TryHackMe: OWASP TOP 10

Naman Jain
2 min read · Oct 11, 2021

1: Injection

Hola gente 👋!! Naman this side. Hope you all are doing great :)

So this blog is all about the OWASP TOP 10 room of TryHackMe. This is a kinda walk-through blog & I’ll be continuing it as a series ^^

NOTE: I’ll not be explaining the whole OWASP TOP 10; instead I’ll be giving hints for the questions that need an answer (skipping those that don’t) and also providing the answers at the end. But first try to solve them from the hints.

Also, try to overlook the grammar and typos. So without further ado, let’s exploit!!

Start the machine & access the web content at http://<ip>/evilshell.php/

You will get something like this ☝️

So coming to the questions:

Q1) What strange text file is in the website root directory?

ls

Q2) How many non-root/non-service/non-daemon users are there?

cat /etc/passwd

Q3) What user is this app running as?

whoami

Q4) What is the user’s shell set as?

cat /etc/passwd

Q5) What version of Ubuntu is running?

cat /etc/os-release

Q6) Print out the MOTD. What favourite beverage is shown?

cat /etc/update-motd.d/00-header
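The Q2 and Q4 hints both come down to reading /etc/passwd by eye. As an added example that is not part of the original post, the POSIX shell functions below do that reading programmatically over a constructed sample of the file (not the room’s real one): count_real_users counts accounts that are neither root nor service/daemon accounts, and shell_of prints the login shell of a named account. The criterion used for “real user” (UID of 1000 or more, not the nobody account, and a shell that can actually log in) is an assumption that matches Ubuntu’s defaults, not something the room states.

```shell
#!/bin/sh
# Added example, not from the original post: interpret /etc/passwd the way the
# Q2 ("how many non-root/non-service/non-daemon users") and Q4 ("what is the
# user's shell") hints are worked by hand.
# SAMPLE_PASSWD is constructed for this example; it is not the target's file.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001::/var/backups:/usr/sbin/nologin'

# count_real_users PASSWD_TEXT
# Counts accounts with UID >= 1000 (Ubuntu's default range for human users),
# excluding nobody (65534) and any account whose shell is nologin/false.
# That exclusion rule is an assumption of this example, not the room's wording.
count_real_users() {
    printf '%s\n' "$1" | awk -F: '
        $3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { n++ }
        END { print n + 0 }'
}

# shell_of USERNAME PASSWD_TEXT
# Prints field 7 (the login shell) for the named account; prints nothing if
# the account does not exist.
shell_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Stand-alone run: 1 real user in the sample, and www-data cannot log in.
count_real_users "$SAMPLE_PASSWD"
shell_of www-data "$SAMPLE_PASSWD"
```

Against a real box you would feed it `cat /etc/passwd` output instead of the sample. The www-data line is the security-relevant one: the web server's account is deliberately given /usr/sbin/nologin, so even if the app is abused, that account cannot be used for an interactive login, which is the least-privilege setup you want to confirm rather than undo.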

So I hope you tried by yourself. If not, then what are you waiting for? And if yes, then congrats.

And for those who are stuck or simply wanna copy & paste, here you go ;p

A1. drpepper.txt
A2. 0
A3. www-data
A4. /usr/sbin/nologin
A5. 18.04.4
A6. DR PEPPER

So that’s all for this blog. See you in PART 2.
