ctf.hacker101 — Petshop Pro

Erkan Kılıç
Feb 14, 2021

We start the exercise with the GO option at the end of the exercise title on https://ctf.hacker101.com/ctf

When we start the exercise, we see a shopping website with a picture of a cat and a dog, but no visible login page. We land directly on the catalog page.

The site has the standard shopping areas, “cart” and “add”, and after a code review we find another directory, “static”. Then we start shopping.

At the end of the shopping steps, we see our products’ values during the code review and try to change them.

RESULT: The flag was captured.

Now we want to find the login page, since we know there must be a login state before the shopping. In Burp Suite, we click the “Proxy” tab, which opens directly on “Intercept”, and use the CTRL+I combination to send the “Raw” data to “Intruder”. In the “Intruder” section, we click “Positions” and select the directory value. In the “Payloads” section, under “Payload Sets”, we change the “Payload Type” to “Simple List”, then add the directory list under “Payload Options”. Then we click “Start Attack”, and the directory value changes automatically with each request. The “Request” and “Response” results are listed, and we order them by “Status” to see HTTP 200. Then we review the “Response

We find the login page, but we don’t have a username or password, so we try to log in with known information. The website responds only with “Invalid username”. At this point, we decide to get help from “hydra”.

After a brute-force attack on the username, we find the correct one, but we still don’t know the password. Now the response changes to “Invalid password”. The separate error messages are what make this two-stage approach work: they confirm a valid username before the password is known.

We continue with the same attack on the password for the known username, and finally we are in.

RESULT: The flag was captured.
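The login form above answers “Invalid username” and “Invalid password” separately and accepts unlimited guesses. The following is an added example, not code from the challenge or the original post: a login check that returns one generic message, does the same hashing work for unknown users, and throttles failures per client and per username. The user store, function names and limits are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

def _hash(password, salt):
    # PBKDF2 from the standard library; the iteration count is an example value
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}

# Dummy credential: unknown usernames cost the same hashing work as real ones
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password"  # same text for both failures
MAX_FAILURES, WINDOW_SECONDS = 5, 300
_failures = {}  # throttle key -> timestamps of recent failed attempts

def _throttled(key, now):
    # Keep only failures inside the sliding window, then compare to the limit
    recent = [t for t in _failures.get(key, []) if now - t < WINDOW_SECONDS]
    _failures[key] = recent
    return len(recent) >= MAX_FAILURES

def login(username, password, client_ip, now=None):
    """Return (status, message); never reveals whether the username exists."""
    now = time.time() if now is None else now
    keys = (("ip", client_ip), ("user", username))
    if any([_throttled(k, now) for k in keys]):
        return (429, "Too many attempts, try again later")
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return (200, "Welcome")
    for k in keys:  # count the failure against the client and the username
        _failures.setdefault(k, []).append(now)
    return (401, GENERIC_ERROR)
```

Throttling is applied to unknown usernames as well, so the 429 response does not reveal which accounts exist.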

We have the admin username and password, so we can edit any information about the products. First of all, we change a product’s information to a simple XSS to find out whether there is an XSS or not. The website returns our XSS, but we don’t know where it takes effect. Because of this, we decide to add the product to our cart and check it there.

RESULT: The flag was captured.
