In this post, I’m writing about the second CTF challenge from Hacker101, named Micro-CMS v1. This page may be a bit harder to read because of the number of images and the small amount of text; I apologize for that.
| Difficulty | Challenge | Category |
|---|---|---|
| Easy (2/flag) | Micro-CMS v1 | Web |
At the start of this challenge, I landed on this homepage:
Flag 0 – Stored XSS
To get to the first flag, I poked around a bit, checked the ‘Testing’ and ‘Markdown Test’ pages and clicked through them. On the homepage, I can create a new page. I tested whether the title and body are vulnerable to XSS (cross-site scripting). I set this payload in the title:
After creating the page, I navigated back to the homepage and my payload executed: the title is vulnerable to stored XSS. When I refresh the homepage, the flag is visible.
Flag 1 – Unauthorized access
In the URL bar, I see that every page has a unique number (ID) assigned. The pre-existing pages have ID 1 for ‘Testing’ and ID 2 for ‘Markdown Test’. The page I created for flag 0 has ID 10. So some IDs are missing.
If I count up from 2, at ID 6 I get an error message saying I do not have access to this page. This is quite interesting: it means a page with ID 6 exists, but I am not allowed to view it.
I noticed that when I edit a page I created, the URL changes to http://126.96.36.199/dc8c86ef94/page/edit/10. So I added /edit/ to the URL in the same way, and bingo! The edit route does not enforce the access check that the view route does, and I got the second flag.
Flag 2 – SQL Injection
This flag took me a while to find. After checking some pages and URLs I got a bit stuck. I decided to check whether this website is vulnerable to SQL injection, and yes, it is: on the editing page, I added a ‘ (single quote) at the end of the URL.
Flag 3 – Stored XSS
And last but not least, flag 3. I found this vulnerability on the ‘Markdown Test’ page. As the page says, it supports markdown, but not scripts. Right, believe me, that’s a hint. I don’t understand how I overlooked this hint when I was looking for the previous flag.
I added this payload in the ‘onclick’ event:
I clicked the button, but for some reason the flag did not show up. By checking the page source, the flag can be found.
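The defender’s side of flags 0 and 3, as an added example that is not part of the original post: removing `<script>` tags alone (my assumption about how the CMS’s “markdown, but not scripts” filter behaves; the post does not show its code) leaves event-handler attributes such as `onclick` untouched, whereas an allowlist of tags and attributes, with all other text HTML-escaped, neutralises both the title payload and the attribute payload. The tag and attribute sets below are my choice, not the challenge’s.

```python
import re
from html import escape
from html.parser import HTMLParser

# Weak approach (assumed for illustration): only <script> tags are removed,
# so <button onclick="..."> or <a href="javascript:..."> pass straight through.
def strip_script_tags_only(fragment: str) -> str:
    return re.sub(r"<\s*/?\s*script[^>]*>", "", fragment, flags=re.I)

# Hardened approach: allowlist of tags, per-tag allowlist of attributes,
# URL scheme check on href, and HTML-escaping of everything else.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.I)  # rejects javascript:, data:, etc.

class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (button, script, img, ...) is dropped; its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler and any other unlisted attribute
            value = (value or "").strip()
            if name == "href" and not SAFE_URL.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        self.out.append(escape(data))  # also the right treatment for the page title

def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```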
Thanks for reading this walkthrough! I really enjoyed this CTF challenge.