Hacker101 CTF - Postbook Walkthrough

Michal A
6 min read · Dec 23, 2023


Postbook is a beginner-friendly, easy difficulty Web CTF from the Hacker101 CTF platform.
This CTF contains seven hidden flags, and in this walkthrough I will guide you step by step through the process of uncovering each one.

Postbook CTF description

So, click on the ‘start’ button and let’s find the first flag! (:

When entering the CTF, you’ll encounter a welcoming page offering sign-in and sign-up options:

Postbook’s welcome page.

Since I don’t have a user, I’ll create one and log in:

Create a user.
Log in with the user you created.

With access gained, I can now explore a variety of new features. I’ll test these functions to uncover anything of interest.

I’ll start with creating a new post:

Create a new post.

I’ll use Burp Suite to intercept and modify my requests.

Burp Suite is a valuable tool for exploring and exploiting vulnerabilities in web applications. It allows for interception and manipulation of web traffic, enabling the discovery and exploitation of security weaknesses.

To intercept requests using Burp Suite, navigate to the ‘Proxy’ tab, click on ‘Open browser,’ and access the CTF’s site through this browser.
Navigate to the ‘HTTP history’ tab and examine the requests.

While examining the POST request, I identified an interesting parameter that caught my attention:

Interesting parameter inside the POST request.

This is interesting because the value of this parameter is predictable (a small sequential integer rather than a hash or a random value). Since my user_id is 3 and I’m the newest user, I’ll try changing the ‘user_id’ value to ‘1’ or ‘2’ and observe the responses.

In order to modify the request, I’ll send the request to Burp’s Repeater:

Right-click on the POST request and choose ‘Send to Repeater’.

I’ll modify the ‘user_id’ value to ‘1’ and send it:

Modify the request and click on ‘Send’.
Click on ‘Follow redirection’.
Observe the ‘message’ value and capture the flag.

Captured the first flag! 🚩

1 / 7 🚩

Let’s move on to the second flag.

I noticed two existing posts:

2 pre-existing posts.

After clicking on the link to the first post, I observed an interesting parameter in the URL:

Interesting parameter in the URL.

Similar to the earlier parameter we encountered, the ‘id’ parameter in this case also appears to be predictable. Based on this observation, I’ll attempt to enumerate additional post IDs.

To do so, I’ll use Burp’s Intruder:

Right-click on the GET request and choose ‘Send to Intruder’.
Mark the id value and click on ‘Add’.
In the ‘Payloads’ tab, change the payload type to ‘Numbers’, set the range to 0–1000 and click on ‘Start attack’.
Intruder’s results.

Analyzing the length of the responses led me to identify valid post IDs: responses longer than 1500 bytes correspond to requests with valid post IDs, while the shorter ones are the generic “not found” page. So, my next step is to access these posts by altering the ‘id’ value in the URL to each of the identified valid IDs.
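The Intruder run above walks ‘id’ from 0 to 1000 in a few seconds, which is a very loud pattern in a web server’s access log. As an added example (not part of the original walkthrough or the CTF’s code), here is a small detector that parses common-log-format lines and flags any client that requests many distinct ‘id’ values inside a short window. The log lines, the ‘/view?id=’ path and the thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format; the request path is where the enumerated id lives.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
ID_RE = re.compile(r'[?&]id=([0-9a-fA-F]+)')  # plain integers or md5-style hex ids


def parse_line(line):
    """Return a dict with ip, timestamp, id (or None), status and size, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    idm = ID_RE.search(m['path'])
    size = 0 if m['size'] == '-' else int(m['size'])
    return {'ip': m['ip'], 'ts': ts, 'id': idm.group(1) if idm else None,
            'status': int(m['status']), 'size': size}


def find_enumerators(log_text, window=timedelta(seconds=60), threshold=5):
    """Map ip -> max number of distinct ids requested within any sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev['id'] is not None:
            events[ev['ip']].append((ev['ts'], ev['id']))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:  # slide the window start forward
                lo += 1
            distinct = {pid for _, pid in evs[lo:hi + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def _line(ip, sec, pid, status, size):  # constructed sample line builder
    return f'{ip} - - [23/Dec/2023:10:00:{sec:02d} +0000] "GET /view?id={pid} HTTP/1.1" {status} {size}'

# Constructed sample: one client walking id=0..7 in 8 seconds (only 3 ids exist),
# and one ordinary client reading two posts half a minute apart.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, s, 200 if s in (1, 2, 7) else 404, 1843 if s in (1, 2, 7) else 412)
     for s in range(8)]
    + [_line("10.0.0.9", 30, 1, 200, 1843), _line("10.0.0.9", 45, 2, 200, 1901)]
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'10.0.0.5': 8}
```

The detector only reports the symptom; the fix for the flag itself is a server-side ownership check on every post read, edit and delete, so that a valid but foreign ‘id’ returns 403 regardless of how it was guessed.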

I’ll begin by exploring the post ID value ‘945’, as it appears to be the most interesting among the identified IDs:

Modify the ‘id’ value to ‘945’ in the URL and capture the second flag.

Captured the second flag! 🚩

2 / 7 🚩🚩

Next, I’ll test the value ‘2’:

Modify the ‘id’ value to ‘2’ in the URL and capture the third flag.

Captured the third flag! 🚩

3 / 7 🚩🚩🚩

Let’s move on to the next flag.

I observed two additional functions available — ‘edit’ and ‘delete’:

‘edit’ & ‘delete’ functions.

I’ll test the ‘edit’ function first:

The ‘id’ parameter appears again in the edit posts’ URL.

The ‘id’ parameter appears to be a common element here as well, so maybe I can edit other users’ posts by altering the ‘id’ value to one of the post IDs I previously identified.

I’ll modify the ‘id’ value to ‘2’ and observe the response:

Modify the ‘id’ value to ‘2’ and press Enter.

It worked!

I’ll edit and save the post:

Edit and save the post.
Capture the fourth flag.

Captured the fourth flag! 🚩

4 / 7 🚩🚩🚩🚩

Next, I’ll test the ‘delete’ function:

Click on ‘delete’.

I observed that the GET request also includes the ‘id’ parameter, yet intriguingly, its value differs from previous instances:

The ‘id’ parameter is present once more in the request, but this time with a distinct value.

After conducting a basic Google search, I identified that this particular value is in fact an MD5 hash.

The results from a Google search suggest that the value associated with the ‘id’ parameter is likely an MD5 hash.

Knowing now that this value is an MD5 hash, I’ll try to reverse it with an online MD5 lookup site. (MD5 is a one-way hash rather than encryption, so this only works because the original input is a short, guessable value that such sites have precomputed.)

Look up the MD5 hash of the ‘id’ value using the website https://10015.io/tools/md5-encrypt-decrypt (you can use other websites if you wish).

The ‘id’ value is 4!

I’ll compute the MD5 hash of the number ‘2’ and then modify the GET request:

Hash the number ‘2’ with MD5 and copy the output.
Modify the ‘id’ value in the GET request and send the request.
Observe the ‘message’ value and capture the fifth flag.

Captured the fifth flag! 🚩

5 / 7 🚩🚩🚩🚩🚩

Let’s move on to the next flag.

I observed that all the requests also include a cookie value, which, interestingly, is also an MD5 hash:

The Cookie ‘id’ parameter contains an MD5 hash value.

The Cookie ‘id’ value is identical to the one I previously encountered, indicating that the ‘id’ value in this context is also ‘4’.

I’ll compute the MD5 hash of the number ‘1’ and modify the ‘id’ value:

Hash the number ‘1’ with MD5 and copy the output.
Modify the ‘id’ value and send the request.
In the response, scroll down and search for the flag.
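Both the ‘delete’ id and the session cookie above hide a tiny integer behind an unsalted MD5, which a lookup table of a few thousand hashes reverses instantly. As an added example (not part of the original walkthrough or the CTF’s code), the block below builds that table and reverses the hashes seen in the post, then shows the defensive alternative: an HMAC tag under a server-side key, which cannot be forged for another id without the key. SERVER_KEY, make_token and verify_token are hypothetical names for the demo, and the token still needs an ownership check on the server.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def build_lookup(limit: int = 10000) -> Dict[str, str]:
    """Precompute md5('0')..md5(str(limit-1)): the entire search space when ids are small integers."""
    return {md5_hex(str(i)): str(i) for i in range(limit)}


def reverse_md5_id(digest: str, table: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the integer string whose md5 matches digest, or None if it is outside the table."""
    table = table if table is not None else build_lookup()
    return table.get(digest.lower())


# Hardened alternative: bind the id to a secret the client never sees.
# In a real app the key lives in server configuration, never in a URL or cookie.
SERVER_KEY = secrets.token_bytes(32)


def make_token(post_id: int, key: bytes = SERVER_KEY) -> str:
    tag = hmac.new(key, str(post_id).encode(), hashlib.sha256).hexdigest()
    return f"{post_id}.{tag}"


def verify_token(token: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the post id if the tag is valid for it, else None. Authorization is a separate step."""
    try:
        pid, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, pid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return int(pid)


if __name__ == "__main__":
    table = build_lookup()
    for d in (md5_hex("4"), md5_hex("2"), md5_hex("1")):
        print(d, "->", reverse_md5_id(d, table))
    tok = make_token(4)
    print(tok, verify_token(tok), verify_token("2." + tok.split(".", 1)[1]))
```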

We’ve successfully captured the sixth flag! Only one final flag remains to be found! 🚩

6 / 7 🚩🚩🚩🚩🚩🚩

Let’s move on to the last flag! (:

I observed that there is a user called ‘user’ on the website:

A user called ‘user’.

I’ll attempt to brute-force the password for the ‘user’ account using Burp Suite’s Intruder:

Log out of your current account, then sign in using the username ‘user’. Enter a random password and click on ‘Submit’.
Right-click on the POST request and choose ‘Send to Intruder’.
Mark the password value and click on ‘Add’.
In the ‘Payloads’ tab, click on ‘Add from a list’.
Choose the ‘Passwords’ option and click on ‘Start attack’.
Intruder’s results.

After analyzing the status codes, I’ve determined that the password for the ‘user’ account is ‘password’. The password is not case-sensitive, meaning variations like ‘Password’ and ‘PASSWORD’ are also valid.

With the ‘user’ account password now known, I’ll proceed to log into the user’s account.

Log in to the user’s account and capture the final flag.

Success! Captured the seventh and final flag! 🚩

7 / 7 🚩🚩🚩🚩🚩🚩🚩

Thank you for taking the time to read this walkthrough, and I hope that it has been informative and valuable to you.

Happy hacking! 🖤
