1. Exploration
Landing page shows two files. Looks like we are going to deal with markdown.
Creating new page allows us to put in title and some content.
Fact: Markdown renderers pass inline HTML through, so all sorts of XSS payloads are worth trying. The script tag doesn't work.
2. Enumeration
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 'php,html,txt' -t 32 -q -u http://35.190.155.168/46a90aa06a/page/
/10 (Status: 200) [Size: 309]
/11 (Status: 200) [Size: 213]
/1 (Status: 200) [Size: 239]
/01 (Status: 200) [Size: 239]
/2 (Status: 200) [Size: 433]
/07 (Status: 403) [Size: 234]
10 & 11 are pages I created for funsies, and 1 & 2 were there already. 7 looks off: the page itself is forbidden (status 403).
We observe that /page/edit/1 is the path for editing page 1, which means we can try editing page 7 directly via /page/edit/7, and we get a flag!
3. XSS
I was playing around with XSS and I realised that the image tag should work, because one sample page had it. Trying out <image src=1 href=1 onerror="javascript:alert(1)"></image> works!
Check the source code again for the flag. Try the same in the title, and get another flag!
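The root cause above is raw HTML passing through the Markdown renderer unsanitized. As an added illustration (not the challenge's code), here is an allow-list sanitizer built on Python's html.parser that drops unknown tags such as <image>, every on* event-handler attribute, and javascript: URLs, while keeping ordinary formatting; the tag and attribute policy is an assumption chosen for this example.

```python
import html
from html.parser import HTMLParser

# Assumed policy for HTML embedded in Markdown: allow-listed tags and
# attributes only; anything else is dropped rather than escaped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "code",
                "pre", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"img", "br"}


def safe_url(value: str) -> bool:
    """Accept http(s) and same-origin relative URLs; reject javascript:, data:, //host."""
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://")) or (
        v.startswith("/") and not v.startswith("//"))


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>, whose text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip += 1
            return  # unknown tags (e.g. <image>) vanish; their text content is kept
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror/onload/... never survive, nor unlisted attributes
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    """Return the allow-listed HTML for a rendered Markdown fragment."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Run this on the rendered HTML before it is stored or served; the image payload from this write-up sanitizes to an empty string, while a plain <img src="https://..."> keeps its src and loses onerror.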
4. SQLi
Appending a single quote to the view path, /page/1', does not work. Doing the same on the edit path, /page/edit/1', works, and we get the final flag.