.png)
3 months ago
31 BOOK THIS SPACE FOR AD
ARTICLE AD
This one was some of fastest CTFs I have ever done! Seven flags are needed to be found, yet I was able to find 2 flags at once one time, but I also got stuck at some stupid places as well. Yeah! Can you believe it? Anyways, it's fun and a great experience.
No. of Flags — 7 | Skill required — Web
Flag 0
This one was by far the easiest to find. The fact that I was able to guess the password made me think that maybe the room is really that easy.
I don’t suggest doing this because it might give you false confidence like it did to me. Try other ways, try brute-forcing or find logic errors ( I'm giving you better paths to follow than simply guess. )
Still if you want to go through my path, my first guess was admin, and next was password which was INDEED the password! 😅
The moment you login, you get your flag!
Flag 1
I suggest you make a new user and make 2-3 random posts. They'll help you get some of the other flags!
I can suggest you one path which gives you one flag at this point, or another which gives you 2 flags. In case you want 2 flags, it will be flag 1 and flag 4.
Just Flag1If you want flag 1 only, open one of the posts you made as new user. Then in the URL, if you can see the parameters id, change it to any other number and see if it views other persons post. I suggest changing the id parameter to 1.
If the post id you enter is correct and someone else's post is made visible to you, you'll get the flag1.
2 Flags (Flag1 & Flag5)You can get another flag in a similar way. Instead of changing the id while viewing the post, change it while editing the post. This would give you 2 flags at once, flag1, as well as flag4.
If you check the hints, you’ll know why you got 2 flag. I was astounded myself for getting 2 flags!
Flag2
Not only you can view or edit other peoples posts, you create posts as other users as well.
With the user you created, go to the page where you make posts, TYPE a post, and BEFORE posting it, while INSPECTING (I use Firefox) in the Dev-Tools, I found a hidden <input> element passing user_id parameter.
This parameter contains your user-id. If you change it before hitting post, you make that post in the name of that user-id you stated.
Doing this gives you your flag2.
Flag3
This was the weirdest of all to think about. Funny enough, when I checked the hint, for some reason, I started thinking that, maybe one of the input parameters is vulnerable to XSS. 😂 Or SQLi or something more "complicated"!
What my stupid-brain didn’t think about, is of simply multiplying the given numbers in hint, and shoving the product at the id parameter. I was far from the idea of considering it as an endpoint.
Going to that endpoint would give you your flag3.
Flag4
I don’t think I need to explain how I got this flag. It’s pretty clear in the explanation of Flag 1 about how I got this flag.
Still I can repeat. This flag checks if you can edit someone else’s post, which CAN be done by changing the id parameter while making the edits, before hitting post.
Thus you have your flag4 .
Flag5
COOKIES, YAY! This flag can be obtained by logging in as admin, using cookies. Hints suggested that this site allows staying logged in with the help of cookies.
What WE do, is sign-in as our user and in the STORAGE tab of our Dev-Tools, check for what kind of cookies we have. One of them is names as our username which has a random value.
But we know from Flag2 that our user-id has numerical value. Then what is it? Upon taking that string and using Hash-identifier to check if it is some sort of hash or not, we find that it actually IS the hash of our user-id.
Meaning, if we can get user-id of other users, hash it as MD5 ( that was the identified hash earlier ), put it in as the cookie value, we might be able to login as the user whose user-id we used.
Let me put it this way:
our user (let say, user-id=5) which in MD5 hash would be e4da3b7fbbce2345d7772b0674a318d5let say we want to change to admin ( let say, user-id=1) which would be c4ca4238a0b923820dcc509a6f75849b in MD5.So, we use the MD5 of admin, paste it in the cookie-value of OUR USER and refresh the page.
Now if you check the profile page, you’ll see that you are now logged in as admin ( well, based on case explained. Use actual values from site when doing this. )
And you have your flag5.
Flag6
This was by far the worst one I was looking for but couldn’t find. WHY? Stupid-brain again! Turns out, I was unable to understand the ENGLISH that was being used in hint.
What I realised later, is that, when posts can be made/edited as other users, they can be deleted as well!
Simple as that, ain’t it? I took me 4 websites to understand this, which was being said in the hint!
But now that we know what to do, we do it. Login as our created user, when deleting a post, we see how the page behaves, what kind of requests and responses we get.
When you are doing this kind of stuff, I suggest either do it while your NETWORK tab from Dev-Tool is open, or intercept the request using proxy like BurpSuite or CAIDO.
I prefer NETWORK tab, because smooth operation and silky response is my…. THING…
Now if you see the request made, you’ll see that the deleting request uses HASH of post id instead of the number. So, in order to delete someone else's post, all we need is the id of their post.
If we hash it, and use it in the URL instead of the selected the post, then THAT particular post get’s deleted instead of what CHOSE to delete at first.
You do that, and you get your one last FLAG, flag6.
With that, we are so done with this CTF! Hope you enjoyed my write-up! If you did, give claps to my story, share among people who YOU think might like my write-up, and I’ll see you soon, with another story.
Probably with lesser stupidity on my end!😅
Next CTF > L7 — Ticketastic: Demo Instance > Coming Soon
Bengali (Bangladesh) · 
English (United States) ·