This post is a writeup of Micro-CMS v2, a Hacker101 CTF web hacking challenge. The challenge is categorized as Moderate, has three flags, and a total of 7 hints are provided:
- Regular users can only see public pages
- Getting admin access might require a more perfect union
- Knowing the password is cool, but there are other approaches that might be easier
- What actions could you perform as a regular user on the last level, which you can’t now?
- Just because request fails with one method doesn’t mean it will fail with a different method
- Different requests often have different required authorization
- Credentials are secret, flags are secret. Coincidence?
Following the provided link leads directly to the main page.
The main page looks quite similar to the main page of Micro-CMS v1. However, this time we cannot simply use the edit functionality to retrieve sites. Instead, edit and create require authentication.
Probing the login form via the username field and a MySQL control character results in the following error:
From here, we know that the username field is prone to SQL injection and, furthermore, we can extract the query syntax to perform an adequate injection.
Two different approaches can be chosen next. We will use sqlmap to retrieve information from the database, as suggested in the previous writeup. The alternative is to perform an authentication bypass to log in successfully and analyse the CMS from there. The sqlmap command to search for a valid injection payload and dump the databases is as follows:
sqlmap -u "http://[ip]/[id]/login" --data="username=1&password=2" --dump
sqlmap identifies several payload options that are valid for further exploitation.
Dumping the table pages provides the content of each site stored in the CMS. One of the sites, named Private Page, contains the flag.
If the alternative path had been followed, the authentication bypass would have led to admin access to the CMS. With admin access, the site Private Page, which contains the flag, would be available from within the CMS.
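To make the root cause of this first flag concrete, here is an added example (not code from the challenge or from Hacker101) of a login query built by string concatenation next to a hardened version. It uses an in-memory SQLite database in place of the challenge's MySQL backend, so the error text differs, but the mechanism is the same: a stray quote in the username changes the SQL syntax and produces a database error, and a comment sequence lets the username alone decide the result. The table name admins follows the writeup; the column names, the sample credential, and the PBKDF2 parameters are assumptions. The hardened version also stores a salted hash instead of the cleartext password that the dump later reveals.

```python
import hashlib
import hmac
import os
import sqlite3

# --- Vulnerable side: string-built query over a cleartext admins table ---

def make_vulnerable_db() -> sqlite3.Connection:
    # Constructed stand-in for the CMS database; column names are assumed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'hunter2')")  # cleartext, as in the dump
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Returns (authenticated_user, error_text). Input is spliced into the SQL."""
    query = (
        "SELECT username FROM admins WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # A single quote in the username breaks the syntax; leaking this text
        # to the client is what let the writeup recover the query shape.
        return None, str(exc)
    return (row[0] if row else None), None


# --- Hardened side: bound parameters and salted password hashes ---

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_hardened_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO admins VALUES (?, ?, ?)",
        ("admin", salt, hash_password("hunter2", salt)),
    )
    return conn


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Returns the username on success, None otherwise. Input never touches the SQL text."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM admins WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return username
    return None


if __name__ == "__main__":
    vuln = make_vulnerable_db()
    print("vulnerable, stray quote :", login_vulnerable(vuln, "'", "pw"))
    print("vulnerable, comment trick:", login_vulnerable(vuln, "admin'-- ", "pw"))
    safe = make_hardened_db()
    print("hardened, stray quote    :", login_hardened(safe, "'", "pw"))
    print("hardened, comment trick  :", login_hardened(safe, "admin'-- ", "pw"))
    print("hardened, real password  :", login_hardened(safe, "admin", "hunter2"))
```

The parameterized query is the fix for the injection; the hashed column is what would have kept the second table from yielding usable credentials even after a full dump.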
Using the edit function requires a valid login. If the site is requested via GET method, the response is a redirect to the login page.
Changing the request type to POST circumvents the access protection and results in the flag.
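The second flag comes from an authorization check that is attached to one HTTP method rather than to the resource. The following added example (not code from the challenge) models that in plain Python: a request dispatcher whose GET handler redirects anonymous users while the POST handler silently trusts that the check already happened, beside a hardened dispatcher that decides authorization once, per protected path, before any method-specific code runs. The path /page/edit/<id> and the session layout are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    session: dict = field(default_factory=dict)  # {"user": "..."} when logged in


@dataclass
class Response:
    status: int
    body: str = ""


# Paths that require a logged-in user regardless of HTTP method (assumed).
PROTECTED_PREFIXES = ("/page/edit/", "/page/create")


def is_logged_in(req: Request) -> bool:
    return bool(req.session.get("user"))


def handle_vulnerable(req: Request) -> Response:
    """Check lives inside the GET branch only; POST never looks at the session."""
    if req.path.startswith("/page/edit/"):
        if req.method == "GET":
            if not is_logged_in(req):
                return Response(302, "/login")
            return Response(200, "edit form")
        if req.method == "POST":
            return Response(200, "page saved")  # reachable by anyone
    return Response(404)


def handle_hardened(req: Request) -> Response:
    """Authorization is decided per path before dispatch, for every method."""
    if any(req.path.startswith(p) for p in PROTECTED_PREFIXES) and not is_logged_in(req):
        return Response(302, "/login")
    if req.path.startswith("/page/edit/"):
        if req.method == "GET":
            return Response(200, "edit form")
        if req.method == "POST":
            return Response(200, "page saved")
        return Response(405)  # unknown methods are rejected, not ignored
    return Response(404)


def audit(handler, requests):
    """Run a handler over a batch of requests; useful for regression-testing the rule."""
    return [(r.method, r.path, handler(r).status) for r in requests]


if __name__ == "__main__":
    # Constructed traffic: the same anonymous edit attempt via GET and POST.
    batch = [
        Request("GET", "/page/edit/1"),
        Request("POST", "/page/edit/1"),
        Request("POST", "/page/edit/1", {"user": "admin"}),
    ]
    print("vulnerable:", audit(handle_vulnerable, batch))
    print("hardened  :", audit(handle_hardened, batch))
```

In a real framework the same idea is a before-request hook or a decorator applied to the whole route, so that adding a new method to a view cannot reintroduce the gap; a quick audit of access logs for 200 responses to POST on edit paths without a session cookie is the corresponding detection.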
As we already used sqlmap to access the database, we are able to retrieve each table in the database. A second table (admins) that can be accessed contains valid cleartext credentials for the login page.
Using these credentials on the login form results in the last flag.
If the alternative approach had been followed, no credentials would be available for the login. In this case, the flag can be obtained by using hydra, medusa or Burp Suite's Sniper to conduct a brute-force attack against the site. Solid wordlists for such attacks can be found from jeanphorn, SecLists, and under /usr/share/wordlists/ on any Kali distribution.