My first CTF will be one of the CTFs provided by Hacker101, Micro-CMS v1. The CTF is located here: https://ctf.hacker101.com/ctf. It is an easy CTF to solve, hence a good starting point for a beginner.
Flag0: Stored XSS
Opening Micro-CMS v1, I get three:
I first visit the ‘create a new page’ link. When I create a new page, the details of the new page are reflected in the response. This is a good indication that the website might be vulnerable to XSS (Cross-site scripting). I test for XSS by editing the page title with this payload:
Going back home, the payload executes and I get the first flag. 😊
Flag1: Unauthorized Access
When I created my first page, I observed that it was assigned an id of 8.
When I visit the two pages provided before, I observe that they have ids of 1 and 2. So I try to retrieve the pages between 2 and 8. Page 5 responds with a 403 Forbidden error while the others respond with 404.
I poke around the system to look for other areas the page id is present and observe that the page id is also used when retrieving a page for editing.
I switch the page id to 5, refresh the page and get the third flag:
When editing a page, I notice that the page id is passed in the URL. I test this parameter for SQL injection by placing a ‘ (single quote) at the end of the id parameter and I get the second flag:
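Both of the last two findings come from the same place: the edit route trusts the page id from the URL. The following is an added example (not the CTF's own code; the table layout, the `is_private` column and the sample rows are assumptions) that reproduces the two defects in a vulnerable editor and shows the hardened version, where the edit route goes through the same validated, parameterized, authorization-checked loader as the view route, so a 403 on view cannot be bypassed by switching to edit:

```python
import sqlite3

# Constructed sample data, not the CTF's real schema: page 5 is the private one
# that the write-up found returning 403 on view.
SAMPLE_PAGES = [
    (1, "Testing", "first provided page", 0),
    (2, "Markdown Test", "second provided page", 0),
    (5, "Private", "not for regular users", 1),
    (8, "My page", "created by the author", 0),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, is_private INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)", SAMPLE_PAGES)
    return conn


def view_page(conn, page_id, is_admin=False):
    """Single loader used by every route: validate the id, bind it as a parameter, apply the privacy rule."""
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        return 400, None  # "5'" never reaches the database
    row = conn.execute("SELECT id, title, body, is_private FROM pages WHERE id = ?", (pid,)).fetchone()
    if row is None:
        return 404, None
    if row[3] and not is_admin:
        return 403, None
    return 200, {"id": row[0], "title": row[1], "body": row[2]}


def edit_page_vulnerable(conn, page_id):
    """Mirrors the write-up: raw id concatenated into SQL, and no privacy check on the edit route."""
    try:
        row = conn.execute("SELECT id, title, body FROM pages WHERE id = " + str(page_id)).fetchone()
    except sqlite3.Error:
        return 500, None  # the stray quote surfaces as a database error
    if row is None:
        return 404, None
    return 200, {"form": {"id": row[0], "title": row[1], "body": row[2]}}  # page 5 is editable here


def edit_page(conn, page_id, is_admin=False):
    """Hardened editor: reuses view_page, so validation and the 403 decision are identical on both routes."""
    status, page = view_page(conn, page_id, is_admin)
    if status != 200:
        return status, None
    return 200, {"form": page}
```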
Flag3: Stored XSS
Since the input is reflected in the page, I have to find a way to bypass the markdown filter to execute XSS. After searching and trying different payloads, I come across this payload:
The payload executes successfully but there is no flag displayed.
Viewing the source code, I find the flag:
Thank you for reading. If you enjoyed this article.