Hacker101 Micro-CMS v1 CTF Walkthrough
My first CTF will involve a Hacker101 set of provided CTFs, Micro-CMS v1. The CTF is located here: https://ctf.hacker101.com/ctf. It is an easy CTF to solve and hence would be a good starting point for a beginner.
Flag0: Stored XSS
Opening Micro-CMS v1, I get three:
I first visit the ‘create a new page’ link. When I create a new page, the details of the new page are reflected in the response. This is a good indication that the website might be vulnerable to XSS (Cross-site scripting). I test for XSS by editing the page title with this payload:
hello<script>alert(1);</script>
Going back home, the payload executes and I get the first flag. 😊
Flag1: Unauthorized Access
When I created my first page, I observed that it was assigned an id of 8.
When I visit the two pages provided before, I observe that the pages have an id of 1 and 2. So I try to retrieve pages between 2 and 8. Page 5 responds with a 403 forbidden error while others respond with 404.
I poke around the system to look for other areas where the page id is present and observe that the page id is also used when retrieving a page for editing.
I switch the page id to 5, refresh the page and get the third flag:
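The pattern behind this flag, a view route that checks access while the edit route looks up the same id without that check, is modelled below as an added example; it is not code from Micro-CMS or from the original post. The page store, the function names and the is_admin flag are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Page:
    body: str
    private: bool = False

# Constructed sample data: ids 1 and 2 are public, 5 is private.
PAGES = {
    1: Page("public page one"),
    2: Page("public page two"),
    5: Page("private notes", private=True),
}

def view_page(page_id, is_admin=False):
    """View route as observed: 404 for unknown ids, 403 for the private page."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, ""
    if page.private and not is_admin:
        return 403, ""
    return 200, page.body

def edit_page_vulnerable(page_id, is_admin=False):
    """Edit route with the flaw: same id lookup, but no access check."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, ""
    return 200, page.body  # private body is returned to any caller

def load_authorized(page_id, is_admin):
    """One lookup shared by every route, so no route can skip the check.
    A private page looks the same as a missing one to unauthorized callers,
    which also removes the 403/404 difference that reveals the page exists."""
    page = PAGES.get(page_id)
    if page is None or (page.private and not is_admin):
        return None
    return page

def view_page_fixed(page_id, is_admin=False):
    page = load_authorized(page_id, is_admin)
    return (404, "") if page is None else (200, page.body)

def edit_page_fixed(page_id, is_admin=False):
    page = load_authorized(page_id, is_admin)
    return (404, "") if page is None else (200, page.body)

if __name__ == "__main__":
    for pid in range(1, 9):  # status codes per id: view, flawed edit, fixed edit
        print(pid, view_page(pid)[0], edit_page_vulnerable(pid)[0], edit_page_fixed(pid)[0])
```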
Flag2: SQLi
When editing a page, I notice that the page id is passed in the URL. I test this parameter for SQL injection by placing a ' (single quote) at the end of the id parameter and I get the second flag:
Flag3: Stored XSS
Since the input is reflected in the page, I have to find a way to bypass the markdown filter to execute XSS. After searching and trying different payloads, I come across this payload:
<button onclick=alert('xss')>click</button>
The payload executes successfully but there is no flag displayed.
Viewing the source code, I find the flag:
Thank you for reading.