L1 — Micro-CMS v1


scissor_seven

This CTF is gonna make you explore!!!

No. of Flags to Find : 4 | Skills Required : Web

So, a new challenge and from 1 we have been directly promoted to find 4 flags! Wonder how that's gonna go!

Since it says 4 flags, I will be assuming these are four different flags, meaning one would not show for the same thing twice! So let's get prepared to be tested.

Once we start the lab, the first thing to note is that it takes some time to come up, so have patience. Then we are introduced to the test arena: 2 links, and 1 Create New Page option.

1. The SQLi

When we go to the first page, Testing, it says some silly things, but it leaks some minor info if we look carefully. Look at the URL, and at the page source as well, and you'll notice that each page has an id parameter with a numeric value.

A simple payload of a single quote (') at the end of the URL revealed one of our flags.
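Why a lone quote is enough to expose something: the id from the URL is pasted into the SQL text, so the quote breaks the statement and the database throws an error that the app then shows to the browser. The snippet below is an added example, not the Micro-CMS code (the table name and columns are my own assumptions): it puts the concatenating lookup next to the parameterized one and shows how a reviewer can probe both with the same input.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the CMS page table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Testing", "some silly things"), (2, "Markdown Test", "cat photo-text")],
    )
    conn.commit()
    return conn


def lookup_page_vulnerable(conn, page_id):
    # The untrusted id is spliced straight into the SQL string. A stray quote
    # in page_id changes the statement's syntax and sqlite raises an error;
    # an app that echoes that error to the user leaks internals.
    sql = f"SELECT id, title, body FROM pages WHERE id = '{page_id}'"
    return conn.execute(sql).fetchone()


def lookup_page_safe(conn, page_id):
    # Parameter binding keeps the id as data, so it can never alter the query.
    # Rejecting non-numeric ids up front is a second, independent layer.
    if not str(page_id).isdigit():
        return None
    return conn.execute(
        "SELECT id, title, body FROM pages WHERE id = ?", (int(page_id),)
    ).fetchone()


def probe(conn, page_id):
    """Run the vulnerable lookup and classify the outcome instead of crashing.

    Returns ("ok", row) or ("db_error", message). A 'db_error' on a quoted
    input is the signal that untrusted data reached the SQL text.
    """
    try:
        return ("ok", lookup_page_vulnerable(conn, page_id))
    except sqlite3.OperationalError as exc:
        return ("db_error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "1"))      # ('ok', (1, 'Testing', ...))
    print(probe(db, "1'"))     # ('db_error', 'unrecognized token: ...')
    print(lookup_page_safe(db, "1'"))  # None: the input never reaches SQL
```

The fix is the second function: bind the value, and on top of that never surface raw database errors to the client, because the error page is what turned a syntax error into an information leak here.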

2. XSS 1 — <script>

Now that we are done with SQL Injection, let’s try some XSS. On Create New Page, we see that we can make a new page, and its content will be stored in Markdown format.

Below that, it clearly states ‘no scripts allowed’. After testing all kinds of script tags in the content, it dawned on me that maybe the title could hold a script tag. I made a simple payload:

Hello<script>alert('Possible_XSS')</script>

With this in the title of our note, I proceeded, and when I returned to the home page the payload worked like a charm! Got our second flag.

3. XSS 2 — Event_handler()

Moving on to our next flag, we visit our second default page, the Markdown one. There we find nothing much of interest: a cat photo in text and an HTML button that does nothing.

But when we go to the edit section of the same page (there’s an edit link for every page in our test arena), we see that the button could be a possible XSS vector, since we already know that no scripts are allowed in our note.

We add an event handler by altering our button tag:

<button onclick=alert('XSS_Event-Handler_btn-clk')>SAVE</button>

Once done editing, we save and go back to our Markdown note, click on the button and VOILA, it runs! But wait, no flag though! Hmm… 🤔 Let’s inspect our page… Oh! There you are, you little devil! The flag can be found in the page source.
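Both XSS flags come from the same root cause, handled two different ways: the title is plain text and simply never got escaped, while the content is HTML that was filtered for `<script>` tags but not for `on*` attributes. The code below is an added example of my own, not the Micro-CMS code; the tag and attribute allowlist is an assumption chosen to keep the page's own `<button>` working. It escapes the title and runs the content through an allowlist sanitizer that drops script blocks, every event-handler attribute, and `javascript:` URLs.

```python
import html
from html.parser import HTMLParser

# Allowlist (assumed, not the CMS's own): tags to keep and the attributes
# each may carry. Anything not listed is dropped.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"}, "img": {"src", "alt"}, "button": {"type"},
}
DROP_WITH_CONTENT = {"script", "style"}   # tag and its text both vanish
VOID = {"br", "img"}                       # no closing tag emitted


def _safe_url(value):
    # Allow http(s) and site-relative URLs; anything with another scheme
    # (javascript:, data:, vbscript:) is rejected.
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://", "/")) or ":" not in v


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # >0 while inside a <script>/<style> block

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Event handlers (onclick, onerror, ...) are never allowed,
            # whatever the tag; other attributes must be on the allowlist.
            if name.startswith("on") or name not in ALLOWED[tag]:
                continue
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped so decoded entities cannot form new tags.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def render_title(title):
    # A title is plain text: escape it on output, never interpret it as HTML.
    return html.escape(title, quote=True)


def render_page(title, content):
    return f"<h1>{render_title(title)}</h1>\n{sanitize_html(content)}"


if __name__ == "__main__":
    print(render_page("Hello<script>alert('Possible_XSS')</script>",
                      "<button onclick=alert('XSS_Event-Handler_btn-clk')>SAVE</button>"))
```

Blocking the literal string `<script>` is the mistake this lab is built around: a denylist has to anticipate every vector, while an allowlist only has to describe what the page legitimately needs. A maintained library (bleach, nh3, DOMPurify on the client) does the same job with far more edge cases covered than this sketch.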

4. 403 — Unauthorized Access

This one was a tad bit difficult to find, since it does not present itself directly unless we make a page, or a few, just for test purposes.

If you looked at the source of each page and how they were ID’d, you’d see that the default ones have IDs 1 and 2, but the page we make starts from a seemingly random number, not far from the previous ones, so there is a gap in the IDs.

But when you make another note, it is sequenced right after your previous, custom note! What does it mean???

Probably, some IDs have been kept reserved. What do we do then? We access them one by one by altering the ID in our URL.

By now, there are a few things that should be taken as given:

How pages are indexed: the endpoint for each main page and its edit page differ by one directory in the URL, which is the .../edit/... part.

While you are testing the IDs, all but one will give a common response such as 404 Not Found. BUT one will give 403 - Unauthorized Access, or something similar like Access Not Allowed. That's our target. If you read what it says, it's something like: only permitted users are allowed to read it.
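From the server side, the walk through the IDs described above leaves a very recognisable trail: one client, many distinct ids in sequence, mostly 404s, a single 403, and then a successful hit on the edit URL of the id that was forbidden. The detector below is an added example, not anything from the CTF: it runs over a few constructed access-log lines (the `/page/<id>` and `/page/edit/<id>` URL shape is my assumption, the writeup only says the edit URL adds an `/edit/` segment) and flags clients that enumerate ids, reporting any id that returned 403 and was afterwards edited.

```python
import re
from collections import defaultdict

# Simplified access-log line, constructed for this example:
#   client - - [timestamp] "METHOD path HTTP/1.1" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed URL shape: /page/<id> for viewing and /page/edit/<id> for editing.
PAGE_RE = re.compile(r"^/page/(?P<edit>edit/)?(?P<id>\d+)$")

# Constructed sample: 203.0.113.5 browses normally; 198.51.100.7 walks ids
# 1..9, gets a 403 on id 6, then loads the edit URL for id 6.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /page/1 HTTP/1.1" 200
203.0.113.5 - - [10/Oct/2023:12:00:04 +0000] "GET /page/2 HTTP/1.1" 200
198.51.100.7 - - [10/Oct/2023:12:01:00 +0000] "GET /page/1 HTTP/1.1" 200
198.51.100.7 - - [10/Oct/2023:12:01:01 +0000] "GET /page/2 HTTP/1.1" 200
198.51.100.7 - - [10/Oct/2023:12:01:02 +0000] "GET /page/3 HTTP/1.1" 404
198.51.100.7 - - [10/Oct/2023:12:01:03 +0000] "GET /page/4 HTTP/1.1" 404
198.51.100.7 - - [10/Oct/2023:12:01:04 +0000] "GET /page/5 HTTP/1.1" 404
198.51.100.7 - - [10/Oct/2023:12:01:05 +0000] "GET /page/6 HTTP/1.1" 403
198.51.100.7 - - [10/Oct/2023:12:01:06 +0000] "GET /page/7 HTTP/1.1" 404
198.51.100.7 - - [10/Oct/2023:12:01:07 +0000] "GET /page/8 HTTP/1.1" 404
198.51.100.7 - - [10/Oct/2023:12:01:08 +0000] "GET /page/9 HTTP/1.1" 404
198.51.100.7 - - [10/Oct/2023:12:01:15 +0000] "GET /page/edit/6 HTTP/1.1" 200
"""


def parse_line(line):
    """Return {ip, id, edit, status} for a page request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PAGE_RE.match(m["path"])
    if not p:
        return None
    return {"ip": m["ip"], "id": int(p["id"]),
            "edit": bool(p["edit"]), "status": int(m["status"])}


def find_enumerators(lines, min_ids=5, min_error_ratio=0.5):
    """Flag clients touching many distinct ids with a high 4xx ratio."""
    stats = defaultdict(lambda: {"ids": set(), "total": 0, "errors": 0,
                                 "forbidden": set(), "edited": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["ids"].add(rec["id"])
        s["total"] += 1
        if 400 <= rec["status"] < 500:
            s["errors"] += 1
        if rec["status"] == 403:
            s["forbidden"].add(rec["id"])
        if rec["edit"] and rec["status"] == 200:
            s["edited"].add(rec["id"])

    alerts = {}
    for ip, s in stats.items():
        ratio = s["errors"] / s["total"]
        if len(s["ids"]) >= min_ids and ratio >= min_error_ratio:
            alerts[ip] = {
                "distinct_ids": len(s["ids"]),
                "error_ratio": round(ratio, 2),
                "forbidden_ids": sorted(s["forbidden"]),
                # 403 on view followed by 200 on edit: the authz gap itself
                "forbidden_then_edited": sorted(s["forbidden"] & s["edited"]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The last field is the one worth paging on: a 403 on the view route followed by a 200 on the edit route for the same id is not scanning noise, it is the access-control bug being exercised.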

Since we cannot access the contents of the page anyway, we take out the big guns. Meaning, we edit the URL and add /edit/<unauth_id>, where unauth_id is the ID of this unauthorized page.

And you’ll find your last flag there! Congrats on completing your second CTF on HackerOne!
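The last flag exists because the view route enforces the page's permissions and the edit route does not, even though editing is the more sensitive operation. The code below is an added example of my own (not the Micro-CMS source; the page store, user model and permission rules are assumptions) showing the forgotten check next to a version where one decorator resolves the page and applies the access rule, so a new route cannot skip it.

```python
from dataclasses import dataclass, field
from functools import wraps


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass
class Page:
    id: int
    title: str
    body: str
    private: bool = False
    readers: frozenset = field(default_factory=frozenset)


ANON = User("anonymous")

# Constructed store: 1 and 2 are the public defaults; 3 stands in for the
# reserved, unlisted page. Its body is a placeholder, not the CTF flag.
PAGES = {
    1: Page(1, "Testing", "some silly things"),
    2: Page(2, "Markdown Test", "cat photo-text and a button"),
    3: Page(3, "Private", "FLAG_PLACEHOLDER", private=True,
            readers=frozenset({"alice"})),
}


def can_read(page, user):
    return (not page.private) or user.is_admin or user.name in page.readers


def can_edit(page, user):
    # Editing implies reading; private pages are editable by admins only.
    return can_read(page, user) and (user.is_admin or not page.private)


def authorize(check):
    """Route decorator: look the page up, apply one access check, then run."""
    def deco(handler):
        @wraps(handler)
        def wrapper(page_id, user):
            page = PAGES.get(page_id)
            if page is None:
                return 404, None
            if not check(page, user):
                return 403, None
            return handler(page, user)
        return wrapper
    return deco


# Vulnerable pattern: each route does its own lookup, and the edit route
# simply forgot the permission check (the lab's fourth flag).
def view_vulnerable(page_id, user):
    page = PAGES.get(page_id)
    if page is None:
        return 404, None
    if not can_read(page, user):
        return 403, None
    return 200, page.body


def edit_vulnerable(page_id, user):
    page = PAGES.get(page_id)
    if page is None:
        return 404, None
    return 200, page.body   # no authorization at all


# Fixed pattern: the check is declared on the route, not re-implemented in it.
@authorize(can_read)
def view_fixed(page, user):
    return 200, page.body


@authorize(can_edit)
def edit_fixed(page, user):
    return 200, page.body


if __name__ == "__main__":
    print(view_vulnerable(3, ANON), edit_vulnerable(3, ANON))  # (403, None) (200, ...)
    print(view_fixed(3, ANON), edit_fixed(3, ANON))            # (403, None) (403, None)
```

Two design notes. First, centralising the lookup-then-check in `authorize` means every handler that takes a page id goes through the same gate, which is what a code review of the original app would have asked for. Second, the 403 on the view route is what told us the reserved page existed at all; answering 404 to both missing and forbidden ids removes that oracle, at the cost of less helpful errors for legitimate users.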

Moving on to the Next CTF >> L2 : L2 — Micro-CMS v2
