Cyber Soldier | Software Engineer

29 April 2020

Hacker101 CTF Walkthrough: Micro-CMS v1

by Najam Ul Saqib

Here is the walkthrough for another CTF available on Hacker101: Micro-CMS v1.
This CTF has four flags and I will walk you through each one of them. Let's start!

This is the main page of the CTF, where you have a few options: you can create pages and read the ones already created.

Flag 0:

To find flag 0, you first need to create a page with some random content.
After creating the page, you will be redirected to the page you just created showing the contents. Observe the URL at this moment. It will be something like:
Notice that our page has been assigned number 13, and that by manually changing the page number you can access other pages.
Now click on the Edit this Page button in the top right corner. Now observe the URL which will be like
So we now know that we can access a page in two ways: by simply hitting the page URL and by hitting the edit page URL. Remember this point!

Start playing with the page URL by adding random numbers to it e.g, and in doing so you will probably see errors like 
But keep entering different numbers from 1-10 and on page no. 6 you'll notice something different.
It's saying that you don't have permission to access this page, meaning that there exists a page which we can't access by hitting the page URL. Do you remember the other way to access a page? Right! Try accessing page 6 by hitting it in the Edit Page URL, which will be
and here is your flag!
It's a private page carrying our flag in it.

Flag 1:
This flag is about SQL injection. Just go to any page and click on "Edit this page", now add a single quotation mark ( ' ) at the end of the URL i.e' and you will find your flag 1.

Flag 2:

For this flag, you need to know the concept of Stored XSS. Create a new page, but this time don't write random content in there; instead, add an XSS payload like <script> alert("Stored XSS") </script> in the Title of the page and hit Create. A page will be created as usual. Now move to the homepage of the website. The stored XSS worked! An alert will fire, giving you your flag 2.

Flag 3:

So finally we're on our last flag. This flag can be caught using a Reflected XSS payload but requires some in-depth analysis of the webpage.

As usual, just edit any of the available pages. We got our previous flag by writing an XSS payload in the title of the page, but we forgot about the description of the page. Writing <script> alert("Stored XSS") </script> directly will not work here: the server will sanitize the input and your script will not run, so you have to come up with another payload which is not detected by the WAF (Web App Firewall) of this website.

The payload that worked in my case was <img src='hello' onerror='alert("xss")'/>. After entering this and saving the page, a pop-up will appear, showing that your script worked.

But this does not include a flag. Don't worry, just view the page source and you will find your flag :) This shows how much in-depth analysis you need to do to succeed in web app pen-testing.
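
Why the <script> filter fails and what fixes it, as an added example that is not part of the original post or the challenge's code. The blocklist filter and both render functions are hypothetical stand-ins for the behaviour described under Flag 2 and Flag 3; the hardened version HTML-escapes the title and body at output time instead of filtering input.

```python
import html
import re

# Hypothetical blocklist: removes <script> elements and nothing else
# (an assumption modelled on the behaviour described in the walkthrough).
SCRIPT_RE = re.compile(r"<\s*script\b.*?>.*?<\s*/\s*script\s*>", re.I | re.S)

# The two payloads quoted in the walkthrough.
SCRIPT_PAYLOAD = '<script> alert("Stored XSS") </script>'
IMG_PAYLOAD = """<img src='hello' onerror='alert("xss")'/>"""


def blocklist_filter(text: str) -> str:
    """Strip <script>...</script>; event-handler attributes pass untouched."""
    return SCRIPT_RE.sub("", text)


def render_weak(title: str, body: str) -> str:
    """Title emitted raw (Flag 2); body only blocklist-filtered (Flag 3)."""
    return f"<h1>{title}</h1><div>{blocklist_filter(body)}</div>"


def render_hardened(title: str, body: str) -> str:
    """Escape every user-controlled value for the HTML context at render time."""
    return f"<h1>{html.escape(title)}</h1><div>{html.escape(body)}</div>"


def has_active_markup(page: str) -> bool:
    """Rough check: a live <script> tag or an inline on* handler inside a tag."""
    return bool(re.search(r"<\s*script\b|<[^>]*\son\w+\s*=", page, re.I))


if __name__ == "__main__":
    for name, render in (("weak", render_weak), ("hardened", render_hardened)):
        print(
            name,
            "title:", has_active_markup(render(SCRIPT_PAYLOAD, "hello")),
            "body:", has_active_markup(render("hello", IMG_PAYLOAD)),
        )
```

With escaping applied, both payloads show up in the page as literal text, which is also what a reviewer should see in the page source when checking the fix.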
