CTF — Hacker101 — Micro-CMS v2

Ravid Mazon
CyberX

--

After completing the first one (Micro-CMS v1, easy level), I moved on to v2, which was more challenging and took some time.

Let's start.

FLAG0

As you can see, v2 adds an authentication step: in order to create or edit pages, you have to log in first.

I played around with the login page (http://xxxx/yyyyy/login) and noticed that the username field is vulnerable to SQL injection.

So SQL injection it is; I had to decide whether to do it the manual way or the automated way (SQLMAP).

The third hint caught my eye, so I decided to do it the manual way.

Third hint

The hint tells us that sometimes we don't need to know the password in order to log in. Of course, we could brute-force our way in and find the credentials (which we will do later in this session), but we can also do something called a “login bypass”.

By setting the username and password as follows, we bypass the login:

username=admin' UNION SELECT 'PlayerX' AS password FROM admins WHERE '1' = '1

password=PlayerX

With these “credentials”, the query the server runs becomes:

SELECT password FROM admins WHERE username='admin' UNION SELECT 'PlayerX' AS password
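As an added illustration that is not part of the original write-up, here is how the bypass above plays out against a string-built query versus a parameterized one, using an in-memory SQLite stand-in for the CMS's admins table (the table and column names come from the write-up; the schema and the stored password are assumptions):

```python
import sqlite3

# The username payload from the write-up; the password sent alongside it is 'PlayerX'.
LOGIN_BYPASS_PAYLOAD = "admin' UNION SELECT 'PlayerX' AS password FROM admins WHERE '1' = '1"


def make_db():
    """Constructed in-memory stand-in for the CMS database (schema and password assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation, so the username becomes SQL text.

    With the payload above the statement expands to
    SELECT password FROM admins WHERE username='admin' UNION SELECT 'PlayerX' AS password FROM admins WHERE '1' = '1'
    and the attacker-chosen row 'PlayerX' comes back as if it were a stored password.
    """
    query = f"SELECT password FROM admins WHERE username='{username}'"
    rows = conn.execute(query).fetchall()
    # The application accepts the login if any returned password matches the one supplied.
    return any(row[0] == password for row in rows)


def login_parameterized(conn, username, password):
    """Binds the username as a parameter: it is compared as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT password FROM admins WHERE username = ?", (username,)
    ).fetchall()
    return any(row[0] == password for row in rows)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real creds:    ", login_vulnerable(conn, "admin", "correct-horse-battery"))
    print("vulnerable, bypass payload:", login_vulnerable(conn, LOGIN_BYPASS_PAYLOAD, "PlayerX"))
    print("parameterized, bypass:     ", login_parameterized(conn, LOGIN_BYPASS_PAYLOAD, "PlayerX"))
```

The stand-in stores the password in plaintext to mirror what the later database dump shows; a real application would store a password hash and compare against that instead.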

Trying this in Burp, I got a 200 OK and saw that I had successfully logged in.

200 OK — I'm logged in now

After logging in, I noticed that I now had access to a private page that was not available before.

New and private page

Opening this page gave me the first flag! (In the section for the third flag we will see another way to get it.)

FLAG1

So let's assume that we want to edit a page as we did in v1.

We already know that performing such an action requires authenticating first. So suppose we weren't familiar with the method from flag0 and hadn't found any credentials to log in with; does that mean we will never be able to edit a page?

Obama saying: “YES, WE CAN”.

If one method brings no luck, let's try another: editing a page without being authenticated at all, or in other words, an “authentication bypass”.

Actually, it is really simple and there are various ways to do it; one of them is curl.

By sending a POST request directly to the edit page on the web server with curl, I bypassed the authentication and got a 200 OK instead of a “301 Redirect” to the login page, and there was our flag!

Bypassing authentication and getting the second flag

FLAG2

Looking at the hint for this stage, we can assume that this time we need to find the admin's actual credentials in order to get the flag.

Hint for the last flag

Having done it the manual way for flag0, here I chose the automated way with our beloved SQLMAP.

PoC:

  1. Using Burp, capture a POST request to the login page made with any credentials.
  2. Copy the content of the request into a text file and give it a name.
  3. The text file with the POST request should look something like this:

text file with the POST request to the login page

  4. Run SQLMAP against it: sudo sqlmap -r sqltest.txt --dump
  5. Read the admin’s credentials from the database ‘level2’, table ‘admins’:

Admin’s credentials

Logging in with these credentials gave us the last flag! Whoa!

P.S. — As I mentioned before, we can get the first flag with this method as well. SQLMAP revealed not only the content of the ‘admins’ table but also the content of the ‘pages’ table, which includes the id, title and body of every page in the database, including the private page.

Flag0 — Found via SQLMAP
