Sensitive Data Exposure⚓︎
Difficulty:
Direct link: TryHackMe - OWASP
Objective⚓︎
Sensitive Data Exposure (1)
Explore the target web application for exposed sensitive data.
- I am only presenting my work to answer the questions associated with this room. I suggest going through the Tasks not covered here to fully understand the concepts being challenged.
Solution⚓︎
Start by spinning up your target machine in Task 8, grab the IP and plug it into the browser of your choice; I am using Chromium in my Kali box.
Task 11.1
What is the name of the mentioned directory?
Looking around, the first thing I do is inspect the page Elements using DevTools. Immediately we can should take note that we have an "assets" endpoint we might be able to target. For now, I make a note of it and continue to explore.
Make a note of endpoints for future enumeration
Not much else to see for this challenge. Moving over to the login there is a comment for us.
Submit the mentioned directory.
Directory
Submit "assets" for this answer.
Task 11.2
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
Following the breadcrumbs, navigate to the directory and we see the flat-file mentioned in the reading, which should also be the answer to our next question.
Interesting File
Submit the interresting files' name to answer the question.
This is our target file.
Task 11.3
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
With the file just sitting there, nothing is stopping us from right-click and select "Save link as...". Choose the directory that you are working from.
Download
Watch for a notification that the download was blocked. Tell your browser that the download is safe to proceed.
Once we have it, we can use the same commands from the reading as well as some of our Linux Fu to begin exploring. Navigate to the directory that the file we found was saved in and use the file command to inspect it.
file can be used to determine the type of file. We see the one we found is "SQLite 3.x database"
Since the file is a database flat-file, we will want to explore it further with a database manager. We know the database was written using SQLite, and it is available out-of-the-box on Kali Linux, so we can use the sqlite3 <database.db> command.
Use sqlite3 to manage the database found
The first thing I do when accessing a new database is .schema. This allows me to view the structure of the whole database.
We have two tables; sessions & users
We are looking for the hash of the admin user's password; it looks like the users table is going to have the relevant fields. To check out the whole table use SHOW * FROM users;.
Pay attention to the layout. The userID looks like a hash as well, but we need the password hash
There are 3 accounts listed; admin, Bob, and Alice with a potentially hashed userID and a hashed password.
| userID | username | password | admin |
|---|---|---|---|
| 4413096d9c933359b898b6202288a650 | admin | REDACTED | 1 |
| 23023b67a32488588db1e28579ced7ec | Bob | ad0234829205b9033196ba818f7a872b | 1 |
| 4e8423b514eef575394ff78caed3254d | Alice | 268b38ca7b84f44fa0a6cdc86e6301e0 | 0 |
Admin Hash
Copy and paste the hash from column 3.
Task 11.4
Crack the hash.
What is the admin's plaintext password?
Cracked Hash
The read through told us how to do this, so take the password hash over to CrackStation, paste the answer from Task 11.3, complete the CAPTCHA, and crack the hash.
There are many resources for password cracking, but CrackStation is an ideal online resource.
Task 11.5
Login as the admin. What is the flag?
Log in
This is straightforward. We have a username and password to use at the login page, which shows us a "Welcome, admin" page.
Success!
Wrap Up⚓︎
This exploit was a bit more involved, however it also built off some of the previous knowledge. Lets move on to the next challenge. Read the appropriate tasks and I'll meet you in the challenges for XML External Entity.