Try Hack Me: OWASP Top 10 Room Day 9 of 10

lightkun_yagami
4 min read · Jul 21, 2020

This is a FREE (meaning you don’t have to pay for a subscription, just create an account) room on Try Hack Me that contains challenges with the goal of teaching one of the OWASP vulnerabilities every day for 10 days in a row. The challenges are:

Day 1: Injection

Day 2: Broken Authentication

Day 3: Sensitive Data Exposure

Day 4: XML External Entity

Day 5: Broken Access Control

Day 6: Security Misconfiguration

Day 7: Cross-site Scripting

Day 8: Insecure Deserialization

Day 9: Components with Known Vulnerabilities

Day 10: Insufficient Logging & Monitoring

Today’s challenge is Day 9: Components with Known Vulnerabilities. I blurred the answer so you will have to do the steps yourself to reveal it.

Below is the one challenge question: (I was assigned an IP of 10.10.69.221. Check your assigned IP address, yours will be different from mine).

[Task 31] [Day 9] Question 1: How many characters are in /etc/passwd?

  • First, let’s navigate to the website
The homepage
  • I looked at the source code and other links on the page to see if I could find a clue as to what program I could use to exploit the site. I couldn’t find anything, so I searched for an “online book store” exploit using searchsploit and got the result below:
Results from Searchsploit
  • The last one looks promising because I want to get an RCE. Let’s copy the exploit to our home folder by using cp /usr/share/exploitdb/exploits/php/webapps/47887.py .
Copy the exploit to our home directory
  • Check that the exploit has been copied and that it is executable
It has been copied and is executable
  • Let’s check how to run this payload by using the -h argument
As easy as entering the url
  • I ran the payload by using python 47887.py http://10.10.69.221 and I was prompted if I wanted to launch a shell.
  • When I chose Yes, I received an error, and this is when you have to understand what the error was. The error message was easy enough to understand and spot. It is a NameError saying the name ‘y’ is not defined, and if you look at the line above that, it is actually asking for the string y to be enclosed in double quotes.
  • Let’s try that again, this time we will enclose the y with double quotes.
Enclosed the y with double quotes
  • And now, we got a shell!
Shell
  • Let’s see who we are by using whoami
Another error
  • Looks like we got the same error as when we did not enclose our input in double quotes. Let’s try that again, and if it works, then from now on we will have to wrap all of our input in double quotation marks.
  • Now, let’s get the character count of the file /etc/passwd by using wc -c /etc/passwd
We got the answer for [Task 30] [Day 9] Question 1
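
The NameError at both prompts above is what Python 2's input() does: it evaluates the typed text as an expression, so a bare y is looked up as a variable while "y" is a string. The sketch below is an added example, not code from 47887.py; it assumes (the page does not show the script's source) that the script reads its prompts with Python 2's input(), emulates that on Python 3, and puts it beside a prompt that treats input as plain text. The function names and sample inputs are constructed for illustration.

```python
# Added illustration, not taken from 47887.py. Runs on Python 3 and emulates
# Python 2's input(), which was equivalent to eval(raw_input()).

def py2_style_input(typed):
    """Emulate Python 2 input(): the typed text is evaluated as an expression."""
    # Builtins are removed so this demo evaluates nothing beyond literals.
    return eval(typed, {"__builtins__": {}}, {})


def confirm_unsafe(typed):
    """Yes/no prompt as a Python 2 script using input() would handle it."""
    try:
        answer = py2_style_input(typed)
    except NameError as exc:
        return "NameError: %s" % exc
    return "accepted" if answer == "y" else "rejected"


def confirm_safe(typed):
    """Hardened form: the typed text is data (raw_input() / Python 3 input())."""
    answer = typed.strip().lower()
    return "accepted" if answer in ("y", "yes") else "rejected"


# Constructed sample inputs: bare y, quoted y, an expression, bare n.
SAMPLES = ['y', '"y"', '"y" * 1', 'n']


def run_samples():
    """Return (typed, unsafe result, safe result) for every sample."""
    return [(s, confirm_unsafe(s), confirm_safe(s)) for s in SAMPLES]


if __name__ == "__main__":
    for typed, unsafe, safe in run_samples():
        print("%-10s unsafe=%-40s safe=%s" % (typed, unsafe, safe))
```

The third sample is accepted by the unsafe prompt because the expression is evaluated before the comparison, which is why scripts that prompt with Python 2's input() should be read before they are run.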

I am not getting paid by Try Hack Me to say this, but go and sign up for a free account on https://tryhackme.com
