
Hacker101 - Micro-CMS v1 writeup

There are 4 flags (= at least 4 vulnerabilities) in this website. We need to hunt them all.

The landing page is:

We can create our own page using Markdown.

Flag 1 - Stored XSS on Title

An XSS in the Title input:

Flag 2 - Stored XSS on Body

The <script>alert(1);</script> payload is filtered in the page body.
However, we can use the <img> tag to trigger the XSS:

Flag 3 - Broken access control

We notice that the posts we create are indexed sequentially starting from 10. The indexes between 3 and 9 (inclusive) are not used, which is strange behavior.

So, we try to access those indices using ffuf.

As we can see, we get a weird 403 for index 7, namely http://35.190.155.168/eed29828c5/page/7

Since access to this resource is forbidden, we can check whether it can be reached in other ways.

The website offers the possibility to edit previously created pages. So we can try to edit the page at index 7 by visiting the page /eed29828c5/page/edit/7.

Access to the resource is not forbidden this time, and there we find our flag.
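The mismatch described above, as an added example (not code from the original post or from Micro-CMS): a constructed page store where the view handler enforces the private-page check but the edit handler does not, the fix of routing both through one lookup, and an audit helper that flags any handler serving a page the view route refuses. All names (`PAGES`, `load_authorized`, `audit`, the `is_admin` field) are assumptions made for illustration.

```python
class Forbidden(Exception):
    """Maps to an HTTP 403 response."""

# Constructed sample data: page 7 is private, as in the writeup.
PAGES = {
    1: {"title": "Testing", "body": "public page", "private": False},
    7: {"title": "Private Page", "body": "secret body", "private": True},
}

def load_authorized(page_id, user):
    """Single choke point: every handler that touches a page goes through here."""
    page = PAGES.get(page_id)
    if page is None:
        raise KeyError(page_id)  # would map to a 404
    if page["private"] and not user.get("is_admin", False):
        raise Forbidden(page_id)
    return page

def view_page(page_id, user):
    return load_authorized(page_id, user)["body"]

def edit_form_vulnerable(page_id, user):
    # The flaw: the edit route reads the record directly, so the check
    # enforced on /page/7 never runs for /page/edit/7.
    return PAGES[page_id]["body"]

def edit_form_fixed(page_id, user):
    # Same lookup-and-check as the view route.
    return load_authorized(page_id, user)["body"]

def audit(handlers, user):
    """List (handler, page_id) pairs served although view_page refuses them."""
    leaks = []
    for handler in handlers:
        for page_id in PAGES:
            try:
                view_page(page_id, user)
                continue  # view route allows it: nothing to compare
            except Forbidden:
                pass
            try:
                handler(page_id, user)
            except Forbidden:
                continue
            leaks.append((handler.__name__, page_id))
    return leaks
```

Run as a regression test over every route that accepts a page ID, `audit` catches a new handler that skips the shared check before it ships.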

Flag 4 - Tweaking URL inputs

We try to think about the URL inputs that may not be hardcoded in the web app.

Since the page ID may be one of those, we try to replace the expected integer with a special character.

We surprisingly get the flag when we provide a single quote '.

The application is probably crashing due to SQL injection and printing the flag to the page as an error.

This post is licensed under CC BY 4.0 by the author.