DEV Community: ternera

Hacker101 CTF — Micro-CMS v2

ternera — Sat, 13 Jan 2024 21:41:07 +0000

In the Micro-CMS V2 CTF by Hackerone, we are given the following hints for the first flag:

Regular users can only see public pages
Getting admin access might require a more perfect union
This immediately made me think about SQL Injection UNION attacks, which you can learn about here.

I began by checking for some basic SQL Injection vulnerabilities with a

‘

and

admin’

These returned errors, but did not provide any useful information.

I considered opening Burpsuite Intruder and attempting to brute force the username/password combination, but assumed it would be a difficult combination because of the union hint.

I tried a few different payloads, but struggled to blindly guess what the name of the table name was. Eventually, I did some cheating and checked online to see if I could learn the name of the table. I found a writeup saying that the table name was

admins

The final payload I used was:

' UNION SELECT 'pass' AS password FROM admins WHERE '1' = '1

And for the password field:

pass

Submitting that gave me message saying that I was logged in.

Clicking on the link to the Private Page displayed the flag.

The hint for the next flag said: What actions could you perform as a regular user on the last level, which you can’t now?

The “changelog” for page 1 also said: “This version fixed the multitude of security flaws and general functionality bugs that plagued v1. Additionally, we added user authentication; we’re still not sure why we didn’t think about that the first time, but hindsight is 20/20. By default, users need to be an admin to add or edit pages now.”

I used Burpsuite to modify requests and was unable to find an answer that way. Later, I learned that you can send different HTTP request methods using Curl from the command line using the “-X POST” argument. My final command was:

curl -X POST https://7b44997630caaec756ff4da81538e9c9.ctf.hacker101.com/page/edit/1

This immediately gave the second flag.

The hint for the last flag was: Credentials are secret, flags are secret. Coincidence? I ended up using Burpsuite for this flag as well. My plan was to brute force the username and password, hoping it wasn’t too complex. I recalled from doing this in the past that the username and password were first names. In the past, I had used rockyou.txt, but that took quite a while.

This time, I used a wordlist with only first names in hopes that the challenge was still configured that way. I used Burpsuite’s intercept proxy and then sent the request to the intruder.

After configuring positions and uploading my wordlist, I began the attack and found that the username was “betsy”, seeing it had a different length than the rest of the responses.

Trying the username “betsy” with a random password returned an “Invalid password” error, so that showed me that I was on the correct track.

After running the attack for a few more minutes, the password “teresa” also returned a different length.

Using the username “betsy” and password “teresa” authenticated me and immediately returned the flag.

That means this challenge has been completely solved. Be sure to view some of my other Hacker101 CTF writeups!

Hacker101 CTF — Micro-CMS v1

ternera — Sat, 13 Jan 2024 21:38:51 +0000

Upon launching this challenge in the CTF, we are met with three links, labeled: Testing, Markdown Test, and Create a new page.

The first hint suggests to try creating a new page. The new page creation page says that Markdown is supported, but scripts are not.

After creating a new page, I noticed something interesting. It was assigned the number 12. I wondered if I could modify the URL and possibly find some information in pages with other numbers.

Page 7 returned a Forbidden error. That’s interesting.

It looked like the only pages I could access were 1, 2, and 12. 1 and 2 had already been created and 12 was the page that I created. After taking a closer look at the existing pages, I noticed there was an edit button on these pages. I opened the editing page for page 2.

Similar to the “A little something to get you started” challenge, I found that you could change the page number to edit the protected page 7.

This revealed the first flag from this challenge. For the second flag, the only hint given said to tamper with every input. After playing with the text box, I directed my attention back to the URL. Originally, I tried appending ‘1=1 to the URL, but found that simply adding one ‘ at the end of the URL would reveal the second flag.

The next flag was found before some others, but I am putting it here to keep things in order. I wanted to try some Markdown XSS because I noticed that the message “Markdown is supported, but scripts are not” was shown when creating a new page. Unfortunately, I looked over something important here. The body of the text area says it doesn’t support scripts, but the title does not mention anything about it. I found this out accidentally after using the following from the Markdown XSS repo:

<javascript:prompt(document.cookie)>

After saving, this is what I saw on the page:

Clicking the “Go Home” link returned a popup with the flag.

The hint for the final flag says that “Scripts are great, but what other options do you have?” This made me circle back around to my original thought of using some markdown XSS. This didn’t get me anywhere, so I did a quick Google search for “how to add xss to other tags” to see if I could find any articles that would shed some light on the matter. I found this helpful post on Stack Overflow that shows how to modify a div tag to execute a script. I copied and pasted their div tag into the body of the text box.

<div onmouseover="alert(1)" style="position:fixed;left:0;top:0;width:9999px;height:9999px;"></div>

Immediately after creating the page, I was met with a popup with a value of 1.

I didn’t find the flag on the homepage like the previous flag, but instead it was hidden in the source code of the page I created.

That wraps up this CTF challenge, see you in the next one!

Hacker101 CTF — A little something to get you started

ternera — Sat, 13 Jan 2024 21:37:26 +0000

Welcome to my writeup series about the Hacker101 CTF by Hackerone! This challenge is called “A little something to get you started” and it is in the trivial category.

Upon launching this challenge, we are met with the text “Welcome to level 0. Enjoy your stay.”

Checking the page source reveals some CSS that uses a background image called background.png.

<style> body { background-image: url(“background.png”); } </style>

We can manually append /background.png to the URL, which reveals the flag.