
Asher Mathews Shaji

Hacker101 CTF Micro-CMS v1 Writeup

Challenge link: https://ctf.hacker101.com/ctf

Flag0

Let us look at the challenge Micro-CMS v1.

It is an easy challenge and we want to find 4 flags.

So let's dive in.

On the entry page there are 2 pages named testing and markdown,

and we can also create a new page.

So let's go to the first page, named testing.

Nothing special here.

Let's check out Markdown test.

Nothing special here.

Let's try creating a new page.

Let's name the page.

Let's write any content.

BUT!!

When we look at the URL:

the first page is numbered 1,

the next page is numbered 2,

but when we open the page we just created we can see that it is numbered 6.

So let us try to access pages 3, 4 and 5.

When we access the 3rd page, it says that it is not found on the server.

It is a similar story on the 5th page, but when we try to access the 4th page we get a different response.

It says that the 4th page is forbidden, which means it is present on the server.

So the fourth page may contain a flag.

Now we have to figure out a way to access the 4th page.

We can see that every page has a button for editing the page.

When we click the edit button,

the URL of the edit page has "edit" in it.

So by adding "edit" to the URL we can edit any page.

Since we want to access the 4th page, let's try to edit it by adding "edit" to its URL.

YES, we can edit the fourth page, and here is the flag..

Flag1

For this one the hints were:

  • Make sure you tamper with every input
  • Have you tested for the usual culprits? XSS, SQL injection, path injection

So I tested the usual things such as XSS and SQL injection. When I was playing with the edit URL

I found out that it was expecting a number at the

so I tried to break the query by simply putting a ' in place of a number.

The page that loaded contained the flag.

Flag2

For this one the hints were:

  • Sometimes a given input will affect more than one page
  • The bug you are looking for doesn't exist in the most obvious place this input is shown

From this we can understand that the flag has something to do with input.

So as a first step I looked for XSS.

The first place where we can enter user input was the create-a-new-page form.

I tried to inject an alert() function into the page but the alert doesn't pop up.

When we look at the source we can see that the script tag has been replaced by

tag, which means it was checking for XSS (Cross-Site Scripting).

But when we go back home, suddenly an alert pops up, revealing the flag.

I didn't fully understand how this happened.

But my assumption is that the content of the pages gets loaded when we go back to the home page.

Flag3

For this one the hint was:

  • Script tags are great, but what other options do you have?

So it must be referring to other ways of injecting JavaScript into the page.

One of the other ways of injecting JavaScript into your page is by using button elements.

I noticed that only tags get replaced so I created a button in the description of a page

and on the "onclick" attribute (onclick is an HTML attribute in which we can pass some JavaScript code which gets executed when the button is clicked)

I tried to pop an alert.. it did pop an alert but the flag was not found..

But then I added a flag property to the button element and kept it empty and

I saved the page.

BUT!! When I looked at the source of the page, the content of the flag property was not empty.

It was replaced with the flag.

This shows us the amazing advantages of values that already exist but lack the correct placeholder to contain them.

Even though it was an easy CTF, I learned a lot from this..
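The filter behaviour described under Flag2 and Flag3 (script tags rewritten, the onclick attribute left alone, the title shown unfiltered on the home page) is what a blocklist gives you. The following is an added example, not code from the original post or from the challenge: a blocklist filter modelled on that behaviour next to an allowlist sanitizer built on Python's `html.parser`. The tag and attribute lists, the `removed` replacement name and all function names are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlist for page bodies; not taken from the challenge.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "button"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
SAMPLE = '<button onclick="alert(1)">Click</button>'  # constructed input

def blocklist_filter(markup: str) -> str:
    """Weak filter modelled on the post: only script tags are rewritten."""
    return re.sub(r"(?i)<(/?)script\b", r"<\1removed", markup)

class AllowlistSanitizer(HTMLParser):
    """Re-emits allowlisted tags and attributes only; text is always escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text is still escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick, onerror, style, custom attributes
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))

def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def render_title(title: str) -> str:
    """Titles are plain text: escape them on every page that prints them."""
    return html.escape(title)
```

`blocklist_filter(SAMPLE)` returns the button unchanged with its handler intact, while `sanitize(SAMPLE)` returns `<button>Click</button>`.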

Top comments (2)

kite10010

I really liked the flag3 very detailed one thank you.

Asher Mathews Shaji

Thank You😊