Open in app

Sign in

Write

Sign in

Vulnerabilities 101 — Writeup | TryHackMe

Shakhawat Hossain - 0xShakhawat
6 min readSep 15, 2024

--

Vulnerabilities 101

Introduction

This room is going to introduce you to some resources that are essential when researching vulnerabilities, specifically, you are going to be introduced to:

  • What vulnerabilities are
  • Why they’re worthy of learning about
  • How are vulnerabilities rated
  • Databases for vulnerability research
  • A showcase of how vulnerability research is used on ACKme’s engagement

Introduction to Vulnerabilities

A vulnerability in cybersecurity is defined as a weakness or flaw in the design, implementation or behaviours of a system or application. An attacker can exploit these weaknesses to gain access to unauthorised information or perform unauthorised actions. The term “vulnerability” has many definitions by cybersecurity bodies. However, there is minimal variation between them all.

For example, NIST defines a vulnerability as “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source”.

As a cybersecurity researcher, you will be assessing applications and systems — using vulnerabilities against these targets in day-to-day life, so it is crucial to become familiar with this discovery and exploitation process.

[Question 1] An attacker has been able to upgrade the permissions of their system account from “user” to “administrator”. What type of vulnerability is this?

[Answer] Operating System

[Question 2] You manage to bypass a login panel using cookies to authenticate. What type of vulnerability is this?

[Answer] Application Logic

Scoring Vulnerabilities (CVSS & VPR)

Common Vulnerability Scoring System

First introduced in 2005, the Common Vulnerability Scoring System (or CVSS) is a very popular framework for vulnerability scoring and has three major iterations. As it stands, the current version is CVSSv3.1 (with version 4.0 currently in draft) a score is essentially determined by some of the following factors (but many more):

1. How easy is it to exploit the vulnerability?

2. Do exploits exist for this?

3. How does this vulnerability interfere with the CIA triad?

In fact, there are so many variables that you have to use a calculator to figure out the score using this framework. A vulnerability is given a classification (out of five) depending on the score that is has been assigned. I have put the Qualitative Severity Rating Scale and their score ranges into the table below.

However, CVSS is not a magic bullet. Let’s analyse some of the advantages and disadvantages of CVSS in the table below:

Vulnerability Priority Rating (VPR)

The VPR framework is a much more modern framework in vulnerability management — developed by Tenable, an industry solutions provider for vulnerability management. This framework is considered to be risk-driven; meaning that vulnerabilities are given a score with a heavy focus on the risk a vulnerability poses to the organisation itself, rather than factors such as impact (like with CVSS).

Unlike CVSS, VPR scoring takes into account the relevancy of a vulnerability. For example, no risk is considered regarding a vulnerability if that vulnerability does not apply to the organisation (i.e. they do not use the software that is vulnerable). VPR is also considerably dynamic in its scoring, where the risk that a vulnerability may pose can change almost daily as it ages.

VPR uses a similar scoring range as CVSS, which I have also put into the table below. However, two notable differences are that VPR does not have a “None/Informational” category, and because VPR uses a different scoring method, the same vulnerability will have a different score using VPR than when using CVSS.

Let’s recap some of the advantages and disadvantages of using the VPR framework in the table below.

[Question 1] What year was the first iteration of CVSS published?

[Answer] 2005

[Question 2] If you wanted to assess vulnerability based on the risk it poses to an organisation, what framework would you use?

[Answer] VPR

[Question 3] If you wanted to use a framework that was free and open-source, what framework would that be?

[Answer] CVSS

Vulnerability Databases

Throughout your journey in cybersecurity, you will often come across a magnitude of different applications and services. For example, a CMS whilst they all have the same purpose, often have very different designs and behaviours (and, in turn, potentially different vulnerabilities).

Thankfully for us, there are resources on the internet that keep track of vulnerabilities for all sorts of software, operating systems and more! This room will showcase two databases that we can use to look up existing vulnerabilities for applications discovered in our infosec journey, specifically the following websites:

1. NVD (National Vulnerability Database)

2. Exploit-DB

Before we dive into these two resources, let’s ensure that our understanding of some fundamental key terms is on the same page:

[Question 1] Using NVD, how many CVEs were published in July 2021?

[Answer] 1554

[Question 2] Who is the author of Exploit-DB?

[Answer] OffSec

An Example of Finding a Vulnerability

In this task, I’m going to demonstrate the process of finding one minor vulnerability, coupled with some research of the vulnerability databases leading to a much more valuable vulnerability and exploit ultimately.

Throughout an assessment, you will often combine multiple vulnerabilities to get results. For example, in this task, we will leverage the “Version Disclosure” vulnerability to find out the version of an application. With this version, we can then use Exploit-DB to search for any exploits that work with that specific version.

Applications and software usually have a version number. This information is usually left with good intentions; for example, the author can support multiple versions of the software and the likes. Or sometimes, left unintentionally.

For example, in the screenshot below, we can see that the name and version number of this application is “Apache Tomcat 9.0.17

[Question 1] What type of vulnerability did we use to find the name and version of the application in this example?

[Answer] Version Disclosure

Showcase: Exploiting Ackme’s Application

It is your first week on the job as Jr. Penetration tester at ThePentestingCo. For your first engagement, you are shadowing a Sr. Penetration Tester within the company.

Deploy the site attached to this task and follow the steps that the Sr. Penetration Tester took to exploit a vulnerability against ACKme IT Service’s infrastructure.

Complete the engagement to retrieve a flag.

The application disclosed Version Number: 1.5.2.

Searched with the version number on a Vulnerability/Exploit Database.

[Question 1] Follow along with the showcase of exploiting ACKme’s application to the end to retrieve a flag. What is this flag?

[Answer] THM{ACKME_ENGAGEMENT}

Conclusion

Nice work! We’ve made it to the end. This room has served as an introductory to vulnerability research and some skills and resources this requires, where you have practically applied this knowledge.

Tryhackme Walkthrough
Vulnerability
Info Sec Writeups
Infosec
0xshakhawat

--

--

Shakhawat Hossain - 0xShakhawat
Shakhawat Hossain - 0xShakhawat

Written by Shakhawat Hossain - 0xShakhawat

377 Followers
39 Following

Learning Penetration Testing && Cyber Security

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams