This is the third challenge. Difficulty level is set to moderate and we need to find three flags.

The first thing I did was click on Micro-CMS Changelog. It mentions that "users need to be an admin to add or edit pages now." When I tried to edit a page, it took me to the login page. Of course, no credentials were provided, so we have to find a way around this. This is where SQL injection could come in handy. I tried a very simple case of SQL injection first:
username: abc' OR '1' = '1
password: abc
This gave an error: "invalid password".
I looked for a hint at this point. The first hint was "Regular users can only see public pages". This means that to get the flag I need to get through this login page and access a page which is not listed among the public ones above. But I still couldn't figure out the mechanism to get through, so I took another hint, which was "Getting admin access might require a more perfect union". Here was the clue: I need to use the UNION operator to break this login. I tried the following:
username: bar' UNION SELECT "aaa" as password FROM admins where '1' = '1
password: aaa
Login was successful. A private page is now listed on the page. When I clicked on it... Voila! The flag :D
I also took the last hint even though the work was done. It said:
Knowing the password is cool, but there are other approaches that might be easier
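To see why the first payload failed and the UNION payload worked, here is an added example (my own code, not the write-up's and not the Micro-CMS source) of a login check built the vulnerable way next to the hardened way. It assumes a table named `admins` with one constructed account and runs against an in-memory SQLite database; the column names, sample credentials and helper names are all assumptions. The vulnerable function concatenates the username into the query and compares the supplied password to whatever row comes back, so `abc' OR '1' = '1` returns the real admin's password (which does not equal `abc`, hence "invalid password"), while the UNION payload makes the query return an attacker-chosen value. The hardened function binds the username as a parameter and compares a salted PBKDF2 hash in constant time, so both payloads are just usernames that do not exist.

```python
"""Added example: the same login check written vulnerably and safely.

Everything here (the `admins` table, the sample account, the helper
functions) is constructed for this demo and is not the CTF's code.
"""
import hashlib
import hmac
import os
import sqlite3

# Payloads from the write-up.  SQLite may read a double-quoted "aaa" as an
# identifier rather than a string, so the literal is single-quoted here;
# the shape of the injection is unchanged.
OR_PAYLOAD = "abc' OR '1' = '1"
UNION_PAYLOAD = "bar' UNION SELECT 'aaa' AS password FROM admins WHERE '1' = '1"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted password hash used by the hardened variant."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin row storing both a plaintext
    password (for the vulnerable variant) and a salted hash (for the safe one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admins (username TEXT, password TEXT, salt BLOB, password_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO admins VALUES (?, ?, ?, ?)",
        ("admin", "s3cret-demo", salt, _pbkdf2("s3cret-demo", salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string formatting and trusts the first row returned.

    With OR_PAYLOAD the WHERE clause is always true, so the real admin's
    password comes back and fails to match "abc".  With UNION_PAYLOAD the
    second SELECT supplies the row, so the returned "password" is 'aaa'.
    """
    query = f"SELECT password FROM admins WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return row is not None and row[0] == password


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time comparison of a salted hash.

    The username is bound as data, so quotes and UNION inside it are never
    parsed as SQL; the lookup simply finds no such user.
    """
    query = "SELECT salt, password_hash FROM admins WHERE username = ?"
    row = conn.execute(query, (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


def demo() -> dict:
    """Runs both variants against the write-up's inputs and the real credentials."""
    conn = make_db()
    return {
        "vulnerable_or": login_vulnerable(conn, OR_PAYLOAD, "abc"),
        "vulnerable_union": login_vulnerable(conn, UNION_PAYLOAD, "aaa"),
        "vulnerable_real": login_vulnerable(conn, "admin", "s3cret-demo"),
        "safe_or": login_safe(conn, OR_PAYLOAD, "abc"),
        "safe_union": login_safe(conn, UNION_PAYLOAD, "aaa"),
        "safe_real": login_safe(conn, "admin", "s3cret-demo"),
        "safe_wrong": login_safe(conn, "admin", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The fix is not input filtering: parameter binding keeps the username out of the SQL grammar entirely, and hashing means that even a successful query against the table would not hand back anything the attacker could log in with.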