Showing posts with label Bug Bounty. Show all posts

Sunday, June 14, 2020

Hacker101 CTF: A little something to get you started

Hacker101 is one of the best resources when it comes to bug bounty. With the intent of brushing up my skills to become a good bug bounty hunter, I have started the Capture the Flag (CTF) challenges from Hacker101. In its learning path, the very first challenge we get is

  • A little something to get you started

When you click Go, you get to the following page.

At first, it feels like there is nothing to do here. Trust me, I felt the same. No buttons to click and nothing to do, just the text "Welcome to level 0. Enjoy your stay."


So, I began to play around, honestly! I started by manipulating the given URL: http://35.190.155.168/bf06d4167c
i.e. changing the bf06d4167c value to random numbers, and then appending things to the URL, such as bf06d4167c/abc. I know this was not a smart move; I just gave it a try.


Since nothing seemed to work, I opened the Developer Tools.

Even here nothing is obvious at first look, so again some playing around. I saw a background-image mentioned in the body section, but nothing could be seen on the page. So, I requested background.png in the URL itself: http://35.190.155.168/bf06d4167c/background.png

Voila! There is the flag.



Hacker101 CTF: Micro-CMS v1 Part 2

Now moving on to the next challenge.


Here we have something to click on :D. The first thing I did was click on everything.


Testing had some static text, while Markdown Test included one button, but nothing was working there. Next, in Create Page there was a form we could fill in. This looks exciting, because a form means we may be able to inject some XSS script. But this needs to be tested, so what I did was create a page with the title "Just for Fun" and the description "This text is written just for fun." And the effect? My text was stored there, and the home page had indexed my title as well.


This indicates that stored XSS could be possible. So let's create a new page and include an XSS payload in the title:
XSS Test<script>alert(1);</script>

The page will be created. Now if you go to the home page, voila! There is a flag.


To get the flag you can also edit the page you created last time to include a script like the one above.


Hacker101 CTF: Micro-CMS v1 Part 1

Now moving on to the next challenge.


Here we have something to click on :D. The first thing I did was click on everything.


Testing had some static text, while Markdown Test included one button, but nothing was working there. Next, in Create Page there was a form we could fill in. There are 4 flags to catch in this part of the exercise, which means each link should give me at least one flag.

As I click on Testing, it gives me some static information. However, we can see an option to edit the page. So, let's edit.

First things first: when we test web applications, the first things to look for are SQL injection and XSS attack scenarios. Let's go with SQL injection.

If we look at the URL, it shows the identifier of the page: http://35.190.155.168/64fcf8db67/page/edit/1
To check for injection, I will append ' OR 1=1' -- to the given URL.


Voila! There is a flag.


Hacker101 CTF: Micro-CMS v1 Part 3

Now moving on to the next challenge.


Here we have something to click on :D. The first thing I did was click on everything.


I created a page called Just for Fun. If you look at the URL and the id, you will see 13. When another page was created, the id was 14. The id for Markdown Test is 2. So, where are the other pages, ids 3-12? Let's check them in turn.

404 Not Found Error


For all the other ids a 404 error was seen, except for one.
This means that there is something at this id; it's just not available to us. We are not authorized to view this page, and we don't have a direct mechanism to access it either. Let's find a workaround then. If you notice, for every page there is an option to edit the page. When we edit any page, we can see the identifier of the page we are trying to edit, for example for the Testing page: http://35.190.155.168/64fcf8db67/page/edit/1

I will now change this 1 to 7 to see the behavior of the page: http://35.190.155.168/64fcf8db67/page/edit/7

Voila! There is a flag. This is an example of unauthorized access.
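The two findings above, the injectable id in the edit URL (Part 1) and the private page reachable just by changing the id (Part 3), come from the same missing checks. The following is an added example, not Micro-CMS code: a constructed SQLite pages table (ids modelled on the writeup, flag value a placeholder) with a lookup written the vulnerable way beside a hardened one that validates the id, binds it as a parameter and enforces authorization.

```python
import sqlite3

# Constructed pages table modelled on the ids seen in the writeup; the real
# CTF schema and the flag value are not known, so these are placeholders.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
_db.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
    (1, "Testing", 1),
    (2, "Markdown Test", 1),
    (7, "Private page (FLAG_PLACEHOLDER)", 0),
    (13, "Just for Fun", 1),
])


def edit_lookup_vulnerable(page_id: str) -> list[int]:
    """The path segment is pasted into the SQL text and nothing checks who asks.
    Returns the ids the query matched so the effect of an injection is visible."""
    rows = _db.execute(f"SELECT id FROM pages WHERE id = '{page_id}'").fetchall()
    return [r[0] for r in rows]


def edit_lookup_hardened(page_id: str, is_admin: bool):
    """Validate the id as an integer, bind it as a parameter, and refuse
    non-public pages to anyone without an admin session (403, not 404)."""
    if not page_id.isdigit():
        raise ValueError("page id must be a positive integer")
    row = _db.execute(
        "SELECT id, title, public FROM pages WHERE id = ?", (int(page_id),)
    ).fetchone()
    if row is None:
        return None  # 404 Not Found, the id really does not exist
    if not row[2] and not is_admin:
        raise PermissionError("not authorized to edit this page")  # 403
    return row[0], row[1]
```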


Hacker101 CTF: Micro-CMS v1 Part 4

Now the last part of this exercise, finding the fourth flag.

Until now, we've tried manipulating the URL and the title. We have not yet touched the body part of the edit page. My guess is that this is where the final flag should be. For this, I edited Markdown Test. There is a "Some Button" which a user will definitely click at first glance. For this reason, if we can manipulate this button to store a script, it would be ideal for us.

Also, the edit page clearly says "Markdown is supported, but scripts are not". This means we can make use of markdown in the body part to manipulate the button. Let's look for different options to change the button's behavior.

After some random testing and much trial and error, I finally landed on this:

<button onclick=alert('Scripted')>Some Button</button>

Then hit save and click on Some Button. An alert message is generated, so the XSS attempt is successful. Even so, the flag is not seen on the screen. But the good news is that we already have the flag.
I always have the developer tools open, and each time I make any change I make sure to check all the elements, just in case there is a flag. And this time there was!
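Both XSS flags come from output handling: the title (Part 2) is a plain-text field rendered without escaping, and the Markdown body (Part 4) lets raw HTML with an onclick attribute through. The following is an added example, not the CMS's code, with an assumed allow-list: escape plain-text fields, and pass the HTML produced from Markdown through a tag and attribute allow-list that drops event handlers and non-http links.

```python
import html
from html.parser import HTMLParser

# Assumed allow-list of what Markdown rendering may legitimately produce;
# anything else (button, script, iframe, ...) and every on* attribute is dropped.
ALLOWED_TAGS = {"p", "em", "strong", "a", "code", "pre", "ul", "ol", "li", "h1", "h2", "h3", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")


def render_title(title: str) -> str:
    """Plain-text fields such as the page title are never HTML: escape them."""
    return html.escape(title, quote=True)


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its inner text still arrives via handle_data
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # javascript: and other schemes are not links we serve
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_body(rendered_html: str) -> str:
    """Allow-list filter applied to the HTML produced from the Markdown body."""
    s = _Sanitizer()
    s.feed(rendered_html)
    s.close()
    return "".join(s.out)
```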



Hacker101 CTF: Micro-CMS v2 - Part 1

This is the third challenge. The difficulty level is set to moderate, and we need to find three flags.



The first thing I did was click on Micro-CMS Changelog. What it mentioned was that "users need to be an admin to add or edit pages now." When I tried to edit, it took me to the login page. Of course, no credentials were provided, and we have to find a way around this. This is where SQL injection could come in handy. I tried a very simple case of SQL injection:

abc' OR '1' = '1 with a random password abc. This gave an error: "invalid password".

I looked for a hint at this point. The first hint was "Regular users can only see public pages". This means that to get the flag I need to get through this login page and access a page which is not listed publicly above. But I still couldn't figure out the mechanism to get through. So I took another hint, which was "Getting admin access might require a more perfect union". Here was the clue: I need to use the UNION operator to break this system. I tried the following:

username: bar' UNION SELECT "aaa" as password FROM admins where '1' = '1
password: aaa
Login was successful.





There is a private page now listed. When I clicked there... Voila! The flag :D


I also took the last hint even though things were done. It said:
"Knowing the password is cool, but there are other approaches that might be easier"
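Why the UNION trick works, and the fix, as an added example that is not the CTF's code. The assumption is a login that fetches the stored password for the submitted username and compares it in application code; the constructed tables, the hashed variant, and the single quotes around aaa (standard SQL, whereas the writeup's double quotes rely on the database accepting them as string literals) are this example's own choices.

```python
import hashlib
import hmac
import secrets
import sqlite3

DEMO_PASSWORD = "constructed-demo-password"  # placeholder, not the CTF's


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed tables: the writeup only tells us an "admins" table with a
# password column exists; admins_h is the hardened variant, not the CTF's.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, password TEXT)")
_db.execute("INSERT INTO admins VALUES ('admin', ?)", (DEMO_PASSWORD,))
_salt = secrets.token_bytes(16)
_db.execute("CREATE TABLE admins_h (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
_db.execute("INSERT INTO admins_h VALUES ('admin', ?, ?)", (_salt, _hash(DEMO_PASSWORD, _salt)))


def login_vulnerable(username: str, password: str) -> bool:
    """Looks up the stored password with string concatenation, then compares it
    in Python. The result set is attacker-controlled: an OR clause only returns
    the real password (hence "invalid password"), but a UNION row returns the
    value the attacker chose, so the comparison is against their own input."""
    row = _db.execute(
        f"SELECT password FROM admins WHERE username = '{username}'"
    ).fetchone()
    return row is not None and row[0] == password


def login_hardened(username: str, password: str) -> bool:
    """Bound parameter, salted PBKDF2 hash, constant-time comparison."""
    row = _db.execute(
        "SELECT salt, pw_hash FROM admins_h WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        _hash(password, b"\x00" * 16)  # same cost whether or not the user exists
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])
```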

Hacker101 CTF: Micro-CMS v2 - Part 2

I was a bit clueless here. So, I took hints. The first was

  • What actions could you perform as a regular user on the last level, which you can't now?

So, in the last level no authentication was required to edit the page. Now there is this added step which disallows me from editing the page. To capture the first flag, I already used the SQL injection technique, so this was no hint at all. I sought the next hint, which was
  • Just because request fails with one method doesn't mean it will fail with a different method
This still isn't enough for me. I need to try to edit the page to get the flag. The first option is to go through the UI, which I already did. The next option will be to use the command line. I need to be sure now, so I took the last hint too
  • Different requests often have different required authorization
Yes, the command line should be used here. curl provides heaps of useful features, such as HTTP POST. I tried the following command

curl -v -X POST http://35.190.155.168/3ba49d9466/page/edit/2


Successful execution of this command gives me the flag I needed.
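The method-dependent check described above, modelled as an added example (not the CTF's code): a toy Flask-style dispatcher in which only the GET branch of /page/edit checks the session, beside one that decides authorization from the path before any method is dispatched, plus a regression check that lists which methods get through anonymously.

```python
from dataclasses import dataclass

# Toy model of a Flask-style app (assumption: the real Micro-CMS v2 source is
# not public; this reproduces only the observed symptom).


@dataclass
class Request:
    method: str
    path: str
    logged_in: bool = False


def _edit_form(req: Request):
    return 200, "edit form"


def _save_page(req: Request):
    return 200, "saved"


def _login_redirect(req: Request):
    return 302, "/login"


def dispatch_vulnerable(req: Request):
    """Auth is left to each handler, and only the GET branch remembered it."""
    if req.path.startswith("/page/edit/"):
        if req.method == "GET":
            return _edit_form(req) if req.logged_in else _login_redirect(req)
        if req.method == "POST":
            return _save_page(req)  # no check: curl -X POST gets through
    return 404, "not found"


PROTECTED_PREFIXES = ("/page/edit/", "/page/create")


def dispatch_hardened(req: Request):
    """Authorization decided from the path alone, before any method branch."""
    if req.path.startswith(PROTECTED_PREFIXES) and not req.logged_in:
        return _login_redirect(req)
    if req.path.startswith("/page/edit/"):
        if req.method == "GET":
            return _edit_form(req)
        if req.method == "POST":
            return _save_page(req)
        return 405, "method not allowed"
    return 404, "not found"


def anonymous_method_gaps(dispatch, path: str, methods=("GET", "POST", "PUT", "DELETE")):
    """Regression check: which methods reach the handler without a session?"""
    return [m for m in methods if dispatch(Request(m, path))[0] == 200]
```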


Sunday, May 3, 2020

Bug Bounty Program and Process

Bug Bounty

What Motivates Researchers?

  • curiosity: it's the hacker mindset. People want to understand how things work, and they want to be able to manipulate a system to the extent that they can make it do things it wasn't originally designed to do.
  • cash: with bug bounties there's a cash reward in place.
  • social recognition: there are halls of fame, leader boards, and all sorts of other things, which provide a testimony of the skill of an individual.

Bug Bounty Programs

  • The most well-known of the crowdsourced security solutions, which is built upon vulnerability disclosure programs with a competition-based testing model. It leverages a community of white hat hackers at scale to deliver rapid vulnerability discovery across multiple attack surfaces.
  • A bug bounty is a reward offered - either money or kudos - for vulnerabilities discovered within a set scope.
  • Bug bounty programs utilize a pay-for-results model, ensuring you only pay for valid results. Through these programs, companies authorize researchers not only to identify vulnerabilities but also to provide a proof of concept.
  • It is protected under the terms and conditions that the researchers and company (and if using a third-party platform, that platform) have set forth.

How it works

  • Engage global researchers: Incentivize a global community of security researchers from around the world to find vulnerabilities.
  • Submission Triage and Validation: Triage and validate all incoming submissions to ensure an organization’s security team is focused on critical issues that present a real risk to the business.
  • Submission Acceptance and Payout: Organizations review and confirm triaged submissions. At this time it is recommended to pay researchers for their findings.
  • Fix Vulnerability and Verify: Integrate directly into software development to speed up the remediation process. Don’t forget to retest!
There are two types of bug bounty programs, private and public.

Private Programs
  • Controlled testing environment with a small set of highly vetted and experienced researchers.
  • Elasticity to adjust researcher engagement and testing scope as needed.
  • Ideal for targets that are not publicly accessible, such as staging environments, applications that require credentialed access, or devices.

Public Programs
  • Scale testing efforts to gain access to an extensive skill set, diversity and coverage at scale.
  • Heighten security awareness and reassure stakeholders that security is a priority for your organization.
  • Ideal for publicly accessible targets such as web and mobile applications, or more complex targets like client-side apps and IoT devices.

Crawl, Walk, Run Approach
  • Crawl: Launch a private bug bounty with limited scope
  • Walk: Transition to a public program
  • Run: Increase rewards, add targets, boost researcher engagement

Bug bounty programs can be run as either on-demand or continuous engagements.
  • On-demand: A single point-in-time or periodic testing engagement that is the best fit for an initial proof of concept, or as a replacement for periodic penetration tests.
  • Ongoing: A continuous testing engagement that is the best fit for high-value targets or agile DevOps cultures where the application is changing continuously.
Advantages of Bug Bounty Programs
  • Rapid Risk Reduction: Incentive-based testing motivates researchers to think creatively and find high-impact vulnerabilities that present the most risk to the business.
  • Cost-Effective: A results-driven model ensures payment only for the vulnerabilities that present a risk to the business, and not for the time or effort it took to find them.
  • Lower Operational Overhead: A cloud-based, managed solution that integrates into your existing SDLC, delivering frictionless setup with zero maintenance.

Disadvantage
  • Once the submissions start to come in, it's easy to get overwhelmed. Organizations hardly have the time or resources to triage and validate incoming vulnerability findings from outside researchers.

Staffing is a major consideration. A team with the following skill set is required:
  • Technical security assessment skills: must be able to reproduce complex vulnerabilities on different systems and platforms.
  • Communication skills: this person is the broker between the security research community and internal engineering and development.
  • Patience: the job is repetitive in nature and requires constant attention to both the researcher community and the submission process.

How to Launch a Successful Managed Bug Bounty Program
  • Scoping: Know and understand your attack surface, and discuss the program goals unique to your business. Once you establish those goals, you're ready to begin writing your bounty brief by setting your in-scope targets, focus areas, exclusions and incentive program.
  • Implementing: Once your program brief has been clearly and thoughtfully articulated, spend time discussing bug bounty processes with the development team. These intake, remediation and communication processes may involve creating templates and workflows, or integrating with internal development tools. When everyone is on the same page, you're ready to launch and promote your program.
  • Receiving Bugs: As submissions start coming in, triage is necessary to determine whether a vulnerability is valid, invalid or a duplicate.
  • Remediating: Valid bugs must then be fed back into your development lifecycle and prioritized by criticality and in relation to the existing development workload.
  • Learning + Iterating: Because testing is continuous, it is important to reassess results and goals continually, adjusting your program to meet these targets by redistributing resources, improving rewards, or running additional programs. This continuous testing is also an excellent opportunity to learn to write better, more secure code.