Try Hack Me: OWASP Top 10 Room Day 6 of 10

lightkun_yagami
3 min read · Jul 19, 2020

This is a FREE room (meaning you don’t have to pay for a subscription, just create an account) on Try Hack Me that contains challenges with the goal of teaching one of the OWASP Top 10 vulnerabilities every day for 10 days in a row. The challenges are:

Day 1: Injection

Day 2: Broken Authentication

Day 3: Sensitive Data Exposure

Day 4: XML External Entity

Day 5: Broken Access Control

Day 6: Security Misconfiguration

Day 7: Cross-site Scripting

Day 8: Insecure Deserialization

Day 9: Components with Known Vulnerabilities

Day 10: Insufficient Logging & Monitoring

Today’s challenge is Day 6: Security Misconfiguration. I blurred the answer so you will have to do the steps yourself to reveal it.

Again, there is only one question for this challenge (I was assigned an IP of 10.10.138.79; check your assigned IP address, as yours will be different from mine):

  • Hack the webapp, and find the flag

I initially fell into the rabbit hole when trying to find the solution for this challenge. As I was reading the information about Security Misconfiguration, my attention was drawn to the part about the DDoS attack in October of 2016. The DDoS was successful in taking down large websites and services because of forgetting to change the default password. So, I thought, the creator of this room talked about the DDoS incident, so the default credentials to hack the web app must be one of the 63 default usernames and passwords that were involved in the attack. I immediately downloaded the usernames and passwords, and used them in both Burp Suite and Hydra to get in, but with no luck. I used the hint button:

Here was my next mistake. As soon as I saw “source code,” I immediately thought of taking a look at the “View Source Code” option. I spent a couple of hours clicking on each link and reviewing what I had missed. Again, no luck.

I stepped away from the computer and watched TV for a little bit. I went back to my computer and looked at the “hint” again. I knew I was misunderstanding the hint. After reading the hint multiple times, it struck me that it was asking for the “app’s source code” and not the “page code!”

I started my Google-fu and began doing just general searches, but I wasn’t getting any “pensive notes” related results. And so I limited my search to popular repositories, and I started with GitHub (I remember many people were wondering why their GitHub uploads were not showing up in Google searches), so I limited my search within github.com:

And when I clicked on the top entry that Google returned, I went to look at the Readme.md because the hint mentioned “Maybe the documentation gives you default credentials….” Sure enough, I found the PensiveNotes default credentials:

Found the default credentials
Plugged in the creds I found

And voila!!!!!!!
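The misconfiguration behind this room is an app deployed with the credentials its own documentation publishes. As an added example (not from this writeup or from the PensiveNotes project), here is a deploy-time guard that reads the documented defaults out of a README and refuses to start while any of them still authenticate; the README excerpt, the account store, the PBKDF2 password scheme and every name in it are constructed assumptions.

```python
import hmac
import re
from hashlib import pbkdf2_hmac

# Constructed README excerpt in the style of a project's "getting started" section.
SAMPLE_README = """
# PensiveNotes (constructed sample, not the real project's README)
## Default credentials
username: admin
password: changeme-now
Change this on first login.
"""

USER_RE = re.compile(r"^\s*(?:username|user|login)\s*[:=]\s*(\S+)\s*$", re.I | re.M)
PASS_RE = re.compile(r"^\s*(?:password|pass|pwd)\s*[:=]\s*(\S+)\s*$", re.I | re.M)

def documented_defaults(readme):
    """Pair each documented username with the first password line that follows it."""
    pws = [(m.start(), m.group(1)) for m in PASS_RE.finditer(readme)]
    pairs = []
    for um in USER_RE.finditer(readme):
        later = [pw for pos, pw in pws if pos > um.start()]
        if later:
            pairs.append((um.group(1), later[0]))
    return pairs

def hash_password(password, salt):
    # PBKDF2 stands in for whatever the app's real password store uses (assumption).
    return pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def still_default(accounts, readme):
    """Return usernames whose stored hash still verifies against a documented default."""
    flagged = []
    for user, default_pw in documented_defaults(readme):
        record = accounts.get(user)
        if record is None:
            continue  # documented account was removed; nothing to flag
        salt, stored = record
        if hmac.compare_digest(hash_password(default_pw, salt), stored):
            flagged.append(user)
    return flagged

def startup_guard(accounts, readme=SAMPLE_README):
    """Fail closed: refuse to serve while any documented default still authenticates."""
    bad = still_default(accounts, readme)
    if bad:
        raise RuntimeError(f"refusing to start: default credentials active for {bad}")
```

Run `startup_guard` from the app's entry point (or a CI job) against the live account store so a deployment that still accepts the README's credentials never reaches users.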

I am not getting paid by Try Hack Me to say this, but go and sign up for a free account on https://tryhackme.com