Hack The Box: OWASP Top 10



Looking Glass

There are no documents for this challenge, but opening the URL we can see a simple service that seems to ping various servers.

The site is titled “rce”, so I guess what we need to find is Remote Code Execution. The site responds very slowly. But a simple check for input sanitization reveals that we can inject commands into the IP address field:

With this, we can enumerate the server (although it’s really slow). After running ls in a few subfolders, we find the flag.


Sanitize

The next one is called Sanitize, and the site’s title is SQLi.

With one of the first trials (by typing admin' -- for both username and password), we get the flag.


Baby auth

This challenge presents us with a login screen where we can first register a user and then log in, although not as admin.

However, decoding the username reveals that it is simply {"username":"hacker"}. We change it to admin and get the flag.


Baby nginxatsu

Again, we first need to register and then log in. We get to a page where we can configure the web server.

Within the “default” config file, we find an interesting comment:

index index.php;
root /www/public;

# We sure hope so that we don't spill any secrets
# within the open directory on /storage

This doesn’t sound like a default setting, so let’s check the /storage folder. (Note: on the first try this simply didn’t load.) We get a long list of all files hosted in this folder.

And interestingly, we also find a zipped backup file. It contains an SQLite database file that we can inspect with sqlitebrowser.

Within the file, we find a table “users” with three users. The first one carries the name “nginxatsu-adm-01” and its password is hashed. Inspecting it with hashid reveals that the hash mode is probably MD5, and after cracking it with hashcat we can log in as administrator and get the flag.


Baby WAFfles order

We get to a site where waffles and ice cream can be ordered. The “order” is sent to the server as a JSON POST request. Since the page is titled “xxe”, let’s see whether we can also send XML.

In order to do so, we convert the following JSON payload:

{"table_num":"123 ","food":"WAFfles"}

to XML using this converter:

<?xml version="1.0" encoding="UTF-8" ?>
<root>
  <table_num>123 </table_num>
  <food>WAFfles</food>
</root>

After changing the Content-Type in Burp to “application/xml”, we can successfully submit the order.

Now we can try to exploit it by trying to retrieve files:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>
  <table_num>123</table_num>
  <food>&xxe;</food>
</root>

With this payload, we can see the /etc/passwd file, so it works! But this doesn’t help us yet, as we don’t know where the flag actually is. After a long time of searching for ways to get RCE, I realized that this challenge came with a zip file, and from it we can see that the flag is in the root folder, at /flag. With this we can read it.


Baby todo or not todo

This page seems to be a simple todo-list “app” where the user can add todo items and mark them as completed.

For this challenge, we also have the source code provided, so let’s take a look at it. There is an API that is polled periodically (as we can see in Burp Suite). We also have several endpoints, such as list/all. The comment already tells everything:

from flask import jsonify
# `api` (the Blueprint) and `todo` (the data layer) are defined elsewhere in the challenge source.

# TODO: There are not view arguments involved, I hope this doesn't break
# the authentication control on the verify_integrity() decorator
@api.route('/list/all/')
def list_all():
    return jsonify(todo.get_all())

By making a GET request to /list/all with the SECRET unchanged, we get the flag.
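As an added illustration (not the challenge’s code; its verify_integrity() is not shown on the page), here is a hypothetical decorator with the same flaw next to a hardened version. It assumes the integrity check is an HMAC over the route’s view arguments, and uses a constructed key and an in-memory todo store.

```python
import hashlib
import hmac

# Constructed key for this example; the challenge's real SECRET is not on the page.
SERVER_KEY = b"constructed-example-key"

# Constructed in-memory todo store standing in for the challenge's todo module.
TODOS = {1: {"id": 1, "task": "water plants", "done": False},
         2: {"id": 2, "task": "submit flag", "done": True}}

def token_for(fields):
    """Integrity token: HMAC-SHA256 over the sorted fields a request carries."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def verify_integrity_vulnerable(view_func):
    """Hypothetical buggy decorator: the token is only checked when the route
    has view arguments, so an argument-less route such as /list/all/ is open."""
    def wrapper(secret="", **view_args):
        if view_args and not hmac.compare_digest(secret, token_for(view_args)):
            raise PermissionError("bad integrity token")
        return view_func(**view_args)
    return wrapper

def verify_integrity_fixed(view_func):
    """Hardened decorator: the token always binds the route name, so every
    route requires a valid token even when it has no view arguments."""
    def wrapper(secret="", **view_args):
        expected = token_for({"route": view_func.__name__, **view_args})
        if not hmac.compare_digest(secret, expected):
            raise PermissionError("bad integrity token")
        return view_func(**view_args)
    return wrapper

def list_all():
    return list(TODOS.values())

def list_item(item_id):
    return TODOS[item_id]

def attempt(decorator, view, secret="", **view_args):
    """Returns 'allowed' or 'denied' for one request against the decorated view."""
    try:
        decorator(view)(secret=secret, **view_args)
        return "allowed"
    except PermissionError:
        return "denied"
```

Calling attempt(verify_integrity_vulnerable, list_all) with no token at all is allowed, which is exactly the behaviour the TODO comment worried about; the fixed decorator denies it until a token bound to the route name is supplied.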


Baby BoneChewerCon

This is super easy. We get to a web page where we can enter our name. Upon submitting it, the whole site crashes and we see the Laravel debugger. Within the listed parameters, we find the flag.


Full Stack Conf

This one is just as easy, because it already says what we need to do. There is only one field open for user input; we add a small “alert” script, and what pops up is the flag.


Baby Website Rick


Baby Breaking Grad