Hacker101 CTF is based on Web, Crypto and Android platforms. The challenges are good for the beginners, some of the basics are covered through these CTF. I will be discussing “A little something to get you started”, “Micro-CMS v1” and “Micro-CMS v2” in this post.
Check out my post on Bugcrowd’s CTF writeup here: http://www.anonhack.in/2020/08/bugcrowds-levelupctf-0x07-walkthrough/
1. A little something to get you started
Once you open the link for this challenge, you will be presented with the below page:
On checking the Source code for this page, Right Click –> View Source, It will give you “background.png”.
Once you visit the background.png, there you will find your first flag:
2 – MicroCMS V1
This particular level has 4 flags. Starting from LFI to XSS. The levels are pretty easy to crack.
Flag – 1:
Below page will be seen once you enter this challenge:
For the very first flag, I checked the XSS in one of the pages, so you can create a new page or you can edit anyone of the above pages. I edited the Markdown Test page, in order to get the very first flag.
Here when you click on edit page and inject a basic XSS it will give out the first flag. I used the below XSS: ‘<img src=”something.com” onerror=”alert(3)” />’
Here is the flag.
Flag – 2
For second flag, I checked the hints, It says to check the index numbers of the pages, So I did.
–>http://126.96.36.199/d01dccdf66/page/1 —>very first page 200 OK
–>http://188.8.131.52/d01dccdf66/page/2 —>again another post 200 OK
–>http://184.108.40.206/d01dccdf66/page/5 —> Forbidden
So, now we know that we want to check the forbidden page for the next flag. Again, the level is easy as there is no cookies or the login information, I thought to just edit this page like the rest of the pages and there is our second flag.
Flag – 3:
To get the 3rd flag, the technique is similar to the first flag of MicroCMS v1 but now you have to inject XSS in the title of the post.
I injected the same <img> tag XSS in the title. and below you can see we have the flag on the entire CMS.
Flag – 4:
I checked the hint again for this because I thought I ran out of every possible way. The hint mentioned below line:
- Have you tested for the usual culprits? XSS, SQL injection, path injection
This line got me thinking if we can add a little quote (‘) at the end of pages above.
This gave me the flag to complete this level:
3. MicroCMS v2 :
Flag -1 :
This CMS is similar to v1, the only difference here now is we need to give username and password for editing the post.
So now if I edit the page, I am provided with this login panel:
After several tries and checking the hint, it says it requires a “union”, I used the below query to bypass:
username = admin ‘union select ‘123’ as Password#
password = 123
What this query actually does is create a dummy entry in the current table in mysql “admins” table here with password entry 123, which then check the password value we gave with the dummy value, now obviously it will came out to be same and hence we are through. We are using # sign here as comment, because # is used in mysql, “–” is sql comment and in this case it wasn’t working.
After your are in, on the “Private Page” you will find your first flag:
Flag – 2 :
The Hint for the next flag was this:
- Different requests often have different required authorization
- Just because request fails with one method doesn’t mean it will fail with a different method
I fired up Burpsuite for this and with a lot of different parameter change. We will get the second flag, If we remove the Cookie parameter in the edit page header. No CSRF token is given with the form to cross check the request and hence we get the flag when we make that request.
Flag – 3 :
The hint for this flag says :
- Credentials are secret, flags are secret. Coincidence?
The hint is straight, I fired up Sqlmap to get the flag for this level. We need to get the actual credentials for this and then login with those credentials to get in.
After login with above credentials, here is your flag:
For more details on SQLInjection with Base64 strings, check here: http://www.anonhack.in/2018/10/sql-injection-on-base64-encoded-string-parameters/