2. Cryptographic Failures
https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as PCI Data Security Standard (PCI DSS). For all such data:
Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP, including those that rely on TLS upgrades like STARTTLS. External internet traffic is hazardous. Verify all internal traffic, e.g., between load balancers, web servers, or back-end systems.
Are any old or weak cryptographic algorithms or protocols used either by default or in older code?
Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing? Are crypto keys checked into source code repositories?
Is encryption not enforced, e.g., are any HTTP headers (browser) security directives or headers missing?
Is the received server certificate and the trust chain properly validated?
Are initialization vectors ignored, reused, or not generated securely enough for the cryptographic mode of operation? Is an insecure mode of operation such as ECB in use? Is encryption used when authenticated encryption is more appropriate?
Are passwords being used as cryptographic keys in the absence of a password-based key derivation function?
Is randomness used for cryptographic purposes that was not designed to meet cryptographic requirements? Even if the correct function is chosen, does it need to be seeded by the developer, and if not, has the developer over-written the strong seeding functionality built into it with a seed that lacks sufficient entropy/unpredictability?
Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic hash functions used when cryptographic hash functions are needed?
Are deprecated cryptographic padding methods such as PKCS number 1 v1.5 in use?
Are cryptographic error messages or side channel information exploitable, for example in the form of padding oracle attacks?
Have a look around the web app. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
Go to the page indicated on THM: <URL>:81
We see that there's a Login page link at the top right.
The last credentials don't work; then, searching the source code, we find an interesting comment:
/assets
Go there: http://bank.thm:81/assets/
We see webapp.db, a SQLite DB.
webapp.db
8.3 - Use the supporting material to access the sensitive data. What is the password hash of the admin user?
Exploring the DB data, we can see the password hash of the admin:
6eea9b7ef19179a06954edd0f6c05ceb
We can crack the admin's password hash using the CrackStation website:
qwertyuiop
Very good, now we can log in to the admin account using the login function and obtain the flag:
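Added example (not part of the original walkthrough): a defender-side audit of a SQLite credential table for values shaped like bare MD5 or SHA-1 digests, such as the admin hash above, next to salted PBKDF2 storage that a precomputed lookup table does not cover. The `users` table, its column names and the `alice` row are constructed assumptions, since the page does not show the schema.

```python
import hashlib, hmac, os, re, sqlite3

# Hex-digest lengths typical of fast, unsalted hashes that lookup tables cover.
WEAK_FORMATS = {32: "MD5-length", 40: "SHA-1-length"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)

def audit_password_column(conn, table="users", column="password"):
    """Return [(username, label)] for stored values that look like a bare fast hash."""
    findings = []
    # table/column are fixed identifiers chosen by the auditor, not user input.
    for user, stored in conn.execute(f"SELECT username, {column} FROM {table}"):
        if HEX_RE.fullmatch(stored) and len(stored) in WEAK_FORMATS:
            findings.append((user, WEAK_FORMATS[len(stored)]))
    return findings

def hash_password(password: str) -> str:
    """Salted PBKDF2: the same password yields a different record every time."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare

def demo():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for webapp.db
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    rows = [
        ("admin", "6eea9b7ef19179a06954edd0f6c05ceb"),      # hash shown on the page
        ("alice", hash_password("constructed-sample-pw")),  # constructed row
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return audit_password_column(conn)

if __name__ == "__main__":
    print(demo())
```

Flagged rows cannot be converted in bulk because the plaintext is unknown; the usual migration is to re-hash with the KDF at each user's next successful login and expire the old value.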