Micro-CMS v2 – Hacker101 CTF – @lautarovculic

Difficulty: Moderate

Skills: Web

Flags: 3

Flag 1/3

The /page/1


This version fixed the multitude of security flaws and general functionality bugs that plagued v1. Additionally, we added user authentication; we’re still not sure why we didn’t think about that the first time, but hindsight is 20/20. By default, users need to be an admin to add or edit pages now.

Here (/login) is.

So I’ll try an SQL Injection.

After try the following payload:

					admin' UNION SELECT 'lautaro' AS password FROM admins WHERE '1' = '1

Password: lautaro

We get an 200 response.

Now we are admin an we can can see this page:

And get the flag 😄

Flag 2/3

Try create a new page:

The page will be save in /page/4

Remember that when we edit a page, we are redirect to the login.

So, we can do a Bypass Authentication.

If we try edit the page, and press on the save button, we will get an error.

Let’s inspect that with Burp

With options we can see that OPTIONS, HEAD, POST, GET are supported.

But playing with the methods, in Burp I have problems, so we can try send a POST to the edit page.

					curl -X POST "https://<sub>.ctf.hacker101.com/page/edit/4"

Flag 3/3

The last flag.

If we read the code comment in the first flag when we inject the SQL code, that say:

					<!-- You got logged in, congrats!  Do you have the real username and password?  If not, might want to do that! -->

So let’s dump the database, we already know that is vulnerable to SQLi! 😄

For that we can use sqlmap with this simple command:

					sudo sqlmap -u https://<sub>.ctf.hacker101.com/login --method POST --data "username=FUZZ&password=" -p username --dbs --dbms=mysql --level 2 --dump --random-agent

This has take a long time.. But here we get the credentials.

Now, we try log in /login

And we get the flag.

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *