DEV Community

DaNeil C
DaNeil C

Posted on • Edited on

Hacker101 CTF - Micro-CMS v1

MORE CTFSSSSSS
Recently I've started diving into CTFs and trying my hand at some Bug Bounties. This means that I will need to be writing reports with any bug I find and want to practice. So, here I go.

  • CTF Name: Micro-CMS v1
  • Resource: Hacker101 CTF
  • Difficulty: Easy
  • Number of Flags: 4

Note::: NO, I won't be posting my found FLAGS, but I will be posting the methods I used.


Flag0

  • Hint: Try creating a new page
  • Acquired By: This one was not super straight forward as the hints it gave (I'm only showing 1) were not straight forward as to what I might need to do. By looking at the page counts I found that, for me, page 6 was "forbidden" and not "Not Found". This means that this is a good starting point... but what to do with it? If you look at how other pages are edited or created we can see there is a naming pattern. So, if we apply that to this "Forbidden" page we can edit it and there is the Flag.
  • Thoughts: I actually like that these hints are not straight forward. At first it was a bit annoying but this is showing us how to pay attention and try things within the URL.

Flag1

  • Hint: Make sure you tamper with every input
  • Acquired By: This flag I don't quite understand but I found it by manipulating a "edit" page URL with a single quote (') and then the page that loaded held the flag.
  • Thoughts: The hints lead me to think this would be an alert box but that was not the case. It was more along the lines of path injection as the path was expecting a number but I added a quote to break it.

Flag2

  • Hint: Sometimes a given input will affect more than one page
  • Acquired By: This flag I actually got while trying to get Flag1. I found that I could add an alert to the button that was already in one of the pages and when it was clicked an alert popped up. Nothing super special, but when I navigated to another page another alert box populated and there was my flag.
  • Thoughts:

Flag3

  • Hint: Script tags are great, but what other options do you have?
  • Acquired By: When you edit the page with the button you can add in a flag value. When you inspect the page the flags value has populated in the code.
  • Thoughts: WTF??? I know that I am looking for flags but I wouldn't have thought of adding a flag value to anything to get a flag to populate. This shows an amazing way of taking advantage of values that might be there but not active until a placeholder is available for it. Alt Text

Learned

I feel like I learned a lot from this set as I am still learning the different ways that pages can be manipulated. I don't feel like the last flag is really something super useful but it is still interesting that this is possible.

Happy Hacking

Please Note that I am still learning. If something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Top comments (10)

Collapse
 
paul2t profile image
Paul DE TEMMERMAN

Your solution for Flag2 is not correct.
Hint: The title of a page is not escaped in the home page.
Solution: Set the title of a page to: <
And then go to the Home page. An alert will show up with this flag.

Collapse
 
caffiendkitten profile image
DaNeil C

Hi Paul, It's good to know that there is another approach to this flag. Thanks for showing me another way.

Collapse
 
v2kumar profile image
Vivek Kumar

Can you tell me how did you find this solution E.g How'd you reach to that solution

Collapse
 
paul2t profile image
Paul DE TEMMERMAN

I found it by mistake. I was trying random things and suddenly when I went on the home page, the flag popped up.
I then tried to figure out what caused this flag to appear and found that it was the title of the page. I tried different inputs to see what could make it appear, I found that '<' was the minimal thing I could do.

Thread Thread
 
v2kumar profile image
Vivek Kumar

Thanks

Collapse
 
prajwalmithun profile image
vanquisher

Flag 1 another approach.

You need to do XSS.

       1. You need to go to Create new page.  
       2. Add this <script>alert(100)</script> in both the title and 
          description section, since these are the input entry points,xss should be done in those points. And the number 100 may be any number. 
       3. Click <--go-Home.
Enter fullscreen mode Exit fullscreen mode

Walla!! you get the flag in the pop up

Collapse
 
onyxcode profile image
Dan

Thank you so much! I was stuck on the explanation given for Flag1 :)

Collapse
 
suther profile image
Samuel Suther

Flag 3 has another approach.
You don't need to add that "flag"-Parameter.
You only have to use another way to inject JavaScript in the code but with a script-tag.

For example, I have add an Image and new Image-Tage in an edited page, and add an alert in onclick. Thats solved this 3rd Flag. For you the solution was only the onclick in your button. ;)

Collapse
 
drledesma profile image
Juan Ledesma • Edited

Im recently new to do this and its my first Hacker101 test. You helped me with Flag 1. So I found the answer to Why the Single Quote worked for this flag. Its because of SQL injection here link for more details. Thank you!
netsparker.com/blog/web-security/f...

Collapse
 
caffiendkitten profile image
DaNeil C

Glad I could help with the first flag!
A " Fragmented SQL Injection" is not a phrase I've heard so much. Much grateful for the link to more info.