My first CTF write up — HackerOne (Hacker101 Micro CMS v1)

4 years ago 199
William Vivas

On my journey into infosec, I came across the platform called “HackerOne”. With a name like that, I knew I was in the right place. HackerOne graciously provided a platform to practice my web application penetration testing skills. Armed with my knowledge of web development, I dove into an attempt at my first Web Application CTF.

Platform: Hacker101

CTF Name: Micro CMS v1

Opening page:

On the first load of the application, I saw functionality to create and edit posts. I saw that the user has the ability to alter the pages, and how the user could interact with the application. I started my methodology by mapping the whole web app, looking for points of vulnerability.

Flag 0:

The first flag was found in the ability to edit a page that the user did not create. The pages were created with the path “/page/10”. I then began manually decrementing the page number in the URL. I saw that page 6 fed me back a forbidden response. I then realized that the URL path to edit the posts was similar to that of the page index and that I should attempt to alter the forbidden page. This revealed flag 0.
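
The gap behind flag 0 is an access check applied on the view route but not on the edit route. The sketch below is an added example, not code from the CTF or from the original write-up; the in-memory `PAGES` data, the handler names and the `can_access` rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Page:
    owner: str
    private: bool
    body: str

# Constructed sample data: page 6 is private and owned by someone else.
PAGES = {
    6: Page("admin", True, "private notes"),
    10: Page("guest", False, "my first post"),
}

def can_access(user, page):
    """One authorization rule shared by every route that returns page data."""
    return (not page.private) or page.owner == user

def view_page(user, page_id):
    """View route (/page/<id>): enforces the rule, so page 6 is forbidden."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, "Not Found"
    if not can_access(user, page):
        return 403, "Forbidden"
    return 200, page.body

def edit_form_vulnerable(user, page_id):
    """Edit route without the check: the body is served in the edit form."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, "Not Found"
    return 200, page.body

def edit_form_hardened(user, page_id):
    """Edit route with the same check applied before any data is returned."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, "Not Found"
    if not can_access(user, page):
        return 403, "Forbidden"
    return 200, page.body

def inconsistent_pages(user, edit_handler):
    """Regression check: ids where viewing is denied but editing is served."""
    return [pid for pid in sorted(PAGES)
            if view_page(user, pid)[0] == 403
            and edit_handler(user, pid)[0] == 200]
```

Running `inconsistent_pages` against every handler that touches the same object makes a good regression test, since it fails as soon as one route drifts from the shared rule.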

Flag 1:

I gained this flag by altering the “edit” <a> tag HTML element. I originally attempted a directory traversal up the server to no avail. I then altered it to take “`” as the hyper reference. This revealed a page housing flag 1.

Flag 2:

With the knowledge that input is not sanitized, I decided to try my hand at a simple XSS payload. I embedded an alert into a script tag and fired it off. This revealed flag 2.

Flag 3:

On examination of the edit page, it was revealed that the edit form had the ability to render HTML elements and that elements could be altered in said form. I then crafted a button tag to render a button that had an on-click function. This revealed flag 1 in the dev tools.

In conclusion, I must say this was a beneficial exercise to jump into the world of Web Application CTFs. I will be honing my skills further on this platform.

Happy Hacking!

-c1t0_ba5h