TryHackMe WebAppSec101 Write-up
Hi, this is a beginner write-up for the room WebAppSec101, which was created by ashu on the TryHackMe platform.
Link to the room on TryHackMe: https://tryhackme.com/room/webappsec101
TASK1: Basic Description & Objectives
Just read and press complete.
TASK2: Walking Through the Application
First of all, nmap.
nmap -T4 -sC -sV <MACHINE-IP>
We can see from the result that there are three ports.
Question 1: Version of Apache.
2.4.7
Question 2: Language used.
php
For question 3, we can use the command curl to get the version of the language used.
curl -I <MACHINE-IP>
Question 3: Version of the language.
5.5.9
TASK 3: Establishing a Methodology
There is nothing to be done here; just read through it and move on to the next task.
TASK 4: Authentication
In this task, the creator states that authentication can be tested in two ways: Brute Force/Weak Credentials or Session Management.
But first, let’s go to the site.
Go to the Admin button below.
Try some common usernames and passwords.
admin:admin
Yes! It works! We are directed to this page, which also gives us the answers for Question 1 and Question 2.
The third question asked about the name of the cookie that can be manipulated. So, go to Inspect Element -> Storage, and we will see the cookie named session.
Question 4: Name of cookie that can be manipulated.
session
Now logout, and press “Check out a sample user!”.
We can see userid=1 in the URL, and we can try to change it.
2 is bob.
4 is scanner1. (5 is scanner2, 6 is scanner3, 7 is scanner4 and 8 is scanner5)
5 is scanner 2.
9 is wanda.
10 is calvinwatters.
11 is bryce.
For question 4, bryce is used as the answer.
And for the password, yes, you guessed it, bryce again. And here we logged in as bryce.
TASK 5: Cross Site Scripting (XSS)
So we need to write some code into the specified place to show the vulnerabilities.
I use the most basic alert script.
<script> alert("HELLO") </script>
First, search bar.
Second, at the guestbook.
Third, the home page.
Yes, we are done!
TASK 6: Injection
We can use certain codes to perform injections. The unsanitized input will be processed by the system.
Question 1:
As for me, I'll use:
' OR 1=1 -- <space>-
And the result is:
Question 2:
Again same code.
Result is:
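Why that input works, as an added example (not code from the room or from this write-up): a Python/sqlite3 sketch that puts a string-built login query next to its parameterized fix. The `users` table, the query shape and the account names are constructed assumptions.

```python
import sqlite3

# The payload from this task, with <space> written as a real space.
PAYLOAD = "' OR 1=1 -- -"

def make_db():
    # Constructed sample data. Passwords are plain text only to keep the
    # demo short; a real application stores salted password hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    db.executemany("INSERT INTO users (login, password) VALUES (?, ?)",
                   [("alice", "s3cret-A"), ("carol", "s3cret-C")])
    return db

def build_query(login, password):
    # Vulnerable pattern: user input is pasted into the SQL text.
    return ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
            % (login, password))

def login_vulnerable(db, login, password):
    # A quote in `login` closes the string literal, OR 1=1 makes the WHERE
    # clause true for every row, and "--" comments out the password check.
    row = db.execute(build_query(login, password)).fetchone()
    return row[0] if row else None

def login_parameterized(db, login, password):
    # Hardened form: placeholders send the input as data, so the quote and
    # the comment marker are compared literally and never parsed as SQL.
    row = db.execute("SELECT login FROM users WHERE login = ? AND password = ?",
                     (login, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print("query sent by the vulnerable code:")
    print("  " + build_query(PAYLOAD, "anything"))
    print("vulnerable login returns:   ", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized login returns:", login_parameterized(db, PAYLOAD, "anything"))
```

Printing the built query shows the password condition ending up after the `--`, which is why no valid password is needed.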
TASK 7: Miscellaneous & Logic Flaws
Question 1: Parameter manipulation
Now, we are on picid=15.
After changes to picid=11, we are able to look into other photos.
Question 2: Directory Traversal
First, go to /pictures/upload.php.
Now, we change the file to a .PHP file and it is still able to upload to the root folder.
Result:
I can access and run the reverse shell and get a connection using Netcat.
Question 3: Forceful Browsing
Go get a picture and add to cart.
Then, Continue to confirmation.
Finally, press on the link.
Question 4: Try and get a free item.
Now, the last question.
So, to get a discount code, we can go to “What is going on today?” on the home page.
After loading the page, it will state that there is nothing. But press “What about tomorrow?” and we can find this.
Next, go back to the recent and add to the cart page to place the discount code.
But, we can keep on adding the same discount code for an extra 10% discount! (which stacks diminishingly)
Keep on adding it until the price is low and near to 0, and we are done!
Thank you for finishing this write-up.
Thanks to the TryHackMe platform for providing such a place for us to learn to hack, and to the creator, ashu, for creating such a good room for us to learn from.
For other room’s write-ups, please go to my profile and have a look. Thank you!
Any suggestions or improvements can be commented on here.
Any vouchers are appreciated too!!! XD