Sunday, June 14, 2020

Hacker101 CTF: Micro-CMS v2 - Part 3

I didn't know what to do here, so I looked at a hint, which was:
  • Credentials are secret, flags are secret. Coincidence?

I have no idea what it means, but my guess is that the secret credentials need to be obtained to get this last flag. What options do I have? SQL injection to dump the database. The thing we know by now is that there is a table called admins. I did some hit and trial with multiple cases.

Trial 1
username: admin' OR '1' = '1
password: random
result: invalid password

Trial 2
username: user
password: random
result: invalid user

Conclusion at this point: there is a table admins with username and password columns. Also, admin is one of the users in that username column.

Trial 3
username: admin' OR 1=1--
password: random
result:

Traceback (most recent call last):
File "./main.py", line 145, in do_login
if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
self.errorhandler(self, exc, value)
File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1")

Hacker101 CTF: A little something to get you started

Hacker101 is one of the best when it comes to bug bounty. With the intent of brushing up my skills to become a good bug bounty hunter, I have started the Capture the Flag (CTF) from Hacker101. In its learning path, the very first challenge we get is

  • A little something to get you started

When you click Go, you get to the following page.

At first, it feels like there is nothing to do here. Trust me, I felt the same. No buttons to click and nothing to do. Just the text "Welcome to level 0. Enjoy your stay."


So, I began to play around, honestly! I started by manipulating the given URL: http://35.190.155.168/bf06d4167c
i.e. changing the bf06d4167c value to random numbers, and then adding some stuff to this URL, like bf06d4167c/abc etc. I know this was not a smart move. I just gave it a try.


Since nothing seemed to work, I opened the Developer Tools.

Even here nothing is obvious at first look. Again, some playing around. I saw background-image mentioned in the body section, but nothing could be seen there. So, I searched for background.png in the URL itself: http://35.190.155.168/bf06d4167c/background.png

Voila! There is the flag.



Hacker101 CTF: Micro-CMS v1 Part 2

Now moving on to the next challenge.


Here we have something to click on :D. The first thing I did was click on all of them.


Testing had some static text, while Markdown Test included one button, but nothing was working there. Next, in Create page there was a form we could fill in. This looks exciting, because a form means we may be able to inject an XSS script. But this needs to be tested, so what I did was create a page with the title "Just for Fun" and the description "This text is written just for fun." And the effect? My text was stored there, and the home page had indexed my title as well.


This indicates that stored XSS could be possible. So let's create a new page and include an XSS payload in the title.
XSS Test<script>alert(1);</script>

The page will be created. Now if you go to the home page, voila! There is a flag.


To get the flag you can also edit the page you created last time to include a script like the one above.


Hacker101 CTF: Micro-CMS v1 Part 1

Now moving on to the next challenge.


Here we have something to click on :D. The first thing I did was click on all of them.


Testing had some static text, while Markdown Test included one button, but nothing was working there. Next, in Create page there was a form we could fill in. There are 4 flags to catch in this part of the exercise, which means each link should give me at least one flag.

When I click on Testing, it gives me some static information. However, we can see an option to edit the page. So, let's edit.

First things first: when testing web applications, the first things to look for are SQL injection and XSS scenarios. Let's go with SQL injection.

If we look at the URL, it shows the identifier of the page: http://35.190.155.168/64fcf8db67/page/edit/1
To check for injection, I will append ' OR 1=1' -- to the given URL.


Voila! There is a flag.


Hacker101 CTF: Micro-CMS v1 Part 3

Now moving on to the next challenge.


Here we have something to click on :D. The first thing I did was click on all of them.


I created a page called Just for Fun. If you look at the URL and the id, you will see 13. When another page was created, the id was 14. The id for Markdown Test is 2. So, where are the other pages from 3-12? Let's check them in turn.

404 Not Found Error


For all other ids a 404 error was seen, except for one.
This means that there is something at this id; it's just not available to us. We are not authorized to view this page, and we don't have a direct mechanism to access it either. Let's find a workaround then. If you notice, for every page there is an option to edit the page. When we edit any page, we can see the identifier of the page we are trying to edit. For the Testing page: http://35.190.155.168/64fcf8db67/page/edit/1

I will now change this 1 to 7 to see the behavior of the page: http://35.190.155.168/64fcf8db67/page/edit/7

Voila! There is a flag. This is an example of unauthorized access.


Hacker101 CTF: Micro-CMS v1 Part 4

Now the last part of this exercise, finding the fourth flag.

Until now, we've tried manipulating the URL and the title. We have not yet touched the body part of the edit page. My guess is that this is where the final flag should be. For this, I edited Markdown Test. There is a "Some Button" which a user will definitely click at first glance. For this reason, if we can manipulate this button to run a script, it would be ideal for us.

Also, the edit page clearly says "Markdown is supported, but scripts are not". This means we can make use of markdown in the body to manipulate the button. Let's look for different options to change the button's behavior.

After some random testing and much hit-and-trial, I finally landed on this payload:

<button onclick=alert('Scripted')>Some Button</button>

Then hit save. Click on Some Button now. An alert message is generated, so the XSS attempt is successful. Even so, the flag is not seen on the screen. But the good news is we already have the flag.
I always have the developer tools open, and each time I make a change I make sure to check all the elements, just in case there is a flag. And this time there was!
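An added example (not the CMS's code) of the output-side fix for both this post and Part 2: titles are escaped as plain text, and the HTML rendered from a page body goes through an allowlist sanitizer that drops script elements and every on* attribute, which is what "scripts are not supported" has to mean to hold up. The allowlists and function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Allowlists are an assumption for this example; "button" is kept so the page's
# Some Button survives, but only without event-handler attributes.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "code", "pre", "a", "button"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            # on* handlers (the onclick from Part 4) are never allowlisted
            if value is None or name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # blocks javascript: and data: links
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_body(fragment):  # HTML produced from a page body (Part 4)
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)

def render_title(title):  # titles are plain text: escape on output (Part 2)
    return html.escape(title, quote=True)
```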



Hacker101 CTF: Micro-CMS v2 - Part 1

This is the third challenge. The difficulty level is set to moderate and we need to find three flags.



The first thing I did was click on Micro-CMS Changelog. What it mentioned was "users need to be an admin to add or edit pages now." When I tried to edit, it took me to the login page. Of course, no credentials were provided, and we have to find a way around this. This is where SQL injection could come in handy. I tried a very simple case of SQL injection:

abc' OR '1' = '1 with a random password abc. This gave an error: "invalid password".

I looked for a hint at this point. The first hint was "Regular users can only see public pages". This means that to get the flag I need to get through this login page and access a page which is not listed publicly above. But I still couldn't figure out the mechanism to get through. So I took another hint, which was "Getting admin access might require a more perfect union". Here was the clue: I need to use the UNION operator to break this login. I tried the following:

username: bar' UNION SELECT "aaa" as password FROM admins where '1' = '1
password: aaa
Login was successful
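As an added example (not the challenge's code), the query from the Part 3 traceback above rebuilt in Python with sqlite3 standing in for MariaDB: the string-formatted version beside a parameterized one, exercised with the trial inputs from Part 3 and the UNION login from this post. The admins table, the admin row and the result strings are constructed here; the payload is written with single quotes so sqlite reads 'aaa' as a string literal the way MariaDB reads "aaa".

```python
import hmac
import sqlite3

# sqlite3 stands in for the challenge's MariaDB (assumption); the table and
# column names follow the traceback, the admin row is constructed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'constructed-secret')")
    return conn

def login_vulnerable(conn, username, password):
    # Mirrors main.py line 145 in the traceback: the username is spliced into the
    # SQL with Python %-formatting. replace('%', '%%') only keeps the % operator
    # happy; quotes pass straight through and change the query's structure.
    sql = "SELECT password FROM admins WHERE username='%s'" % username.replace('%', '%%')
    row = conn.execute(sql).fetchone()
    if row is None:
        return "invalid user"
    return "ok" if row[0] == password else "invalid password"

def login_fixed(conn, username, password):
    # Bind the username as a parameter so it is data, never SQL, and compare the
    # password in constant time. (A real deployment stores a hash, not plaintext.)
    row = conn.execute("SELECT password FROM admins WHERE username=?", (username,)).fetchone()
    if row is None:
        return "invalid user"
    if hmac.compare_digest(row[0].encode(), password.encode()):
        return "ok"
    return "invalid password"

# The UNION login from this post: the second SELECT supplies the password the
# attacker typed, so the comparison passes without knowing the real one.
UNION_PAYLOAD = "bar' UNION SELECT 'aaa' AS password FROM admins WHERE '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, UNION_PAYLOAD, "aaa"))  # ok: the UNION row wins
    print(login_fixed(db, UNION_PAYLOAD, "aaa"))       # invalid user
```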





There is a private page now listed on the page. When I clicked on it... Voila! The flag :D


I also took the last hint even though the task was already done. It said:
  • Knowing the password is cool, but there are other approaches that might be easier

Hacker101 CTF: Micro-CMS v2 - Part 2

I was a bit clueless here, so I took the hints. The first was

  • What actions could you perform as a regular user on the last level, which you can't now?

So, in the last level there was no authentication required to edit the page. Now there is this added step which disallows me from editing the page. To capture the first flag, I had already used the SQL injection technique, so this was no hint at all. I sought the next hint, which was

  • Just because request fails with one method doesn't mean it will fail with a different method

This still wasn't enough for me. I need to try to edit the page to get the flag. The first option is to go through the UI, which I already did. The next option will be to use the command line. I needed to be sure, so I took the last hint too:

  • Different requests often have different required authorization

Yes, the command line should be used here. curl provides heaps of useful features like HTTP POST. I tried the following command:

curl -v -X POST http://35.190.155.168/3ba49d9466/page/edit/2


Successful execution of this command gives me the flag I needed.
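An added example (not the CMS's code) of why the curl request above worked, and of the fix, which also covers the unlisted page reached through /page/edit/7 in v1 Part 3: a handler that checks the login only in its GET branch beside one that authorizes before branching on method. Flask is replaced by a small constructed Request and page table so it runs offline; the handler and page names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the CMS pages: ids 1 and 2 are the public pages
# named on this blog, id 7 is the unlisted page found in v1 Part 3.
PAGES = {1: {"title": "Testing", "public": True},
         2: {"title": "Markdown Test", "public": True},
         7: {"title": "hidden page (constructed)", "public": False}}

@dataclass
class Request:
    method: str
    user: Optional[str]  # "admin", "user", or None when not logged in

class HTTPError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status

def edit_page_split_check(req, page_id):
    # Anti-pattern: the login check lives only in the GET branch, so a POST
    # (curl -X POST from this post) reaches the save path with no session at all.
    if req.method == "GET":
        if req.user != "admin":
            raise HTTPError(302)  # redirect to login
        return "edit form"
    if req.method == "POST":
        return "saved"
    raise HTTPError(405)

def edit_page_fixed(req, page_id):
    # Authorize once, before branching on method, and only then resolve the id:
    # an unauthenticated probe of any id, listed or not, gets the same redirect.
    if req.user != "admin":
        raise HTTPError(302)
    page = PAGES.get(page_id)
    if page is None:
        raise HTTPError(404)
    if req.method == "GET":
        return "edit form for %s" % page["title"]
    if req.method == "POST":
        return "saved %s" % page["title"]
    raise HTTPError(405)

def status_of(handler, req, page_id):
    # HTTP status the handler would produce for this request
    try:
        handler(req, page_id)
        return 200
    except HTTPError as e:
        return e.status
```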