Hacker101 – Cody’s first blog

Today, I will be doing Cody’s First Blog from Hacker101. This challenge is rated Moderate and has 3 flags to discover.

Flag 0: Found

[Screenshot: home_cody]

From the information given, we know that the blog is written in PHP and that the PHP include() function will be somewhat useful to us. We also have a comment box for submitting comments.

So, the first thing I do after seeing an input box is try XSS injection:

<script>alert('1')</script>

Upon submitting, the input seems to have gone through, but no alert pops up.

[Screenshot: submit]

We can conclude that XSS may not work here. Since the blog is using PHP, why not try submitting some PHP tags to see whether they get executed?

<?php phpinfo()?>

[Screenshot: cody_f0]

That was easy! 😉😉👨🏼‍💻

Flag 1: Found

[Screenshot: underline_cody]

Viewing the page source, we can see that line 19 is commented out. It seems we can access the admin page through that URL ending.

[Screenshot: admin_cody]

What if we change the URL to this, will anything interesting happen?

?page=a

[Screenshot: un_cody]

As we can see, ‘a’ is used as a filename. So, for the first case, ‘admin.auth.inc’, the include call should look like this (what is file inclusion? https://www.w3schools.com/php/php_includes.asp):

include('admin.auth.inc.php');

Therefore, we can conclude that there are 3 files available: ‘admin’, ‘auth’ & ‘inc’. Basically, the developer thought of having all 3 files and including them together to save time and energy. Have you ever played a jigsaw puzzle before? 🤗🤗 That is exactly what I am going to do.

?page=admin
?page=auth
?page=inc
?page=admin.auth
?page=admin.inc
?page=auth.inc

With the ‘admin.inc’ page, we have successfully got into the admin page without authenticating ourselves.

[Screenshot: cody_f1]

It seems that the ‘auth’ page handles the authentication for the admin page. Once we remove the ‘auth’ page from the chain, we can bypass the authentication easily. Not easy but cool! 🤩🤩👨🏼‍💻

Flag 2: Found

Disclaimer: Due to my lack of knowledge and skills, I couldn’t complete this flag on my own. I have tried to put my own understanding into this.

https://github.com/testerting/hacker101-ctf/tree/master/codys_first_blog/flag2

Hints given:

  • Read the first blog post carefully
  • We talk about this in the Hacker101 File Inclusion Bugs video
  • Where can you access your own stored data?
  • Include doesn’t just work for filenames

Back to the error in Flag 1, we missed some important information:

[Screenshot: id_cody]

[Screenshot: error]

A memory error is encountered; the memory is overloaded.

Let’s change the approach: what if we input a URL instead of a ‘filename’, to avoid overloading the memory?

include('index.php');
include('http://localhost/index.php');

For those wondering why putting a URL in the include() function works: https://www.php.net/manual/en/function.include.php

?page=http://localhost/index

[Screenshot: idk]

The script we submitted during Flag 0 is triggered!! 👨‍💻👨‍💻

Let’s try out a bit more:

<?php echo 'happy new year';?>

[Screenshot: more]

We can roughly conclude that we can run anything as long as it is enclosed inside PHP tags. Since we know that, instead of accessing the file through the URL, why not print out the file instead?

<?php echo readfile("index.php")?>

After approving it on the admin page, look at the ‘index’ page again:

[Screenshot: 1502]

“1502” is added!? That number is the return value of readfile(), the count of bytes it read, while the file contents themselves were written straight into the page. Maybe we should go check out the page source.

[Screenshot: cody_f2]

Found the last flag in the source code. 🏳️‍🌈🏳️‍🌈
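All three flags come from the same root cause: a `page` parameter that is appended to `.php` and handed straight to include(), so the requester decides which file (Flag 1) or even which URL (Flag 2) gets executed. As an added example (my own code, not the challenge’s source, which this writeup never shows), here is a reconstruction of that dispatcher next to a hardened version that maps names through an allow-list and enforces the admin check itself rather than through an include chain; the page names and file names are assumed:

```php
<?php
// Added illustration, not the challenge's real source. The file names and
// the session check are assumptions for the sake of the example.

// --- Vulnerable pattern (reconstructed from the writeup; do not deploy) ----
// ?page=admin.inc drops the auth wrapper, and ?page=http://localhost/index
// pulls the rendered blog (stored comments included) in as PHP source.
function vulnerable_dispatch(string $page): void
{
    include($page . '.php');
}

// --- Hardened version ------------------------------------------------------
// 1. Only names in a fixed allow-list map to files: the user never supplies
//    a path, an extension, a dot-separated chain or a URL.
// 2. The authentication requirement lives in the same table, so it cannot be
//    skipped by choosing a different file name.
// 3. allow_url_include stays Off in php.ini (its default), so include() can
//    never fetch a URL even if a check above is ever loosened.
const PAGES = [
    'index' => ['file' => 'index.inc.php', 'auth' => false],
    'admin' => ['file' => 'admin.inc.php', 'auth' => true],
];

function hardened_dispatch(string $page, bool $isAuthenticated): string
{
    if (!isset(PAGES[$page])) {
        http_response_code(404);
        return '404';
    }
    $entry = PAGES[$page];
    if ($entry['auth'] && !$isAuthenticated) {
        http_response_code(403);
        return '403';
    }
    // __DIR__ pins the include to the application directory; with the
    // allow-list above this is a second layer, not the only control.
    include __DIR__ . '/' . $entry['file'];
    return 'ok';
}

// Usage: the same requests the writeup sends, now rejected.
session_start();
$page     = $_GET['page'] ?? 'index';
$loggedIn = !empty($_SESSION['admin']);   // assumed session flag
hardened_dispatch($page, $loggedIn);
// ?page=admin.inc              -> 404 (not in the allow-list)
// ?page=http://localhost/index -> 404 (not in the allow-list)
// ?page=admin, not logged in   -> 403
```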

Anyway, Happy New Year!!! 🎉🎉 Wish you find more bugs in the new year 🦗🐜

Published by bsderek

We are just 2 new authors doing writeups on related cybersecurity topics to educate ourselves. We encourage you to leave a comment in areas where we can improve in terms of skills/knowledge. If we are incorrect in our writeup, please inform us and send us articles to read so we can better educate ourselves. Feel free to leave a comment behind. Hope you have a nice day!! And don’t forget to hack your life away!!! Peace (00)
