24th October 2020
Hacker101 Micro CMS v1 Walkthrough

In this post, I’m writing about the second CTF challenge from Hacker101, named Micro-CMS v1. This page may be a bit more difficult to read because of the number of images and little text; I apologize for that.

Micro-CMS v1

Difficulty | Name | Skills
Easy (2/flag) | Micro-CMS v1 | Web

At the start of this challenge, I landed on this homepage:

http://35.227.24.107/53006e494f/

Flag 0 – Stored XSS

To get to the first flag, I poked around, checked the ‘Testing’ and ‘Markdown Test’ pages, and clicked around. On the homepage, I can create a new page. I tested whether the title and body are vulnerable to XSS (cross-site scripting). I set this payload in the title:

MyPage<script>alert();</script>
Checking if the title is vulnerable to XSS

After creating this page, I navigated back to the homepage and my payload got executed. The title is vulnerable to XSS. When I refresh the homepage, the flag is visible.

Flag 0

Flag 1 – Unauthorized Access

In the URL bar, I see that every page has a unique number (ID) assigned. The already existing pages have ID 1 for ‘Testing’ and ID 2 for ‘Markdown Test’. The page I created for flag 0 has ID 10 assigned. There are some IDs missing.

Enumeration for flag 1

If I count up from number 2, I get an error message at ID 6 saying that I do not have access to this page. This is quite interesting. It means there is a page with ID 6, but I don’t have access to view this page.

Access forbidden for page 6

I noticed that when I edit an already created page, the URL changes to http://35.227.24.107/dc8c86ef94/page/edit/10. So, I added /edit/ in the URL and bingo! I got the second flag.

Flag 1

Flag 2 – SQL Injection

This flag took me a while to find. After checking some pages and URLs, I got a little bit stuck. I decided to check whether this website is vulnerable to SQL injection, and yes, it is: on the editing page, when I add a ' (single quote) at the end of the URL.

Flag 2

Flag 3 – Stored XSS

And last but not least, flag 3. I found this vulnerability on the ‘Markdown Test’ page. As this page says, it supports Markdown, but not scripts. Right, believe me, that’s a hint. I don’t understand how it’s possible that I overlooked this hint when I was looking for the previous flag.

I added this payload in the ‘onclick’ event:

alert(document.cookie)
Flag 3

I clicked on the button, but for some reason, the flag was not showing up. By checking the source code, the flag can be found.

Flag 3
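
The ‘Markdown Test’ page filters scripts, yet the ‘onclick’ handler above survived. The following is an added example, not code from this write-up or from Micro-CMS: a hypothetical denylist filter (`strip_scripts`) that has the same gap, next to an allowlist sanitizer built on Python's `html.parser`. The tag and attribute policy, the function names and the sample body are constructed assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample body: the two kinds of markup the walkthrough tried.
SAMPLE = ('<p>Hi</p><script>alert();</script>'
          '<button onclick="alert(document.cookie)">Some button</button>')

def strip_scripts(body):  # hypothetical denylist filter: removes <script> only
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", body)

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "a", "button"}  # assumed policy
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
SAFE_HREF_PREFIXES = ("http://", "https://", "/")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0      # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue             # drops onclick and any other handler
                if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                    continue             # drops non-http(s) schemes
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))    # text is always re-encoded

def sanitize(body):
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

Running both functions over `SAMPLE` shows the difference: the denylist output still carries the event handler, while the allowlist output keeps only the bare `<p>` and `<button>` elements.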

Thanks for reading this walkthrough! I really enjoyed this CTF challenge.

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
