Hacker101 CTF: PostBook

This is part of a series I’m doing on the Hacker101 CTFs.

This post will focus on the seventh CTF, named “Postbook”. This has a whopping 7 flags, and is rated as “Easy”.

Flag 0

The site has a login page. After signing up (using test:test as my username and password) I noticed an existing account called “user”. Accounts like this are often left over from a default configuration, so I wondered whether it had a generic password as well.
It did (the password was ‘password’), which nets us our first flag!

Flag 1 and 4

I got both of these at once by accident.
While on the edit page I looked at the URL and wondered what would happen if I changed the post ID in it from “2” to “1”. This did two things:
Allowed me to EDIT a private post
Allowed me to VIEW a private post

Both netted me a flag! The server looks the post up by whatever ID is in the URL without checking that the logged-in user owns it, a classic insecure direct object reference (IDOR).

Flag 2

This flag is interesting too. If you use inspect element to look at how the site builds the form for a new post, you will see the following element:
<input type="hidden" name="user_id" value="2">
Simply removing the type="hidden" part makes the field editable in the browser, and setting it to another user’s ID (the admin’s, for example) lets us post as that user, because the server trusts the user_id it receives instead of taking it from the session.
Upon posting, we get our flag!
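The two server-side mistakes behind Flags 1, 2 and 4 (trusting a client-supplied user_id, and looking posts up by ID with no ownership check) are easy to see side by side with their fix. The following is an added example modelling those handlers, not PostBook’s own code; the in-memory store, the sample posts and all function names are constructed assumptions.

```python
"""Toy model of PostBook's post handlers (an added example, not the CTF's own code).

Reproduces the two behaviours in the write-up: create trusts the hidden user_id
field, and view/edit look a post up by ID with no ownership check (an IDOR).
The hardened handlers take the identity from the server-side session and check
ownership. Data, store layout and function names are constructed assumptions.
"""

# Constructed sample data: user 1 is the admin, user 2 is the test account.
USERS = {1: "admin", 2: "test"}
POSTS = {
    1: {"owner": 1, "body": "Hello world", "private": False},
    2: {"owner": 1, "body": "private admin post", "private": True},
    3: {"owner": 2, "body": "written by test", "private": False},
}


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller may not touch the post."""


# --- vulnerable handlers: what the write-up observed --------------------------

def create_post_vulnerable(form):
    """Owner is whatever user_id the client sent (the hidden field, Flag 2)."""
    post_id = max(POSTS) + 1
    POSTS[post_id] = {"owner": int(form["user_id"]), "body": form["body"], "private": False}
    return post_id


def view_post_vulnerable(session, post_id):
    """Looks the post up by ID only, so private posts of other users leak (Flag 4)."""
    return POSTS[post_id]["body"]


def edit_post_vulnerable(session, post_id, new_body):
    """Same missing check on write: changing the ID in the URL edits anyone's post (Flag 1)."""
    POSTS[post_id]["body"] = new_body
    return True


# --- hardened handlers --------------------------------------------------------

def is_authorized(session, post_id, write):
    """Ownership check: the owner may do anything; others may only read public posts.
    A missing post is treated like a forbidden one, so the ID space can't be probed."""
    post = POSTS.get(post_id)
    if post is None:
        return False
    if post["owner"] == session["user_id"]:
        return True
    return (not write) and (not post["private"])


def create_post_hardened(session, form):
    """Owner comes from the session; a user_id field in the form is ignored."""
    post_id = max(POSTS) + 1
    POSTS[post_id] = {"owner": session["user_id"], "body": form["body"], "private": False}
    return post_id


def view_post_hardened(session, post_id):
    if not is_authorized(session, post_id, write=False):
        raise Forbidden(f"post {post_id}")
    return POSTS[post_id]["body"]


def edit_post_hardened(session, post_id, new_body):
    if not is_authorized(session, post_id, write=True):
        raise Forbidden(f"post {post_id}")
    POSTS[post_id]["body"] = new_body
    return True


if __name__ == "__main__":
    me = {"user_id": 2}                      # logged in as the test account
    print(view_post_vulnerable(me, 2))       # admin's private post leaks
    pid = create_post_vulnerable({"user_id": "1", "body": "posted as admin"})
    print(USERS[POSTS[pid]["owner"]])        # admin
    try:
        view_post_hardened(me, 2)
    except Forbidden as exc:
        print("hardened refused:", exc)
```

The important design choice is that the hardened code never reads an identity from the request at all: the only source of “who is asking” is the server-side session, and every lookup by ID is followed by an ownership check before anything is returned or written.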

Flag 3

This flag is once again trivial, as the Hacker101 clue gives it away: 189 * 5. That is 945, so I simply changed the post ID in the URL to 945.

Flag 5

This is where things start to get interesting. Browsers store cookies, and in PostBook they are what keep you signed in from page to page. That is very convenient for the user, but could we abuse it to log in as someone else?

First things first, I had to be able to view the cookie. For that I installed Cookie-Quick-Manager, an open-source browser extension that lets me view and edit cookies.
The site set two cookies, “session” and “id”. I assumed “id” was the user ID (the rest of the website uses it too), but instead of a plain “2” for my account it held what looked like jumbled garbage: “c81e728d9d4c2f636f067f89cc14862c”. That length and character set suggested a hash of the number 2, so I ran it through a hash reverse-lookup site, and to my surprise it returned the number 2 and identified the hash as MD5.
After this I simply MD5-encoded the number “1” and put that in the cookie.
This gave me my flag, with only one more to go! An unkeyed hash of a sequential ID is no better than the ID itself, since anyone can compute it for any user.

Flag 6

The clue for this one is:
Deleting a post seems to take an ID that is not a number. Can you figure out what it is?

First things first, I copied the link on the “delete” button and inspected it:
/index.php?page=delete.php&id=eccbc87e4b5ce2fe28308fd9f2a7baf3
So it calls “delete.php” with an “id” parameter that again looks like a hash.
Once more I put the hash into the reverse-lookup tool (see above), selected MD5, crossed my fingers, and it came back with “3”, the ID of the post I wanted to remove!
So I decided to try to remove the admin’s first ever post (“Hello world”), which is post 1.
To do so, I just needed to visit this link:
/index.php?page=delete.php&id=c4ca4238a0b923820dcc509a6f75849b
And this gives us our flag, as well as deleting the admin’s post, while logged in as an ordinary user! The only “protection” on deletion is the MD5 of the post ID; there is no check that the post belongs to the current user.
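Flags 5 and 6 both come down to the same weakness: the “id” cookie and the delete link’s id parameter are plain MD5 digests of small integers. The added example below (not PostBook’s code) replaces the reverse-lookup site with a few lines of brute force, reproduces the values from this write-up, and then shows a keyed identifier as one way such a value could be hardened; that keyed scheme is an assumption about a fix, not something PostBook does.

```python
"""Reversing and forging PostBook's MD5 identifiers (an added example, not the CTF's code).

Both the "id" cookie (Flag 5) and the delete link's id parameter (Flag 6) are plain
MD5 digests of small integers, so the reverse-lookup site the write-up used can be
replaced by brute force. The keyed alternative at the end is an assumption about how
such an identifier could be hardened, not something PostBook does.
"""
import hashlib
import hmac
from typing import Optional

# Values copied from the write-up.
COOKIE_ID_USER2 = "c81e728d9d4c2f636f067f89cc14862c"   # "id" cookie for our account (user 2)
DELETE_ID_POST3 = "eccbc87e4b5ce2fe28308fd9f2a7baf3"   # id parameter on the delete link for post 3


def md5_of_int(n: int) -> str:
    """MD5 of the decimal string ("2" -> c81e72...), which is what PostBook used."""
    return hashlib.md5(str(n).encode()).hexdigest()


def reverse_small_int_md5(digest: str, limit: int = 100_000) -> Optional[int]:
    """Offline stand-in for the reverse-lookup site: try every integer up to limit.
    Sequential IDs make this instant; returns None if nothing matches."""
    digest = digest.lower()
    for n in range(limit + 1):
        if md5_of_int(n) == digest:
            return n
    return None


def forge_cookie_id(user_id: int) -> str:
    """Value to put in the "id" cookie to be treated as user_id (Flag 5)."""
    return md5_of_int(user_id)


def forge_delete_url(post_id: int) -> str:
    """Delete link for any post, whoever owns it (Flag 6)."""
    return f"/index.php?page=delete.php&id={md5_of_int(post_id)}"


# --- hardened alternative (assumption): keyed identifier -----------------------

def make_keyed_id(n: int, key: bytes) -> str:
    """HMAC-SHA256 over the ID with a server-side key. Without the key a client can't
    mint the tag for another ID, unlike an unkeyed MD5 that anyone can compute."""
    tag = hmac.new(key, str(n).encode(), hashlib.sha256).hexdigest()
    return f"{n}.{tag}"


def verify_keyed_id(token: str, key: bytes) -> Optional[int]:
    """Returns the ID if the tag verifies, else None. compare_digest avoids timing leaks."""
    n_str, _, tag = token.partition(".")
    if not n_str.isdigit():
        return None
    expected = hmac.new(key, n_str.encode(), hashlib.sha256).hexdigest()
    return int(n_str) if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    print(reverse_small_int_md5(COOKIE_ID_USER2))   # 2
    print(reverse_small_int_md5(DELETE_ID_POST3))   # 3
    print(forge_cookie_id(1))                        # the admin's cookie value
    print(forge_delete_url(1))                       # the delete link for "Hello world"
```

Even the keyed identifier only stops a client from guessing other IDs; the delete handler still has to check that the session user owns the post, which is the actual missing check behind Flag 6.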

Hacker101 CTF: Micro-CMS v2

This is part of a series I’m doing on the Hacker101 CTFs.

This post will focus on the second CTF, named “Micro-CMS v2”. This has 3 flags, and is rated as “Moderate”.

This new CTF boasts several improvements on v1, and its changelog page in the CTF reads:

    Version 2

    This version fixed the multitude of security flaws and general functionality bugs that plagued v1. Additionally, we added user authentication; we're still not sure why we didn't think about that the first time, but hindsight is 20/20. By default, users need to be an admin to add or edit pages now.

Flag 0

Editing now requires a login, but how can I get into an account without the login details? Simple: I need a bypass.
To test for an SQL injection vulnerability I typed a single quote into the username box, hit enter, and got this error:

    Traceback (most recent call last):
      File "./main.py", line 145, in do_login
        if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
      File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
        self.errorhandler(self, exc, value)
      File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
        raise errorvalue
    ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1")

Which reveals some nice information:

The server runs Python (specifically 2.7)
It talks to a MariaDB server through the MySQLdb driver
The username is formatted straight into the SQL string; the only processing is .replace('%', '%%'), which escapes percent signs for Python’s formatting operator and does nothing about quotes
So, to bypass the login, I first tried ' OR 1=1;-- as the username, which does not work. That makes sense: the query only fetches the stored password to compare against, so ' OR 1=1 just returns the real admin password(s), which we still don’t know. Maybe a UNION attack, which lets us choose what comes back in the password column?
First I try foo' UNION SELECT 'admin', 'dummy';-- as my username, which changes the SQL query to:

    SELECT password FROM admins WHERE username='foo' UNION SELECT 'admin', 'dummy';--'

Which should work, right?
Nope, but it helpfully gives all the feedback needed to fix it, spitting out the following error:

    The used SELECT statements have a different number of columns

To fix this I entered the same thing but varied the number of dummy fields:

    foo' UNION SELECT 'admin', 'dummy', 'dummy', 'dummy';--

But however many I added it still produced an error, except when I used only ONE field, 'admin'. In hindsight that is expected: the original SELECT returns a single column (password), so the UNION must return exactly one column too.
This still was not quite it though: the page came back with “Invalid password” (putting another dummy value in the password field did nothing here).
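The three outcomes above (a lone quote breaking the statement, a two-column UNION tripping the column-count check, and a one-column UNION placing a chosen value in the password column) can be reproduced offline from the single query line visible in the traceback. The following is an added example, not the CTF’s code: it runs that same string formatting against an in-memory SQLite table, so the error texts differ from MariaDB’s; the admins table and its row are constructed, only the column names come from the traceback, and the password comparison that follows the query on the real server is not on the page and is not modelled.

```python
"""Modelling the Micro-CMS v2 login query (an added example, not the CTF's code).

Reproduces the formatted query from the traceback against an in-memory SQLite
table. SQLite's error texts differ from MariaDB's; the admins table and its row
are constructed, and only the column names come from the traceback. What the
real server does with the returned row afterwards is not on the page.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the admins table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', 'real-password-we-do-not-know')")
    return con


def build_vulnerable_query(username: str) -> str:
    """Same construction as the traceback: only '%' is doubled (for the % operator);
    quotes go into the SQL untouched, so the user controls the statement."""
    return 'SELECT password FROM admins WHERE username=\'%s\'' % username.replace('%', '%%')


def lookup_password_vulnerable(con, username: str):
    """Runs the formatted query. Returns the rows, or the database error text."""
    try:
        return con.execute(build_vulnerable_query(username)).fetchall()
    except sqlite3.Error as exc:      # MariaDB raised ProgrammingError 1064 here
        return f"error: {exc}"


def lookup_password_safe(con, username: str):
    """The fix: a parameterised query. The driver binds the value, so no quote
    or UNION inside it can alter the statement."""
    return con.execute("SELECT password FROM admins WHERE username=?", (username,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    for payload in ["'",
                    "foo' UNION SELECT 'admin', 'dummy';--",
                    "foo' UNION SELECT 'admin';--"]:
        print(repr(payload), "->", lookup_password_vulnerable(con, payload))
    print("parameterised ->", lookup_password_safe(con, "foo' UNION SELECT 'admin';--"))
```

With the one-column UNION the query returns ('admin',) even though no such user matched the WHERE clause: the value in the password column is now attacker-chosen rather than read from the table, which is exactly what the UNION was for. The parameterised version returns no rows for the same input.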

Hacker101 CTF: Micro-CMS v1

This is part of a series I’m doing on the Hacker101 CTFs.

This first post will focus on the first CTF, named “Micro-CMS v1”. This has 4 flags, and is rated as “Easy”.

Flag 0
This first flag is relatively easy to find. After looking around I created a page and saw that the pages were numbered like so:
1, 2, 10
Which begs the question, where are 3 to 9?
Requesting page 6 (by simply typing the URL myself) returned a 403, which means the page exists but I am not allowed to view it. To get at it, I next tried editing a page, whose URL was:
http://[example]/[user_string]/page/edit/1
So, what happens if I change the 1 to a 6 here?
Bingo, our first flag! The view route enforces the access check but the edit route does not, so the same content leaks through a different door.

Flag 1

For our second flag the hint is to tamper with every input, so that’s just what I did. I inserted <script>alert(0)</script> everywhere I could, eventually in the title of a page, and voilà: when I went to the home page the XSS fired and I got my second flag! The title is written into the page without being escaped.

Flag 2

When editing a page, some SQL query obviously has to be sent to retrieve that page’s contents, so I added a single quote to the end of the URL (i.e. to the page ID), which netted us our third flag for an SQL injection vulnerability!

Flag 3
The edit page has a curious statement at the bottom:

    Markdown is supported, but scripts are not

Which begs the question: what about other HTML tags?
So I tested with a simple <h1>Testing</h1>, and that works. So, is there a way to run JavaScript from an HTML element without a script tag? Yes, there is: an event-handler attribute!

    <button onclick="alert(0)">Click me!</button>

aaand, no flag? Curious about what went wrong, I took a look with inspect element, and, funnily enough, there was the flag, sitting in the button element’s attributes!
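Flags 1 and 3 are two faces of the same problem: text written into the page unescaped, and a “no scripts” rule that only looks for the script tag while letting an onclick attribute through. The added example below is not Micro-CMS’s code (how the CTF filters input is not on the page) and its payloads are constructed; it puts a naive script-stripping filter beside an allowlist sanitizer that keeps only known tags, drops every attribute not explicitly allowed (so all on* handlers go), rejects javascript: URLs and escapes text.

```python
"""Two HTML filters side by side (an added example, not Micro-CMS's code).

The first is the naive "remove <script>" approach, which leaves event-handler
attributes alone. The second rebuilds the document from parsed tokens and emits
only what an allowlist permits. Payloads are constructed to match the write-up.
"""
import html
import re
from html.parser import HTMLParser

# Constructed payloads matching the write-up's findings.
PAYLOAD_SCRIPT = "<script>alert(0)</script>"
PAYLOAD_BUTTON = '<button onclick="alert(0)">Click me!</button>'
PAYLOAD_H1 = "<h1>Testing</h1>"

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)


def strip_script_tags(markup: str) -> str:
    """Naive blocklist: removes <script> blocks and nothing else.
    Event-handler attributes like onclick survive, so JavaScript still runs."""
    return SCRIPT_RE.sub("", markup)


ALLOWED_TAGS = {"h1", "h2", "h3", "p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "button"}
ALLOWED_ATTRS = {"a": {"href"}}                           # everything else, including on*, is dropped
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.I)    # no javascript:, data:, etc.


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, emitting only what the allowlist permits."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0          # >0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return              # unknown tag is dropped; its text content is kept as text
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value and SAFE_URL.match(value):
                kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(markup: str) -> str:
    """Allowlist-sanitised version of markup, safe to embed in a page."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for payload in (PAYLOAD_SCRIPT, PAYLOAD_BUTTON, PAYLOAD_H1):
        print("naive    :", strip_script_tags(payload))
        print("allowlist:", sanitize(payload))
```

The point of the allowlist shape is that new attack surface (an attribute, a tag, a URL scheme nobody thought of) is rejected by default, whereas a blocklist like strip_script_tags has to anticipate every variant and, as Flag 3 shows, misses the ones it did not.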

Done
With that, we’ve just completed the first proper CTF!

Linux Aliases

In nearly all Linux distros you can set aliases. I thought I’d share the ones I use at the moment!

    alias get="sudo apt-get install"                                   # install a package
    alias lt="ls -la --human-readable --size -1 -S --classify"         # long listing, biggest files first
    alias count='find . -type f | wc -l'                               # count files under the current directory
    alias editaliases="sudo gedit /home/${LOGNAME}/.bash_aliases"      # edit this file
    alias restart='sudo reboot'
    alias mime='file -b --mime-type'                                   # print a file's MIME type

To make sure these are loaded in every terminal session, I simply add this to my .bashrc file:

    # Load the aliases (if the file exists), then show them on startup
    [ -f "$HOME/.bash_aliases" ] && . "$HOME/.bash_aliases"
    AliasContents=$(cat "$HOME/.bash_aliases")
    echo "Current aliases are: $AliasContents"
Where .bash_aliases simply contains the above aliases! One caveat on the editaliases alias: sudo isn’t needed for that file, since it lives in your own home directory, and editing it as root only risks leaving root-owned files behind there.

Hello World!

Hello there!
This is my new cybersecurity blog for general thoughts, as well as write-ups of the various CTFs I do in my spare time. Not every CTF will get a write-up, but some will.