Hacker101 Micro-CMS v1 CTF Walkthrough

Mohammadaassif
3 min readMar 30, 2022

My first CTF will involve a hacker101 set of provided CTFs, Micro-CMS v1. The CTF is located here: https://ctf.hacker101.com/ctf. It is an easy CTF to solve hence would be a good starting point for a beginner.

Flag0: Stored XSS

Opening Micro-CMS v1, I get three:

I first visit the ‘create a new page’ link. When I create a new page, the details of the new page are reflected in the response. This is a good indication that the website might be vulnerable to XSS (Cross-site scripting). I test for XSS by editing the page title with this payload:

hello<script>alert(1);</script>

Going back home, the payload executes and I get the first flag. 😊

Flag1: Unauthorized Access

When I created my first page, I observed that it was assigned an id of 8

When I visit the two pages provided before, I observe that the pages have an id of 1 and 2. So I try to retrieve pages between 2 and 8. Page 5 responds with a 403 forbidden error while others respond with 404.

I poke around the system to look for other areas the page id is present and observe that the page id is also used when retrieving a page for editing.

I switch the page id to 5, refresh the page and get the third flag:

Flag2: SQLi

When editing a page, I notice that the page id is passed in the URL. I test this parameter for SQL injection by placing a ‘ (single quote) at the end of the id parameter and I get the second flag:

Flag3: Stored XSS

Since the input is reflected in the page, I have to find a way to bypass the markdown filter to execute XSS. After searching and trying different payloads, I come across this payload:

<button onclick=alert(‘xss’)>click</button>

The payload executes successfully but there is no flag displayed.

Viewing the source code, I find the flag:

Thank you for reading. If you enjoyed this article.

--

--