Hacker101 CTF Solutions

basic Mar 21, 2020

Hello Reader, Hope you are doing well.

The Hacker101 CTF is a game designed to let you learn to hack in a safe, rewarding environment. Hacker101 is a free educational site for hackers, run by HackerOne.

Trivial (1 / flag) - A little something to get you started

View the source code. It should be something like this.

We can see that background image has a URL link. "Background.png".

Lets try to visit this link:

Easy (2 / flag) - Micro CMS v1

We can observe that we can create and edit published pages.

Flag 1

Let's create a new page, we can observe that it redirects directly to the created page. That means the server communicates with database. There might be injection here. After a few tries I came across this on the edit page.

<img src=’abc' onclick=’alert(1)’>’

Flag 2

After observing, the page ID of the two default pages are 1 and 2, and the article ID of pages we created manually starts from 8. I tried to visit all the missing page IDs manually. It was discovered that all pages showed a 404 error except for page ID 5, which showed a 403 Forbidden error.

Let's try to access this page by 'edit' URL.

Flag 3

Let's try XSS in the input box. I tried a simple script tag.

At first, nothing happened but when I clicked on "Go Home" link. The flag popped up.

Flag 4

After XSS was identified in the title section, I tried to execute it in the content text box. After a few tries I observed that <script> tags were not allowed. So I tried following Payload:  <IMG SRC=# onmouseover="alert('xxs')">

Moving your cursor over the image, XSS will be executed.

But I still did not get the flag. For that, I opened the page source of this page.

Moderate (3 / flag) - Micro CMS v2

When we click in "Create a new page", it takes us to login screen.

Flag 1

Try to add an inverted comma to it and we see that it throws an exception.

After trying a few SQL injection payloads I tried this one:

Username: ' UNION SELECT 'admin' AS password# Password = admin

This basically executes the following SQL Query: SELECT password FROM admins WHERE username='admin' UNION SELECT 'admin' AS password#

And we are able to login. Now open the "Private page" on home page and we get the flag.

Flag 2

Let's take a look at the hints, which stated:

  • What actions could you perform as a regular user on the last level, which you can't now?
  • Just because request fails with one method doesn't mean it will fail with a different method

So lets try to visit the edit page with normal user. We can see that it redirects us to the login page. Let's capture the request and try to modify the methods.

Let's replace GET method with POST method. And we get the flag.

Flag 3

The hint states that "Credentials are secret, flags are secret. Coincidence?", So Lets try SQL Injection to retrieve the contents of the database. Run the following command on sqlmap:

sqlmap --data "username=a&password=b" --dbms=mysql --dbs

This database "level 2" seems interesting. Let's try to enumerate further.

sqlmap --data "username=a&password=b" --dbms=mysql --dbs -D level2 -T admins --dump

Let's try to login with these credentials and we get the flag.

Hard (9 / flag) - Encrypted Pastebin

Stay tuned.

To be updated....

Anmol Nayyar

I'm a Cyber Security Professional, assisting clients in enhancing their security posture by providing security consulting services. An information security enthusiast, actively enhancing my skill set.