This post is a writeup of Micro-CMS v1, a Hacker101 CTF web hacking challenge. The challenge is categorized as Easy, has four flags, and comes with a total of 12 hints:
- Try creating a new page
- How are pages indexed?
- Look at the sequence of IDs
- If the front door doesn’t open, try the window
- In what ways can you retrieve page contents?
- Make sure you tamper with every input
- Have you tested for the usual culprits? XSS, SQL injection, path injection
- Bugs often occur when an input should always be one type and turns out to be another
- Remember, form submissions aren’t the only inputs that come from browsers
- Sometimes a given input will affect more than one page
- The bug you are looking for doesn’t exist in the most obvious place this input is shown
- Script tags are great, but what other options do you have?
Following the provided link leads directly to the main page.
As can be seen, there are two sample pages (Testing and Markdown Test) as well as a link to the functionality for creating a new page. In a first step, the samples are reviewed.
There is not much information on the first sample page; however, there appears to be further functionality to edit existing pages. We keep this in mind and explore the second sample page.
The second page also provides little information. An interesting observation at this point is that pages appear to be accessed via the following syntax:
The observed page numbers are 1 and 2 so far. To further investigate the numbering scheme, a new page is created.
Accessing the page reveals the assigned number.
Interestingly, the assigned number is 10, while the two sample pages are numbered 1 and 2. Enumerating the missing 8 pages reveals that 7 are not available on the server. However, page number 5 responds with access forbidden.
As we have already discovered the edit functionality, we quickly identify the syntax to edit a page as:
And try to access the page via the edit function.
Fortunately, the edit function shows the page that is being edited. This way the first flag can be retrieved.
From our observations, we already know that the provided number is used to read the stored pages from the server. A common initial test for SQL injection vulnerabilities is to add control characters to queries. As these characters vary between database management systems, a trial-and-error approach is required without further information. An awesome tool to automate this task is sqlmap.
However, as an initial probe, we append the MySQL string termination character ' to the two queries we already identified, as follows:
The second query results in the flag, indicating that the edit functionality is not only prone to access violations but also to SQL injection.
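To show why the probe above produces an error rather than a plain "not found", here is an added example that is not part of the Micro-CMS challenge or this writeup: a constructed sqlite3 page store with a lookup that splices the id into the SQL text, next to a hardened lookup that insists on an integer id, binds it as a parameter, and applies the same access check on the edit path as on the page view. All table, function and flag values are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the CMS page store (not the real challenge code)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, private INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)", [
        (1, "Testing", "sample body", 0),
        (2, "Markdown Test", "sample body", 0),
        (5, "Private", "FLAG{constructed-placeholder}", 1),   # stands in for the forbidden page
    ])
    return db

def load_page_naive(db, page_id):
    # The pattern the writeup's probe exposes: the id is spliced into the SQL text,
    # so an id of "1'" breaks the quoting and the database raises an error.
    return db.execute("SELECT title, body FROM pages WHERE id = '%s'" % page_id).fetchone()

def load_page_safe(db, page_id, editor_logged_in=False):
    # Hint 9: the id should always be an integer. Reject anything else before it
    # reaches the database, then bind it as a parameter instead of formatting it in.
    if not isinstance(page_id, str) or not page_id.isdigit():
        return None
    row = db.execute("SELECT title, body, private FROM pages WHERE id = ?",
                     (int(page_id),)).fetchone()
    if row is None:
        return None
    title, body, private = row
    # The edit view must enforce the same access rule as the page view,
    # otherwise a forbidden page can simply be read through the editor.
    if private and not editor_logged_in:
        return None
    return (title, body)

def probe(db, page_id):
    """Classify how the naive lookup reacts to an id: 'ok', 'missing' or 'sql-error'."""
    try:
        return "ok" if load_page_naive(db, page_id) else "missing"
    except sqlite3.OperationalError:
        return "sql-error"
```

The distinguishing signal a tester sees is exactly the gap between `probe` returning "missing" for an unused id and "sql-error" for a quote-terminated one; the hardened lookup returns `None` for both.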
Flags 2 and 3
In a next step we analyse the input via HTTP form data. There are two potential vectors for injecting malicious content within the create-new-page functionality: the title and the body.
An initial probe for XSS vulnerabilities with the following payload in the body field is sent:
This filter can be evaded by choosing a payload that does not rely on the term script. OWASP provides a good cheat sheet with payloads for filter evasion.
The following payload is chosen for further investigation:
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,88))"></img>
To speed up the analysis, the payload is injected into both fields at the same time. Viewing the source code of the edited page after injection yields the first XSS flag.
The second XSS flag can be retrieved by accessing the main page, where the title of each page is listed.