TryHackMe | OWASP Top 10

I decided to do this write-up specifically because I felt like it was a ton of information you could get lost in.

First up, Task 5:

The first thing I did was run whoami, to answer the third question.

After that I ran ls -la and found “drpepper.txt,” which was the first answer.

The next question was about users, so I ran getent passwd. Here, you can also get the answer to the user’s shell.

To check which version of Ubuntu was running, I used lsb_release -a.

For the last question, I had to look at a write-up myself (thedutchhacker). I came across this website, "How to use the motd file to get Linux users to pay attention" (Network World), that explained motd a bit better.

Eventually, I used ls /etc/update-motd.d to see what files it had.

The hint said 00-header, so let’s see what’s in it using cat /etc/update-motd.d/00-header.

Voila, we are done.

Task 7:

The first thing to do is go to the "register" page. After that, do as the task says and try to register as darren.

Now, go back to register and put a space before darren this time. The site accepts it as a new account and takes you back to the home page. On the top right, log in as darren with a space before it, using the password you chose on the register page.

Now log out of darren and repeat the process for arthur.
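To make the Task 7 flaw concrete, here is an added example (my own Python model, not the room's code) of a registration/login flow that accepts " darren" as a second account, beside a hardened version that normalises the username once at the boundary. The mechanism assumed here is that the profile lookup trims the username while registration does not; the room's real code is not shown on the page.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class VulnerableApp:
    """Stores the raw username, but resolves the profile by the trimmed name."""
    def __init__(self):
        self.users = {}     # raw username -> (salt, password hash)
        self.profiles = {}  # trimmed username -> that account's secret

    def register(self, username, password):
        if username in self.users:  # ' darren' != 'darren', so a duplicate slips in
            return False
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))
        owner = username.strip()
        self.profiles.setdefault(owner, "flag-for-" + owner)  # constructed secret
        return True

    def login(self, username, password):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(_hash(password, rec[0]), rec[1]):
            return None
        return self.profiles.get(username.strip())  # the bug: trimmed only here

def canonical(username):
    """One normalisation rule for the whole app: no whitespace, case-folded."""
    if username != username.strip() or any(c.isspace() for c in username):
        return None
    return username.casefold()

class HardenedApp(VulnerableApp):
    """Normalise at the boundary so registration and login use the same key."""
    def register(self, username, password):
        key = canonical(username)
        return key is not None and super().register(key, password)

    def login(self, username, password):
        key = canonical(username)
        return None if key is None else super().login(key, password)

if __name__ == "__main__":
    app = VulnerableApp()
    app.register("darren", "pw1")
    app.register(" darren", "pw2")
    print(app.login(" darren", "pw2"))  # darren's secret, reached with a different password
    app = HardenedApp()
    app.register("darren", "pw1")
    print(app.register(" darren", "pw2"))  # False
```

The fix is not the strip() call itself but applying the same canonical form everywhere a username is compared or stored.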

Task 11:

First go to the website, then open the browser's inspector.

Nothing there, so we hit the Login button and look!

Next, append /assets to the site URL.

webapp.db looks interesting, so let's get it by just clicking on it. Then change directory to wherever the file was saved.

First we run file webapp.db, which reports that it is an SQLite 3 database (version 3.36.0). Then we open it with sqlite3 webapp.db.

In order, the commands used inside sqlite3 are .tables, PRAGMA table_info(users); and SELECT * FROM users;

That query also shows the password hashes, and we need the admin's password. Look the admin's hash up on hashes.com and you get your answer.

After that, go back to the login page and login as the admin to get your final flag.

