Try Hack Me: OWASP Top 10 Room Day 3 of 10

lightkun_yagami
3 min read · Jul 16, 2020

This is a FREE (meaning you don’t have to pay for a subscription, just create an account) room on Try Hack Me that contains challenges with the goal of teaching one of the OWASP vulnerabilities every day for 10 days in a row. The challenges are:

Day 1: Injection

Day 2: Broken Authentication

Day 3: Sensitive Data Exposure

Day 4: XML External Entity

Day 5: Broken Access Control

Day 6: Security Misconfiguration

Day 7: Cross-site Scripting

Day 8: Insecure Deserialization

Day 9: Components with Known Vulnerabilities

Day 10: Insufficient Logging & Monitoring

I am already working on “Day 3: Sensitive Data Exposure” so I will be starting my write-up with this. I blurred the answers so you will have to do the steps yourself to reveal them.

Below are the challenge questions: (I was assigned a web server IP of 10.10.141.24. Check your assigned IP address; yours will be different from mine.)

This is the homepage.

1. Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory. What is the name of the mentioned directory?

  • Check the “Page Source” of each page

The home page source code doesn’t contain anything interesting, but the login page source code contains the directory we are looking for (a developer comment left in HTML is served to every visitor, so it is as public as the page itself).

2. Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?

  • Plug the directory you found into the URL bar

The file that contains sensitive data in the directory we found in question one stands out by its extension; the directory also allows listing, so anyone can see what is in it.

3. Use the supporting material to access the sensitive data. What is the password hash of the admin user?

  • Query the flat-file database that we found in question 2

a. First, let’s check what kind of file we downloaded by running the command “file <filename>” (the command name is lowercase; Linux commands are case-sensitive)

The output says the file was last written using SQLite, which means the database we found is an SQLite database (a flat-file database kept in a single file, so copying the file is the same as copying the whole database)

b. Let us access the database file using the command “sqlite3 <filename>”

c. Query what tables are in the database by using the command “.tables”

We see two tables: “sessions” and the other table is what we need

d. We have to look at the table schema so we know how to read the data after we dump it from the table. We can use the command “PRAGMA table_info(<table name>);”

This tells us that the columns in the table are as follows: “userID”, “username”, and “password”

e. Now, we have to dump the data from the table by using the command “SELECT * FROM <table name>;”

We can see the hashed passwords dumped from the table we found in Step 3.c
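Steps 3.a to 3.e (identify the file type, open the database, list the tables, read the schema, dump the rows) as an added Python script, not part of the original write-up or the room. It uses only the standard library and runs against a constructed sample database with placeholder hash values, not the room’s data.

```python
import os
import sqlite3
import tempfile

# Every SQLite 3 database file starts with this 16-byte header; the `file`
# command recognises the format from it.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_header(data):
    """Same check `file` performs: compare the first 16 bytes to the magic string."""
    return data[:16] == SQLITE_MAGIC


def is_sqlite_file(path):
    with open(path, "rb") as f:
        return is_sqlite_header(f.read(16))


def inspect_db(path):
    """Mirror the sqlite3 shell steps: .tables, PRAGMA table_info, SELECT *."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        result = {}
        for t in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]  # column names
            rows = con.execute(f'SELECT * FROM "{t}"').fetchall()
            result[t] = {"columns": cols, "rows": rows}
        return result
    finally:
        con.close()


def make_sample_db(path):
    """Constructed sample: a sessions table and a users table; hashes are placeholders."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE sessions (sessionID TEXT, userID INTEGER)")
        con.execute("CREATE TABLE users (userID INTEGER, username TEXT, password TEXT)")
        con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                        [(1, "admin", "<placeholder-hash-1>"), (2, "bob", "<placeholder-hash-2>")])
    con.close()


def demo():
    """Build the sample file in a temp dir, confirm it is SQLite, and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "webapp.db")
        make_sample_db(path)
        if not is_sqlite_file(path):
            raise RuntimeError("not an SQLite file")
        return inspect_db(path)


if __name__ == "__main__":
    for table, info in demo().items():
        print(table, info["columns"])
        for row in info["rows"]:
            print("   ", row)
```

The defensive takeaway is the same one the room makes: a database file reachable under the web root needs no credentials at all, so keep data files outside the served directory and store password hashes with a salted, slow algorithm.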

4. Crack the hash. What is the admin’s plaintext password?

  • Let’s use the recommended material for this room to crack the password hash using “CrackStation”
I entered the hash I found in Step 3.e and checked the captcha
Cracked password for user “admin”

5. Login as the admin. What is the flag?

  • Log in through the login page to retrieve the flag
Login page
Got the FLAG!!!!!

Thank you for reading. Hope someone found this helpful. Look out for the Day 4 tasks tomorrow.
