HackerOne CTF: Micro CMS v1

TL;DR
I enjoy reading articles about bug bounties. They’re extremely interesting. I find it fascinating how easy it can be to find bugs in a system, and sometimes the technical details are so confusing that I can’t even follow them. But I have been shying away from bug bounties for too long, and I have decided to get started. To get started, I have enrolled on HackerOne and I am going through their CTF for some practice. I will be publishing the CTF solutions here for beginners who might need a nudge.
CTF URL: https://ctf.hacker101.com/ctf
A little something to get you started
This is a trivial challenge, as the name suggests. If you have any knowledge of web technologies you should be able to go through this within a minute.
Steps to attack
1. Start the challenge
2. You should see a web page that reads “Welcome to level 0. Enjoy your stay.”
3. Right-click on the page and go to view the page source
4. You should see the HTML code for the page. In that code, there is a reference, url("background.png"), to the background image.
5. Copy that file name, background.png, and append it to the URL of the welcome page.
6. Your URL should look something like this:
https://7bbdf75cf337a52254af095158c9543b.ctf.hacker101.com/background.png
and you should see the flag on that page.
Micro CMS v1
This is an easy challenge. It contains 4 flags that you can find in different places, and it involves simple web vulnerabilities such as XSS and IDOR.

Steps to attack
1. Start the challenge
2. You should see a page with 3 links, `Testing`, `Markdown Test`, `Create a new page`
Flag 1
1. Click on `Create a new page`
2. You should see a page where you can add a title and content; fill them in, then click create
3. Look at the URL of the new page. It ends with a numeric index, e.g.,
https://31f2d2953d58f9ac05d32e6f6953c859.ctf.hacker101.com/page/10
4. Go to “Edit Page” and notice that pages 3 to 9 are skipped and the new page is indexed 10
5. Try all the other pages by editing the index in the URL. This vulnerability is called Insecure Direct Object Reference (IDOR): the application uses the identifier from the URL without checking whether the user is allowed to access that object, so a user can reach pages that they shouldn't otherwise have access to.
6. The flag will be displayed when you reach page 7, i.e.,
https://31f2d2953d58f9ac05d32e6f6953c859.ctf.hacker101.com/page/edit/7
Flag 2
1. Click the Testing page and go to “Edit this page”
2. The title section is vulnerable to simple reflected XSS
3. Edit the title to <h1>Testing</h1>
4. Click save then “Go home”
5. The flag will be reflected on the home page as an alert
Flag 3
1. This is a URL manipulation vulnerability. Click on any page.
2. Go to the “Edit this page” page
3. Add a closing quote to the end of the URL so that it looks something like this:
https://31f2d2953d58f9ac05d32e6f6953c859.ctf.hacker101.com/page/edit/10'
PS: Notice the quote at the end of the URL
4. The flag will be revealed
Flag 4
1. The vulnerability here is that <script> is filtered, but attributes inside <> tags are not. This is again a simple XSS. Open the “Edit Markdown” page
2. Where there is a button tag, replace it with the following:
<button onclick="alert('xss')">Some button</button>
3. Save the page and right-click to view the page source
4. The flag will be revealed
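The filtering gap behind Flag 4, seen from the defender's side, as an added example that is not part of the original post or the challenge's code: a blocklist that only strips <script> next to an allowlist sanitizer that drops every attribute it does not explicitly permit. The function names, the tag and attribute allowlists, and the sample input are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed shape of the weak filter described above: it removes <script> tags
# but passes every other tag, and every attribute, through unchanged.
def blocklist_filter(html: str) -> str:
    return re.sub(r"</?script[^>]*>", "", html, flags=re.IGNORECASE)

# Hardened form: re-emit only allowlisted tags and attributes, and
# HTML-encode all text. Anything not listed here is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "h1", "h2", "ul", "ol", "li", "a", "button"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?://|/)", re.IGNORECASE)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (including <script>) is not re-emitted
        kept = []
        for name, value in attrs:
            # Event handlers such as onclick are never on the allowlist.
            if name in ALLOWED_ATTRS.get(tag, set()) and value and SAFE_URL.match(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text can never become markup

def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, modelled on the button from the Flag 4 steps.
SAMPLE = '<button onclick="alert(\'xss\')">Some button</button><script>alert(1)</script>'

if __name__ == "__main__":
    print(blocklist_filter(SAMPLE))  # handler attribute survives the blocklist
    print(sanitize(SAMPLE))          # handler attribute and script tag are gone
```

In a real application, a maintained sanitizer library or consistent output encoding is preferable to a hand-written parser; the point here is only the difference between blocking one tag and allowing a known-safe set.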
That is all for today. If you made it to the end, I hope you found it helpful. I will be publishing more, and if you have an interest in web application security and bug bounties, please follow through.