
Hacker101 CTF - Micro-CMS v2

DaNeil C on October 21, 2019

More and more CTFs!!!! Recently I've started diving into CTFs and trying my hand at some Bug Bounties. This means that I will need to be writing r...
Samuel Suther

Thanks @DaNail Coulthard for your articles. I've also started with Hacker101.
It's a pleasure to read your experiences with the course.

I even got stuck on Flag 1, but with a little help from the community I solved it in Burp Suite.

You can do it as follows: Start a request to the "edit" page and send the request to the Repeater. Be aware that you have no cookies in your Firefox from a current or previous login! (⇐ That was the magic point for me!... if you have a cookie in your headers, you get a "Bad Request" result).
In the Raw or Headers tab change GET to POST. Then you get your flag.

DaNeil C

Hey Samuel.
Thanks for these different approaches to the v1 and v2 flags.
Great to learn more ways to get the flags.

Carlosm99

Bro, I keep getting a Bad Request result even if I clear the cookies.
Can someone please help me.

Thank you in advance!

Carlosm99

I just found the solution; it's a bit embarrassing heheh, but anyway. When removing the cookies it asks if you want to remove the cookies from today, an hour ago, two hours ago and so on... etc. The option I chose is to remove all.

matthias koch • Edited

Hello! Also a newbie; I started today, played with your login hack and did this:

  1. Log in with your hack.
  2. Take the login entry in Burp to the Repeater.
  3. Change line 1 to POST .../page/edit/2.
  4. Got my second flag without a session cookie ;)
matthias koch

And I got the third flag with your SQL code: the first one for the username and the second for the password.
I don't understand how it works, but maybe later..

Anton

Hi DaNeil,
I started doing CTFs yesterday, complete noob. Learned a lot from your post. I did some research and learned SQL basics and some double SQL injection techniques. I think your FLAG 2 worked like this: it's an error-based SQL injection. The intention is to produce some error that will leak information about the database; the count(), floor(rand()*2) a ... group by a will produce that KeyError because of the interaction between group by (aggregation) and count(). Since we can see the error, we could add some information about the database in the concat(), which will become the key, produce the KeyError and then get displayed. The information we wanted simply came from information_schema. Then it's basically iterating through the database.

winterstarr • Edited

I used a different method for Flag 2.

I used comparisons for the username and password substrings and then found them letter by letter.

The main idea is that you can use a comparison in the username and if it is true, you will get one error ("Invalid password") and if it is false you will get another ("unknown user"). So you can keep giving it comparisons and check the error result to find if it is true or not.

For example:

username=' OR 1=1;- -&password=

is true and therefore it passes the username check but fails the password check, resulting in "Invalid password"

But

username=' OR 1=2;- -&password=

is false and therefore fails the username check, resulting in "Unknown user".

So beginning by solving the username, I start with:

username=' OR Ascii(substring(username,1,1)) > 109;- -
password=

(Ascii(substring(n,n)) returns the ascii character code of the nth character in the string)

If the first letter of the username ascii code is greater than 109 (which is the letter m), then the comparison will be true and it will tell me "Invalid password" as the error. Now I can try:

username=' OR Ascii(substring(username,1,1)) > 115;- -
password=

If the character is not greater than 115 (the letter s) the comparison will be false and it will give the "Unknown user" error instead. Now I know the letter is greater than m and not greater than s, therefore it is between n and s.

You continue these comparisons until you find the exact letter. Then you move on to the next character:

username=' OR Ascii(substring(username,2,2)) > 109;- -
password=

Now you're checking if the second character is greater than 109 (m).

Once you find a character that equals 0, you know you have hit the end of the string.

You repeat the same process for password:

username=' OR Ascii(substring(password,1,1)) > 109;- -
password=

I used Burp Suite for this to manually do it, but I'm sure you could write a script that did this faster using a binary search for each letter and just checking whether the response has "Invalid password" or "Unknown user" in it.

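To show the defender's side of the method in the comment above, here is an added example (not from the original post and not Micro-CMS code): a login written the way that comment implies, with the username spliced into the SQL text and two distinguishable failure messages, beside a hardened version, plus a check that asks whether a true and a false injected condition still produce different responses. It assumes a constructed SQLite table and uses SQLite's unicode() where MySQL has ascii().

```python
import hmac
import sqlite3

def make_db():
    # Constructed demo table; the admin row is invented for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES ('ralph', 'notthepassword')")
    return db

def login_vulnerable(db, username, password):
    # The username is spliced into the SQL text and the two failure paths
    # return different messages: exactly the two conditions the comment above
    # relies on, so any boolean expression placed in username becomes an oracle.
    row = db.execute(
        f"SELECT password FROM admins WHERE username = '{username}'"
    ).fetchone()
    if row is None:
        return "Unknown user"
    if row[0] != password:
        return "Invalid password"
    return "Logged in"

def login_hardened(db, username, password):
    # Bound parameter: the input can no longer change the query's structure.
    # One generic message for both failures: the response no longer reveals
    # which check failed, so it cannot serve as a true/false signal either.
    row = db.execute(
        "SELECT password FROM admins WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[0], password):
        return "Invalid username or password"
    return "Logged in"

# The two comparison payloads from the comment, in SQLite syntax
# (unicode() instead of MySQL's ascii()). 'r' is code point 114.
TRUE_PAYLOAD = "' OR unicode(substr(username,1,1)) > 109 -- "
FALSE_PAYLOAD = "' OR unicode(substr(username,1,1)) > 115 -- "

def distinguishable(login):
    # Regression check a defender can keep in a test suite: do a true and a
    # false injected condition yield different responses? If yes, the login
    # leaks one bit per request and can be walked letter by letter.
    db = make_db()
    return login(db, TRUE_PAYLOAD, "") != login(db, FALSE_PAYLOAD, "")
```

Note that the parameterized query alone would already stop the injection; the uniform error message is the second layer, so that a future query bug does not turn the login back into an oracle.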
danbradster

Flag 1: I don't have Burp, so I used an easier method. Go to the edit page and leave it open. Open a new tab (same URL) and log out. In the edit page, hit save. Done.

That way, you're submitting an edit form without being logged in as admin, but it still works.

Malcolm Still

DaNeil,

Thank you for your article. I also didn't like that answer and wanted to come up with something simpler (to me). For that I went with a timing attack.

I've written it up on my blog blog.mstill.dev/0OpkO3J0T8SZgLDI87...

Malcolm Still

I rewrote my solution as I realised I don't need to use SLEEP.

See my follow up blog.mstill.dev/Cr1OdO4FTMq1Y7S5WN...

Bharat_Thapa.php • Edited

On flag 1, what was the hint about? What does it mean by saying "What actions could you perform as a regular user on the last level, which you can't now?"

DaNeil C

I assumed that it was talking about how regular users can only view pages but an admin can edit them, and that is why the flag is on /page/edit/2.

danbradster

It's saying that logged out users should not be able to edit pages, but in fact, if you can simulate the right POST request, it'll still go through, even when logged out.

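The root cause danbradster describes here and in the Flag 1 comment above, as an added example that is not Micro-CMS code: a toy router where only the GET that renders the edit form checks the session, so a POST without any session still writes the page, beside a version that authorizes the route before branching on method. Handler names, the request dict layout and the page store are hypothetical.

```python
PAGES = {2: "original body"}  # constructed page store; page 2 mirrors /page/edit/2

def is_admin(request):
    # request is a plain dict here: {"method": ..., "session": {...}, "form": {...}}
    return bool(request.get("session", {}).get("admin"))

def edit_form(request, page_id):
    # GET /page/edit/<id> renders the form; this is the branch the author guarded.
    if not is_admin(request):
        return 403, "Forbidden"
    return 200, PAGES[page_id]

def edit_save(request, page_id):
    # POST /page/edit/<id> performs the write. Nothing here asks who is calling,
    # which is why a replayed POST with no session cookie still changes the page.
    PAGES[page_id] = request["form"]["body"]
    return 302, f"/page/{page_id}"

def dispatch_vulnerable(request, page_id):
    # Authorization lives inside one method handler, not on the route.
    handler = {"GET": edit_form, "POST": edit_save}[request["method"]]
    return handler(request, page_id)

def dispatch_fixed(request, page_id):
    # Authorize the route once, before choosing a handler by method, so every
    # verb (and any verb added later) inherits the same check.
    if not is_admin(request):
        return 403, "Forbidden"
    return dispatch_vulnerable(request, page_id)
```

The same bug appears whenever a framework registers GET and POST as separate views and the check is added to only one of them; route-level authorization is the pattern that avoids it.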
The Watcher

This was so helpful. I just got lost on the last flag. Can anyone help me?