're just going to, I'm just going to put it here. That's a little better, more readable. Okay, how many non-root, non-service, non-daemon users are there? Okay, hero... sorry, hacksourcesm66, thank you for the gift sub to Mean Machine Rex. Okay, so non-root, non-daemon, I'm guessing it just means users. Actually, that is a good question, what does it mean by this, non-root, non-service, non-daemon users? I'm going to hazard a guess and say, is it these, is it just three? I don't know actually, that's a complicated question. Non-service and non-daemon, and there's only like... the answer is between one and nine. Like non-root obviously is not this, non-daemon equals not this, but then non-service, like bin, is bin technically a... we want nologin. Oh okay, that makes more sense. So we could probably just grep -v nologin. So I'm guessing just three, maybe. Let's see. No. I'm really not sure what the question even means. Did it give a clue? The normal draw is right, I mean, I'm going to say maybe the guest account, because honestly, oh hang on, cyrus. Two maybe, cyrus and the guest account? Okay, just the guest? Just cyrus? No. Screw it, I'm just going to go through and try and figure it out. Let's see. Whoops. Thank you for following. We're almost there. Okay, what is it, zero? [__] stupid question. Was this it? It could have just said how many, like, regular user accounts, I guess, because yeah, there aren't any, because regular user accounts start with a thousand. But the way they phrased this question was dumb: non-root, non-service, non-daemon users. Like the cyrus user, I don't really understand that, clearly that's for some service that I'm not aware of, but anyway, what a stupid question. What user is the app running as? So we obviously can just do id here: apache. What is the user's shell set as? So actually we can likely just do echo $0: sh. Can we then just do which... oh hang on, sorry, which, and then echo, is it just /bin/sh? No. So I guess it just wants us to look in the stupid freaking /etc/passwd file again. That's dumb. Yeah, the shell is set to that, but the shell we've got is not that. What version of Alpine Linux? Okay, so probably want to do, it's either going to be uname, well, we're going to have to look in os-release. Which I'm guessing we're going to have to look in os-release, so let's see, os-release. There we go: 3.16.0. Okay, that was ridiculous. These streams, yeah, these streams are saved as VODs.

Okay, so insecure design, the catch-all one. Let's just see what insecure design they've got in this stupid thing then. A file server. There's a "forgot my password" thing. Oh sorry, hang on a minute, okay, good. Let's go to forgot my password. Please enter your... did it tell us? Joseph. Okay, so we need Joseph's account. Okay, use Joseph. So mother's sister's son's nephew's friend's neighbour's friend's name. Let's do test: incorrect answer. Okay, well, we're going to go favorite color. I imagine the insecure design is you can just keep guessing here. So what we can do is we can send this to Intruder, select this, and then is there a nice list of colors? GitHub, lovely, paste that. And then what we want to do, we basically want to match this, but I want to make sure we're actually matching it correctly. Okay, so it's just plain text, that's fine. So we're going to go to clear, we're going to enter this, flag results with that, that's good. Oh okay, another one actually worked, what? Oh, because of the redirect crap. Hang on a minute, discard. Where's follow redirects? It's down here somewhere, isn't it? Yes, always follow redirects and process cookies. Okay, well, that one, there we go. It was green, apparently. So yeah, we just tried all the colors and eventually hit that. "Will you ever switch to Brave?" You mean the Brave browser? Like, why would I want to do that? This is all the colors, Al, all right, there are no other colors than these 166. Thank you for following, including Zucchini. Okay, notes: remember to move private files out of the server. Yay, flag, okay, cool. But I did see cat images. We clearly have to look at cat images. Monorail cat, classic. "And they told me I could be anything, so I became a cannonball." All right, this machine has redeemed itself. "Can you show the grep match again, or explain why you're matching for the error?" So yeah, I was matching for the error because I wanted to see... like we were basically trying to brute force the question, and I know what the incorrect answer gives us, right, it gives us this. So by using Intruder's grep I wanted to just match the responses which included this, and then effectively I sorted by that and I went down, and the first one that doesn't match it is going to be the first color that didn't produce that incorrect answer, right. And so this was the one that gave us the password. Okay, moving swiftly on.

Security misconfigurations. Navigate and try to exploit the security misconfiguration to read the application source code. All right, fair enough. Right, it's a Flask application, it says so at the top. Okay, what are all these doing? So if I just go to... so one thing you can do in Flask is if you set things to, weird, yeah, there you go. So if you give it a bad reference, in this case the number in the URL, it's going to print out some of the code, right. So we've got some of the code here. Unfortunately we haven't got all of the code, we've just got some of it. However, there is also a console. I'm guessing we just don't have the flag, right. So if we click on this button: console ready. "Really Tiberius, lovely." Okay, so the debugger is enabled and we can just send Python to this server. So yeah, I mean, okay, can we just do import os, os.system('id')? Oh yeah, we can't do system. Going... popen was better, right, popen().read(). We figured this out the other day. There we go. Oh look, we're root. Yeah, we could probably get a reverse shell, so we might as well do that. Let's grab that IP address. Five minutes later... netcat. This already uses /bin/sh so this should be fine. Okay, I still believe I have to put it within this -c though, so I think that should be okay. Hooray, got there in the end. All right, what do we have to do here? Pretty sure we just have to modify the code to read the content. I mean, we don't need to do that, we have a shell now, we can just do anything. file todo.db, okay, file isn't there. cat todo.db, cool. I guess, all right, what was just todo.db. What is the value of secret_flag? We can just use grep, I imagine, in app.py. There we go. Okay, that one took longer than it should have, but we got there.

All right, vulnerable and outdated components. This is just WordPress, I guess? It says no, okay, all right, that's okay. Here's the lab: find a vulnerable application. Okay, easy, easy, easy questions. By the way, let me know... wait a minute, wait a minute, hang on. If I'm correct, I think a super smart person wrote the exploit for this, I'm pretty sure. Let's just Google bookstore in Exploit-DB. Is it just "bookstore", "online book store"? I think this is it. I think a really intelligent person wrote this one. I mean, let's see if it works, never know, it might not work, chat. searchsploit... there's no X, well yeah, unfortunately Tiberius was taken in a lot of places for some reason. I'm going to copy this. Okay, I mean, that just looks like a nicely made Python script, so let's just run it and see what we get. Okay, the URL of the target, and let's see what happens. Yeah, oh, his code works so well, and look at that, it even does... "do you wish to launch a shell?" This is basically not really a shell. So the way this works, I just felt like since I was submitting it to Exploit-DB it should be pretty well made. So basically what it does, it's a file upload vulnerability, unauthenticated, to the admin thing. So what it does is it just randomly generates some PHP upload file. So you see this, this is the exploit code, shell_exec. So it generates a random file name, you can actually see it here, and then it uploads it. It tests to see if it uploads because it does whoami, oh no wait, it doesn't do that, sorry, it echoes, that's the way, it echoes itself, I think. Yeah, no, sorry, it echoes the string, right. It generates a random string, uses that as part of the file name, and then to confirm that the file upload worked it tries to echo that name and then it searches for it in the text, right. Okay, here's the cool thing though. So it basically says, "hey, do you want to launch a shell?" and all it does is it goes into a while True loop where it basically asks for a command. If the command is exit it exits, but otherwise it just sends a GET request and prints out the text. "Mr Streamer, it's really good." All right, I mean, how can I not upvote this room now? It uses literally one of my exploits. What's the contents of the /opt/flag.txt file? Oops, cat. So what I wanted to do, oh, flag.txt, in that. Cool. You don't see how this person is smart? I mean, they got an exploit published on Exploit-DB, gives you an instant shell. Now, no messing around with rev shells, just an instant RCE. This, look, this is a shell. Probably just do, yeah, see, we're in sh. "Is shell set?" No, you do env probably, though. We're in a shell. Looks like there's a nice password though, "Manicus Mac Maximus". All right, screw this.

Logic within the authentication mechanism. All right, here we go. All right, what the, oh Jesus, the "Attacking Authentication" room will focus on teaching the basics of attacking authentication systems. Try to register with Darren. There's an existing user with the name admin. Oh, this is okay. So if we just try: "user is already registered". Yeah, so this is a relatively common one. So if we do Darren with a space, okay, yeah, so basically I just put a space when I registered it as Darren and it allowed us to register, but then when I logged in, basically as part of the login it strips the space out and just logs in as the regular Darren. Do the same trick and see if you can log in as Arthur. All right, register Arthur with a space, and password. Okay, little white... got to do it twice, but okay, boring. What's the SHA hash of this? Wait a minute, does it mean the SHA hash of this string or the hash of this? I mean, it's asking me for the SHA-1 hash with just this string. I'm going to give it what it wants, or rather what it's asking for. SHA-256, sorry, SHA-256. Yeah, no, all right, well, we can easily do this, we can just download it, and then we can just do sha256sum on jQuery. Presumably this is what they wanted. The answer is incorrect. Go to srihash, oh, it wants, oh okay, well, that's not what it asked for then. SHA-256, here we go, this is what it wants, I'm guessing. Yep, yeah, so it's slightly different, but to be fair it did ask for the SHA-256.

Okay, data integrity failures. Navigate to this. Okay, I guess admin admin. You can also log in as guest with a password of guest. Well, thank you. Get the admin... only the admin user is allowed to get a flag. Okay, send to Repeater. Okay, we have a JWT. Just change our username to admin in the JWT. Make sure you trim off these encoded things. "Token signature is invalid." All right, so let's try setting the algorithm to none. Again, you need to trim off this %3D, and since the algorithm is none we just have to trim that off. Boom. Super simple JWT. Not so common to see that kind of attack before. What was the name of the website, or, I mean, screw it, just do this website. Cookie, it's jwt-session, I guess. Okay, done. What else? Task files. All right, okay, for some reason there's... and we'll do that. Okay, easy enough. That's the IP address that you think, because there's all unauthorized. What kind of attack is being carried out? Brute force. All right, that was easy enough.

Server-side request forgery. Copy link. "Does Inspector automatically parse JWTs?" Yeah, it does. What is happening here? Okay, go away. Yes, if you select, I mean this is just b64, this is just base64 encoded, so there's nothing magic, it's just base64. All right, download resume. Why is that not... oh, because binary content, stupid binary content over here. Okay, the admin area: admin interface only available from localhost. Okay, nice, so we can presumably just go localhost/admin. Thank you for following. Can I just do that? No file selected. Interesting. Is it just happening? Nope, but we got a nice error message, that's fun. Copy URL. Okay, so it takes the... also converts the file ID to an integer. Okay, so it does require an integer, unfortunately, but presumably you have the server, so it's just plussing the server here, which means we could presumably just do something like admin. So I'm going to go back, a equals, just encode that. No, I guess not. Does this require us to be... maybe this. Okay, maybe it just wants this URL here. Another thing we could do is... yeah, I tried, I mean I tried doing, I did localhost, I thought. So here's the issue, we go to this, so here's the code. So it takes a file ID from id, takes the server, if the ID is not equal to that it will generate a file name. So yeah, I should be able to put a server in here and then do a... basically it's this line we can abuse. Like, we can set the server to anything. So if I set server to http://127.0.0.1/admin, right, it's going to append this, so it would happen like that, right, and then it's going to have some number, 1234.pdf. If I do this, that should be fine. That's just the type of URL, so this is just curl, I believe it's just saying this is the URL to use. Oh, maybe I need the http, maybe that's what... oh here we go, connect, oh here we go, okay, it's working now. So if I do 8087... weird, is this actually, hang on, is this working? Maybe this is actually working, I'm not actually viewing the... it is, it works. Okay, it was working the entire time, it's just returning it as a PDF. All right, I guess localhost, click the download. "You won't need the flag to progress in this room." Okay, I got the flag. I wasn't supposed to get the flag. What? Download resume, it went to true... "server parameter pointed to this". Yeah, I'm guessing I'm just too late for this site, come on. What? Let's do that. I mean, that's not correct, the server parameter clearly pointed to this, so the answer is wrong. "Using SSRF, make the application send the request to your attack box instead of..." Okay, all right, fine, so we had to do it the boring way. Okay, so instead of this I'm just going to tell it to use 10.13.1.124:4444 and then we're going to see what I have. Oh look, there's the fake flag. I mean, I got literally, I got the... why would you not just make this the freaking flag? It was much more fun. What's next? All right, we're done. Excellent, overall good room. Any questions about any of that? On the screen are my socials. Please follow me on Twitter, join the Discord server, subscribe to my YouTube channel, and of course follow me on Twitch to get alerted when I go live. You can also find all these links in the video description.
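The IDOR section above boils down to one missing check: the note is fetched by note_id and the logged-in user is never consulted, and the Intruder number sweep from -1 to 100 is what that absence looks like in an access log. The following is an added example written for this page, not code from the video or from the TryHackMe room: a vulnerable lookup beside its object-level-authorisation fix, and a small detector that flags a client requesting many distinct note ids. The NOTES table, user names, log format and the threshold of 5 are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data (not the room's database): note_id -> (owner, body).
NOTES = {
    0: ("admin", "FLAG{constructed-placeholder}"),
    1: ("newt", "Newt's private note"),
    2: ("alice", "Alice's private note"),
    3: ("bob", "You're not supposed to see this note"),
}


class NotFound(Exception):
    """Raised for any note the caller may not see: missing or owned by someone else."""


def get_note_vulnerable(current_user, note_id):
    """The pattern behind the IDOR: the lookup keys on note_id alone and never
    looks at current_user, so any logged-in user can read any note."""
    owner, body = NOTES[note_id]          # KeyError if the id does not exist
    return body


def get_note_fixed(current_user, note_id):
    """Object-level authorisation: the lookup is scoped to the caller's own notes.
    'Missing' and 'not yours' produce the same error, so the id space cannot be
    mapped by comparing responses."""
    note = NOTES.get(note_id)
    if note is None or note[0] != current_user:
        raise NotFound("note not found")
    return note[1]


# Constructed access-log layout: client ip, authenticated user, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "GET /note\?note_id=(?P<note_id>-?\d+) HTTP/1\.1" (?P<status>\d{3})'
)


def find_id_sweeps(log_lines, threshold=5):
    """Flag (ip, user) pairs that requested at least `threshold` distinct note_id
    values, the footprint an Intruder number payload leaves behind.
    Returns {(ip, user): sorted list of ids}."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        seen[(m["ip"], m["user"])].add(int(m["note_id"]))
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) >= threshold}


# Constructed log: alice reads her own note once; newt walks ids -1..7.
SAMPLE_LOG = [
    '10.0.0.5 newt "GET /note?note_id=1 HTTP/1.1" 200',
    '10.0.0.9 alice "GET /note?note_id=2 HTTP/1.1" 200',
] + [
    f'10.0.0.5 newt "GET /note?note_id={i} HTTP/1.1" {200 if i in NOTES else 404}'
    for i in range(-1, 8)
]


if __name__ == "__main__":
    print(get_note_vulnerable("newt", 3))   # bob's note leaks
    try:
        get_note_fixed("newt", 3)
    except NotFound as exc:
        print("fixed lookup:", exc)
    print(find_id_sweeps(SAMPLE_LOG))       # only the (10.0.0.5, newt) sweep is flagged
```

The detector keys on distinct ids rather than request count so that a user who refreshes their own note a hundred times is not flagged; in a real deployment the same rule would run per session within a time window.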
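The data integrity failures section above changes the JWT's username to admin, sets the algorithm to none and drops the signature, and the server accepts it. The server-side bug that makes that work is a verifier that lets the token's own header pick the algorithm. The following is an added example written for this page, not code from the video or the room: an HS256 issuer, a verifier with that bug, and a hardened verifier that pins the algorithm and always requires a signature. The signing key, claim names and the unsigned_token helper (which only reproduces the tampered token the stream built in Repeater, so the two verifiers can be compared) are constructed for the example; it uses only the Python standard library, not a JWT library.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the example; a real service keeps this secret.
SECRET = b"constructed-demo-key-not-from-the-room"


class InvalidToken(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding (the %3D the stream trimmed); restore it first.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(payload: dict, key: bytes) -> str:
    """What the server does at login: header.payload signed with HMAC-SHA256."""
    signing_input = f"{segment({'alg': 'HS256', 'typ': 'JWT'})}.{segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def unsigned_token(payload: dict) -> str:
    """The tampered token from the stream: alg set to none, signature removed."""
    return f"{segment({'alg': 'none', 'typ': 'JWT'})}.{segment(payload)}."


def split_token(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    return parts


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable verifier: the token's header chooses the algorithm, so 'none'
    means 'skip the signature check' for whoever wrote the token."""
    h64, p64, s64 = split_token(token)
    header = json.loads(b64url_decode(h64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p64))      # BUG: attacker-controlled bypass
    if header.get("alg") != "HS256":
        raise InvalidToken("unsupported alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise InvalidToken("bad signature")
    return json.loads(b64url_decode(p64))


def verify_pinned(token: str, key: bytes, alg: str = "HS256") -> dict:
    """Hardened verifier: the server decides the algorithm; the header must
    match it exactly and a non-empty signature is always required."""
    h64, p64, s64 = split_token(token)
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != alg or not s64:
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise InvalidToken("bad signature")
    return json.loads(b64url_decode(p64))


if __name__ == "__main__":
    forged = unsigned_token({"username": "admin"})
    print(verify_trusting_header(forged, SECRET))   # {'username': 'admin'}: bypass works
    try:
        verify_pinned(forged, SECRET)
    except InvalidToken as exc:
        print("pinned verifier rejected it:", exc)
```

The fix is a policy decision made server-side: the expected algorithm is a parameter of verify_pinned, never read from the untrusted header, and hmac.compare_digest keeps the signature comparison constant-time. The same rule (reject any header alg you did not configure) also closes the related confusion between HMAC and RSA algorithms.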
Info
Channel: Tib3rius
Views: 8,478
Id: M9JDQtR16Ls
Length: 60min 58sec (3658 seconds)
Published: Thu May 04 2023