This room breaks down each of the OWASP Top 10 and includes details on what the vulnerability is, how it occurs and how you can exploit it. You will put the theory into practice by completing supporting challenges. This write-up covers Tasks 1–5 of the room.
Fire up a terminal session (Ctrl + Alt + T) and enter firefox http://10.10.119.212/evilshell.php
This will open a Firefox web browser session and take you to the lab page (note THM may change this link in future).
Day 1: Injection
#1 What strange text file is in the website root directory?
Info: The root directory of a Linux-based website is /var/www/html. We can try to navigate to a different directory using the ls command if needed. Firstly we’ll check the current directory using the pwd command, which stands for Present Working Directory. Running this command confirms we are in the correct directory, so no navigation is required.
We’ve made sure we are in the root directory, so we can now look at the contents by running the ls command. There are several files; however, we are interested in a text file whose name ends in .txt. Based on the results, we can see the relevant file would be drpepper.txt.
#2 How many non-root/non-service/non-daemon users are there?
Info: To get a list of all users on a Linux system, you can look in the /etc/passwd file. The /etc/passwd file is used to keep track of every registered user that has access to a system. If we run cat /etc/passwd then this will print all the users.
The cat command prints the contents of a file without opening it in an editor, so we can use it and then count how many non-root/non-service/non-daemon users there are on the system. We can refine the output by piping it ('|') into cut -d: -f1. The cut command extracts part of each line: -d sets the delimiter to a colon (":") and -f1 selects field one as the string to print. So the final command is cat /etc/passwd | cut -d: -f1
The refined output shows there are 0 users who are non-root, non-service and non-daemon.
#3 What user is this app running as?
Info: To find out the name of the current user we can use the whoami command. This command prints the user name associated with the current effective user ID. The output confirms the username is www-data.
We could also use the id command as suggested by THM. The id command outputs user id in brackets and other information.
#4 What is the user’s shell set as?
Info: To identify the user’s shell we can use the contents of the /etc/passwd file. This file contains fields which are delimited by colons (:).
We can run the command cat /etc/passwd and review the output. The last field on the www-data line contains that user’s login shell. We can confirm the user’s shell is set as usr/sbin/nologin
Another way is to use the command grep "^$USER" /etc/passwd, adapted to the user we care about, so it becomes grep www-data /etc/passwd. This command returns only the line we need instead of all users.
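The two /etc/passwd questions above (#2 and #4) can also be answered by filtering on the colon-delimited fields instead of reading the list by eye. The script below is an added example, not part of the room or the original write-up. It assumes the Debian/Ubuntu convention that regular accounts start at UID 1000, that UID 65534 is nobody, and that a shell ending in nologin or false marks a non-login account. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file by field instead of by eye.
# Assumptions: UID_MIN is 1000 (Debian/Ubuntu default), UID 65534 is "nobody",
# and a shell ending in nologin or false marks a non-login account.

# human_users FILE -> prints one "name:uid:shell" line per matching account
human_users() {
    awk -F: '
        NF >= 7 && $3 >= 1000 && $3 != 65534 &&
        $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }
    ' "$1"
}

# count_human_users FILE -> prints the number of matching accounts
count_human_users() {
    human_users "$1" | wc -l | tr -d ' '
}

# login_shell FILE USER -> prints field 7 (login shell) for an exact name match
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Constructed sample in /etc/passwd format (not taken from the lab machine).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

echo "human accounts: $(count_human_users "$SAMPLE")"
echo "www-data shell: $(login_shell "$SAMPLE" www-data)"
```

Unlike grep www-data, the exact match on field one will not also return other lines that merely contain the string.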
#5 What version of Ubuntu is running?
Info: We can use the following command in Linux to find out the OS version: lsb_release -a
Instead of printing all of the information provided by the -a switch, you can display only the description line, which shows your Ubuntu version, by passing the -d switch. It’s also possible to use cat /etc/os-release, which also provides the information we need. The version is stated as 18.04.4
#6 Print out the MOTD. What favorite beverage is shown?
Info: To understand this question, we need to get to grips with MOTD which is located in the /etc directory. It’s a file which can display a “Message Of The Day”. This was used to send a common message to all users instead of sending an email out.
There are many motd files available; however, we want to concentrate on the 00-header file as instructed. This file contains the welcome message that helps us answer the question. To locate the motd files, we’ll use the conveniently named locate command, so enter locate motd
Now that we can see the motd file with the header mentioned, we can view it using the cat command: cat /etc/update-motd.d/00-header. After reading through the output we find the beverage name embedded in a sentence towards the bottom, which is dr pepper
We’ve now covered tasks 1–5!
I hope you found my article useful and feel free to share, like and comment any feedback.
All image credits to TryHackme.com