Try Hack Me: OWASP Top 10 Room Day 9 of 10
This is a FREE (meaning you don’t have to pay for a subscription, just create an account) room on Try Hack Me that contains challenges whose goal is to teach one of the OWASP vulnerabilities every day for 10 days in a row. The challenges are:
Day 1: Injection
Day 2: Broken Authentication
Day 3: Sensitive Data Exposure
Day 4: XML External Entity
Day 5: Broken Access Control
Day 6: Security Misconfiguration
Day 7: Cross-site Scripting
Day 8: Insecure Deserialization
Day 9: Components with Known Vulnerabilities
Day 10: Insufficient Logging & Monitoring
Today’s challenge is Day 9: Components with Known Vulnerabilities. I blurred the answer so you will have to do the steps yourself to reveal it.
Below is the one challenge question: (I was assigned an IP of 10.10.69.221. Check your assigned IP address, yours will be different from mine).
[Task 31] [Day 9] Question 1: How many characters are in /etc/passwd?
- First, let’s navigate to the website
- I looked at the source code and other links on the page to see if I could find a clue as to what program I could use to exploit the site. I couldn’t find anything, so I searched for an “online book store” exploit using searchsploit and got the below result:
- The last one looks promising because I want to get an RCE. Let’s copy the exploit to our home folder by using cp /usr/share/exploitdb/exploits/php/webapps/47887.py .
- Check if we have the exploit copied and if it is executable
- Let’s check how to run this payload by using the -h argument
- I ran the payload by using python 47887.py http://10.10.69.221 and I was prompted if I want to launch a shell.
- When I chose Yes, I received an error, and this is when you have to understand what the error was. The error message was easy enough to understand and spot. It is a NameError: the name ‘y’ is not defined, and if you look at the line above it, it is actually asking for the string y to be enclosed in double quotes.
- Let’s try that again, this time we will enclose the y with double quotes.
- And now, we got a shell!
- Let’s see who we are by using whoami
- Looks like we got the same error as when we did not enclose our input in double quotes. Let’s try that again, and if it works, then from now on we will have to wrap all of our input in double quotation marks.
- Now, let’s get the character count of the file /etc/passwd by using wc -c /etc/passwd
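A note on the NameError seen above, with an added example that is not part of the original post and not taken from the 47887.py script. The behaviour described (a bare y failing with "name 'y' is not defined", a quoted "y" working, and every later command such as whoami needing quotes too) is the signature of Python 2's input(), which evaluates whatever you type as a Python expression; raw_input() in Python 2, and input() in Python 3, return the text unchanged. The snippet below reproduces both behaviours in Python 3 so you can see the failure offline; the function names and the yes/no prompt logic are my own and are assumed, not the exploit script's code.

```python
"""
Reproduce the 'y' NameError from the walkthrough.

Python 2's input() is effectively eval(raw_input()), so an unquoted  y  is
looked up as a variable name, while  "y"  is a string literal. This added
example (not from the post or from 47887.py) emulates that in Python 3.
"""


def legacy_prompt(raw):
    """Emulate Python 2's input(): evaluate the typed text as an expression.

    Returns the evaluated value, or the exception object if evaluation fails,
    so the failure mode can be inspected without the process dying.
    """
    try:
        # Empty builtins: nothing to resolve except literals and operators.
        return eval(raw, {"__builtins__": {}}, {})
    except Exception as exc:  # NameError for bare words, SyntaxError, ...
        return exc


def safe_prompt(raw):
    """Equivalent of Python 2's raw_input() / Python 3's input(): no evaluation."""
    return raw.strip()


def wants_shell(raw, reader=safe_prompt):
    """Interpret a yes/no answer with the given reader.

    With the legacy reader, an unquoted y yields an exception instead of a
    string, so the caller gets None and should report the error rather than
    guess. Constructed example inputs are exercised in the test.
    """
    value = reader(raw)
    if isinstance(value, Exception):
        return None
    return str(value).lower() in ("y", "yes")


if __name__ == "__main__":
    for answer in ("y", '"y"', "whoami", '"whoami"'):
        print(repr(answer), "->", repr(legacy_prompt(answer)))
```

The practical lesson for anyone maintaining a script like this is that the prompt itself is the bug: evaluating user-typed text as code is what forces the double quotes, and the fix is to read it as a plain string (raw_input() under Python 2, input() under Python 3) rather than to quote every answer.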
I am not getting paid by Try Hack Me to say this, but go and sign up for a free account on https://tryhackme.com