
Security Misconfiguration (Tryhackme)

Linux, Networking & Security are the domains of my interest.

Security misconfiguration can be poorly configured permissions on cloud services.


Security Misconfiguration

Previously, we guessed credentials and brute-forced client profile pages.

Now, we want to take a look at the default-credentials vulnerability in an application that is deployed on the web page. This is not a user account that a visitor sets up on the site; it is an account that the server's or webpage's owner sets up once when installing an application on the site.

Security misconfiguration includes:

  • Poorly configured permissions on cloud services.
  • Default accounts with unchanged passwords.
  • Error messages that are overly detailed and allow an attacker to find out more about the system.
  • Having unnecessary features enabled like services, pages, accounts, or privileges.
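As an added example (not part of the TryHackMe task or this article), here is a startup audit that checks an application's own configuration for each of the four items above; the settings keys, the user-record layout and the documented default password are all constructed assumptions:

```python
import hashlib
import hmac
import os

# Constructed sample: the default credential an app of this kind might ship in its README.
DOCUMENTED_DEFAULTS = {"admin": "admin123"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; how the app stores passwords is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def audit(settings: dict, users: dict) -> list:
    """Return a list of misconfiguration findings; an empty list means the config is clean."""
    findings = []
    # 1. Poorly configured permissions on cloud storage (assumed settings key).
    if settings.get("storage_public_read"):
        findings.append("storage bucket allows public read access")
    # 2. Default accounts whose password still equals the documented default.
    for name, default_pw in DOCUMENTED_DEFAULTS.items():
        record = users.get(name)
        if record and hmac.compare_digest(hash_password(default_pw, record["salt"]), record["hash"]):
            findings.append(f"account '{name}' still uses the documented default password")
    # 3. Overly detailed error messages (debug output / stack traces shown to clients).
    if settings.get("debug") or settings.get("show_stack_traces"):
        findings.append("verbose error output is enabled; stack traces reveal internals")
    # 4. Unnecessary features: anything enabled that is not on the required list.
    extra = set(settings.get("enabled_features", [])) - set(settings.get("required_features", []))
    for feature in sorted(extra):
        findings.append(f"unnecessary feature enabled: {feature}")
    return findings


def demo() -> list:
    """Run the audit against a constructed, deliberately misconfigured deployment."""
    salt = os.urandom(16)
    users = {"admin": {"salt": salt, "hash": hash_password("admin123", salt)}}
    settings = {
        "storage_public_read": True,
        "debug": True,
        "enabled_features": ["api", "setup_wizard"],
        "required_features": ["api"],
    }
    return audit(settings, users)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Running the audit at application startup (and failing the deployment when it reports anything) is what keeps a README credential from still working in production.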

TryHackMe (OWASP TOP 10 [Task 19])

If this is your first time working on TryHackMe and you don’t know how to set it up then, check out the bonus resource section at the end.

Navigate to: https://tryhackme.com/room/owasptop10 → Task 19


The task says that it is an app, so let's search for it on Google.

A GitHub repo (Hmmm…)


In the README we can find the default credentials for logging in.


Let's try to log in with those credentials.


We have successfully logged in.


Resources

  1. BurpSuite Setup
  2. OWASPBWA vulnerable machine
  3. OWASPBWA VM setup video



© 2022 Ashutosh Singh Patel