L9 — Petshop Pro


RECONNAISSANCE

As with any CTF or challenge, we start this one with some ACTIVE RECON: our usual cocktail of two NMAP scans and one directory enumeration with GoBuster.

NMAP — PORTS & SCRIPTS

nmap --top-ports 50 <target_site_LINK> -oN nmap-ports.txt
nmap -sC -sV -p443 <target_site_LINK> -oN nmap-sC-sV.txt

I put -p443 in the second scan because I ran the scans separately, and only one port came back OPEN. Guess which one it was?

The NMAP scans weren't as fruitful as the GoBuster scan this time!

GoBuster

gobuster dir -u <target_site_LINK> --wordlist /your/choice/of/wordlist -o gbstr-DRenum-m.txt

This sprayed us with many kinds of endpoints, some of which were unavailable or hidden to us. The most important one was /login.

This one was an admin only login portal. Guess what we are gonna do next?

EXPLOITATION

Now that we have something solid to act upon, my last-resort tool (and it really is a last-resort tool), HYDRA, is brought in to act on my behalf.

Don't worry! You're welcome to try all sorts of things first. It's good practice: it opens your mind to options you wouldn't usually consider.

Try things like SQL injection, XSS, or anything else you can think of.

FLAG 0

But before that, I suggest you either check the Elements tab in the browser Dev-Tools, or intercept the login request in Burp Suite or Caido, whichever you prefer.
The form field names and the failure message you see there WILL be needed to set up our hydra brute-force.

hydra -L rockyou.txt -P rockyou.txt https-post-form <targ_site_LINK_without_HTTP(S)> "login/:username=^USER^&password=^PASS^:F=Invalid username"

In this particular case, this command will be needed twice: once for possible usernames, then once more for the password.
WHY? Because the response differs between a wrong username and a wrong password. It's a 2-step process: the first step is the username check, the second is the password check.

hydra -L <usrnm> -P rockyou.txt https-post-form <targ_site_LINK_without_HTTP(S)> "login/:username=^USER^&password=^PASS^:F=Invalid password"

This should get you in, and the moment you do, you are greeted with flag0.
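Why the two hydra passes work at all comes down to the login telling you which field was wrong. As an added illustration (my own code, not the challenge's), here is a toy login handler with the "Invalid username" / "Invalid password" behaviour the writeup relies on, next to one that answers identically for unknown and known users, and a check that mirrors hydra's first pass to show which of the two leaks account names. The user table, the password, the salt and the hashing parameters are all constructed for the demo.

```python
"""Added example, not from the Petshop Pro writeup: a login that reveals
which field was wrong, versus one that does not, and why the first one
lets a username list be confirmed before any password is guessed.
The user store, password and hashing choices are hypothetical."""
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept low only to keep the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user table: one admin with a deliberately weak (made-up) password.
_SALT = b"constructed-static-salt"
USERS = {"admin": hash_password("pupp1es", _SALT)}

# Dummy hash so the uniform handler does the same work whether the user exists or not.
_DUMMY = hash_password(os.urandom(8).hex(), _SALT)


def login_verbose(username: str, password: str) -> str:
    """The behaviour the writeup describes: the message names the field that failed."""
    stored = USERS.get(username)
    if stored is None:
        return "Invalid username"
    if not hmac.compare_digest(stored, hash_password(password, _SALT)):
        return "Invalid password"
    return "Welcome"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message and roughly equal cost for unknown and known users."""
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, hash_password(password, _SALT))
    if username not in USERS or not ok:
        return "Invalid credentials"
    return "Welcome"


def usernames_leaked(candidates, handler) -> set:
    """Mirrors hydra's first pass: a candidate counts as 'confirmed' when the
    failure message for it differs from the one for a name that cannot exist."""
    baseline = handler("no-such-user-" + os.urandom(4).hex(), "wrong")
    return {u for u in candidates if handler(u, "definitely-wrong") != baseline}
```

Against login_verbose the check confirms "admin" from a list of guesses without touching a password; against login_uniform it confirms nothing, which is the property that makes the first hydra pass pointless. Rate limiting or lockout on top is a separate control; this only removes the oracle.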

FLAG 1

This one is more or less something to be found on its own. I did it my way; you should mention how you did yours!

Now that I am in, I tried to make a purchase, but it still failed. It did, just for show, display my purchase. BUT, now that I am admin, I can most certainly EDIT prices.
Which I did! I changed the price of one of the items to zero (0). That did the trick!

Got my flag1! There's another way to find this flag, but I won't mention it now!

YOU have to find it. If you can, after reading this, then DO comment on how you found it! (HINT: something you DO after eating food)

Try to get the reference.
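The checkout in this level accepts a zero-priced purchase, and a price can reach zero either through the admin edit the writeup uses or through anything else that feeds the checkout a number the server did not compute itself. As an added example (my own code, not the challenge's), here is a checkout that trusts the submitted cart, beside one that recomputes the total from the server-side catalog and refuses free items, plus a price edit that enforces the admin role and a positive floor. The catalog, cart shape, roles and audit log are hypothetical.

```python
"""Added example, not from the Petshop Pro writeup: a checkout that accepts
whatever price it is handed, versus one that only trusts its own catalog.
Catalog contents, cart shape, roles and the audit list are hypothetical."""
from decimal import Decimal

# Constructed catalog: item id -> price. A real shop would read this from its database.
CATALOG = {"kitten": Decimal("9.99"), "puppy": Decimal("14.50")}
AUDIT_LOG = []  # (role, item, old_price, new_price); stands in for a real audit trail


def checkout_trusting(cart):
    """Vulnerable shape: the total is whatever the submitted cart says it is.
    cart = [{"item": ..., "qty": ..., "price": ...}] exactly as the browser sent it."""
    total = sum(Decimal(str(line["price"])) * line["qty"] for line in cart)
    return {"approved": True, "total": total}


def checkout_server_side(cart, catalog=CATALOG):
    """Hardened: ignore any client-supplied price, look every item up, validate
    quantities, and treat a non-positive price or total as an error, not a sale."""
    total = Decimal("0")
    for line in cart:
        item, qty = line.get("item"), line.get("qty")
        if item not in catalog:
            return {"approved": False, "reason": f"unknown item {item!r}"}
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            return {"approved": False, "reason": f"bad quantity for {item!r}"}
        if catalog[item] <= 0:
            # A zero or negative catalog price is a data-integrity problem, not a bargain.
            return {"approved": False, "reason": f"non-positive price for {item!r}"}
        total += catalog[item] * qty
    if total <= 0:
        return {"approved": False, "reason": "empty cart"}
    return {"approved": True, "total": total}


def edit_price(item, new_price, actor_role, catalog=CATALOG, audit=AUDIT_LOG):
    """Admin price edit with the two checks the zero-price trick depends on
    being absent: a role check and a floor that refuses a free item."""
    if actor_role != "admin":
        return {"ok": False, "reason": "only admins may edit prices"}
    new_price = Decimal(str(new_price))
    if new_price <= 0:
        return {"ok": False, "reason": "price must be positive"}
    audit.append((actor_role, item, catalog.get(item), new_price))
    catalog[item] = new_price
    return {"ok": True, "price": new_price}
```

The submitted "price" field is simply never read by checkout_server_side, so it does not matter what a browser, an intercepted request or an earlier admin edit put there; and because edit_price logs every change, a price that did legitimately reach zero is at least visible afterwards.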

FLAG 2

This flag is the real reason for what I suggested at the top: be OPEN to all options. Don't get fixated, at least not in the beginning stages.

This flag was INDEED an XSS. But I had to check the hints for this flag, and upon reading them, I felt embarrassed... a lot!

The hints suggested it was a STORED XSS. But I was so fixated on finding a REFLECTED XSS or SQLi that I totally forgot to even consider it. Never do that!

This stored XSS was pretty easy to find once you know it IS there. Because we are logged in as ADMIN right now, we can edit item data. This is where it lies!

If you enter a script in the item name field, such as:

<script>alert('XSS')</script>

I kept trying to get it REFLECTED, but all I had to do was add the item with the payload in its name to the cart, then check the cart! The stored XSS payload gets executed there.

You do that and you get yourselves a sweet flag2.
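The bug is on the cart page, not in the edit form: the stored item name is written into the HTML exactly as saved. As an added example (my own code, not the challenge's), here is a cart renderer that reproduces that failure beside one that entity-encodes at output time, covering both the text cell and an attribute value. The HTML layout and the second item name are constructed; the first item name is the payload from the writeup.

```python
"""Added example, not from the Petshop Pro writeup: rendering a cart whose
item names come from a database an admin can edit. render_cart_unsafe shows
the stored XSS; render_cart_safe encodes at the point of output.
The page structure is hypothetical."""
import html

# Constructed cart contents; the first name is the payload from the writeup,
# the second exercises quotes and an ampersand in a benign name.
CART = [
    {"name": "<script>alert('XSS')</script>", "price": "0.00"},
    {"name": 'Puppy "Rex" & friends', "price": "14.50"},
]


def render_cart_unsafe(cart):
    """Stored XSS: the name lands in the page exactly as it sits in the database,
    both in a text cell and inside a single-quoted attribute."""
    rows = "".join(
        f"<tr><td>{line['name']}</td><td>{line['price']}</td>"
        f"<td><input name='item' value='{line['name']}'></td></tr>"
        for line in cart
    )
    return f"<table>{rows}</table>"


def render_cart_safe(cart):
    """Same page with HTML entity encoding applied where the value is written.
    quote=True also encodes ' and ", which is what protects the attribute."""
    rows = "".join(
        f"<tr><td>{html.escape(line['name'], quote=True)}</td>"
        f"<td>{html.escape(str(line['price']))}</td>"
        f"<td><input name='item' value='{html.escape(line['name'], quote=True)}'></td></tr>"
        for line in cart
    )
    return f"<table>{rows}</table>"


def contains_raw_script(markup: str) -> bool:
    """Crude check used here only to contrast the two renderers; a real test would
    parse the markup rather than search for one tag."""
    return "<script" in markup.lower()
```

The stored value is left untouched in both versions; the fix is encoding on every output path that shows the name (cart, order history, admin list), not filtering the edit form, since the admin who saved the name is exactly the person the filter would trust.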
