ctf.hacker101 — Micro-CMS v1

Erkan Kılıç
4 min read · Jan 8, 2021


We start the exercise with the GO option at the end of the exercise title on https://ctf.hacker101.com/ctf
The welcome page of the exercise shows three different sub-pages:
Testing
Markdown Test
Create a new page

At this point, we clicked through all the sub-pages to see how they look. Then we reviewed the code structure of the main page and the sub-pages with F12 or the Inspect (CTRL+SHIFT+I) option in the right-click menu.
When we examine the code structure, the HTML looks as shown below. One point in this code review is important: the sub-pages have a numeric ID.

<html>
<head>
<style class="vjs-styles-defaults">
.video-js {width: 300px;height: 150px;}
.vjs-fluid {padding-top: 56.25%}
</style>
<title>Micro-CMS</title>
</head>
<body>
<ul>
<li><a href="page/1">Testing</a></li>
<li><a href="page/2">Markdown Test</a></li>
</ul>
<a href="page/create">Create a new page</a>
</body>
</html>

Firstly, we create a new page from the “Create a new page” section. Then we examine the code structure of this new page; the HTML looks as shown below.

<html>
<head>
<style class="vjs-styles-defaults">
.video-js {width: 300px;height: 150px;}
.vjs-fluid {padding-top: 56.25%}
</style>
<title>New-Created-Page</title>
</head>
<body>
<a href="../">&lt;-- Go Home</a><br>
<a href="edit/10">Edit this page</a>
<h1>New-Created-Page</h1>
<p>New-Created-Page</p>
</body>
</html>

We need to pay attention to some important information from this review.

When we reviewed the code structure of the main page, the IDs were sequential, “page/1” and “page/2”, but the new page that we created has a non-sequential numeric ID, “page/10”.
With this information, we changed the numeric ID in the “page” directory to see whether the website has any other sub-pages. As you see, one of those pages returns a different error message.

However, we had no such information for the “edit” directory as we had for the “page” directory, so we applied the same technique there.

RESULT: The flag was captured.

Secondly, we know the sub-pages have a numeric ID, and based on this information we added basic syntax to the end of the URL to check for SQLi.

RESULT: The flag was captured.

Thirdly, when we edit the sub-pages there is a note: “Markdown is supported, but scripts are not”.
One of these sub-pages has a button element, but it does not work. At this point, we thought that this note could be tricky.
As we know, a button element in HTML needs a function attached to it, basically a click function.
In the edit section, we changed the button code to make it clickable, so that an event fires when the element is clicked. Nothing changed on the page, so we decided to review the code structure.

RESULT: The flag was captured.

Finally, we know that the pages support scripts and that the pages have a text box.
We edited the text box of one of the sub-pages and checked for XSS with basic syntax.
When we saved the page, the edit only changed the information on that web page, and we had no clue how to reach the result, but we knew that there might be another trick, like the click function.
So, since we had edited the page, we decided to go back to the main page.

RESULT: The flag was captured.
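The button finding and the final finding share one root cause: the site filters script tags instead of allowlisting markup and escaping stored text. The sketch below is an added example, not Micro-CMS code and not part of the original write-up; it puts a script-tag-only filter beside an allowlist sanitizer and an escaped link-list entry. The allowlist policy, function names and sample input are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist policy for rendered Markdown (hypothetical, not Micro-CMS's).
ALLOWED_TAGS = {"p", "h1", "h2", "ul", "ol", "li", "a", "em", "strong", "code", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")

def strip_script_tags(html_text):
    """Weak filter: removes <script> elements only; attributes are untouched."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html_text)

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from allowlisted tags and attributes only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True          # drop the element body as well
        if tag not in ALLOWED_TAGS:
            return                        # tag dropped, its text is kept escaped
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name in ALLOWED_ATTRS.get(tag, ()) and value.lower().startswith(SAFE_HREF_PREFIXES):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))

def sanitize(html_text):
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

def index_entry(page_id, title):
    """Escapes a stored title before it is placed in the main page's link list."""
    return f'<li><a href="page/{int(page_id)}">{escape(title)}</a></li>'

# Constructed sample input, not taken from the exercise.
SAMPLE = '<h1>Demo</h1><button onclick="handler()">Some button</button><script>handler()</script>'
```

`strip_script_tags(SAMPLE)` still returns the button with its event-handler attribute, while `sanitize(SAMPLE)` keeps only the heading and the button's text.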
