Hello Reader, Hope you are doing well.
Trivial (1 / flag) - A little something to get you started
View the source code. It should be something like this.
We can see that background image has a URL link. "Background.png".
Lets try to visit this link: http://18.104.22.168/26be3662fe/background.png
Easy (2 / flag) - Micro CMS v1
We can observe that we can create and edit published pages.
Let's create a new page, we can observe that it redirects directly to the created page. That means the server communicates with database. There might be injection here. After a few tries I came across this on the edit page.
<img src=’abc' onclick=’alert(1)’>’
After observing, the page ID of the two default pages are 1 and 2, and the article ID of pages we created manually starts from 8. I tried to visit all the missing page IDs manually. It was discovered that all pages showed a 404 error except for page ID 5, which showed a 403 Forbidden error.
Let's try to access this page by 'edit' URL.
Let's try XSS in the input box. I tried a simple script tag.
At first, nothing happened but when I clicked on "Go Home" link. The flag popped up.
After XSS was identified in the title section, I tried to execute it in the content text box. After a few tries I observed that <script> tags were not allowed. So I tried following Payload: <IMG SRC=# onmouseover="alert('xxs')">
Moving your cursor over the image, XSS will be executed.
But I still did not get the flag. For that, I opened the page source of this page.
Moderate (3 / flag) - Micro CMS v2
When we click in "Create a new page", it takes us to login screen.
Try to add an inverted comma to it and we see that it throws an exception.
After trying a few SQL injection payloads I tried this one:
Username: ' UNION SELECT 'admin' AS password# Password = admin
This basically executes the following SQL Query: SELECT password FROM admins WHERE username='admin' UNION SELECT 'admin' AS password#
And we are able to login. Now open the "Private page" on home page and we get the flag.
Let's take a look at the hints, which stated:
- What actions could you perform as a regular user on the last level, which you can't now?
- Just because request fails with one method doesn't mean it will fail with a different method
So lets try to visit the edit page with normal user. We can see that it redirects us to the login page. Let's capture the request and try to modify the methods.
Let's replace GET method with POST method. And we get the flag.
The hint states that "Credentials are secret, flags are secret. Coincidence?", So Lets try SQL Injection to retrieve the contents of the database. Run the following command on sqlmap:
sqlmap http://22.214.171.124/e48623ef7c/login --data "username=a&password=b" --dbms=mysql --dbs
This database "level 2" seems interesting. Let's try to enumerate further.
sqlmap http://126.96.36.199/e48623ef7c/login --data "username=a&password=b" --dbms=mysql --dbs -D level2 -T admins --dump
Let's try to login with these credentials and we get the flag.
Hard (9 / flag) - Encrypted Pastebin
To be updated....