# Linxz' Blog

## Still trying to think of something witty, I will let you know once I get something...

22 November 2019 | 4 minutes to read

Tags: web

# Introduction

I’ve been solving the Hacker101 Web Challenges recently for A. private invites and B. just to practice my web-app pen-testing skills since I am moving more into web since doing the OSCP. I thought I’d make some writeups of all the challenges I’ve solved since it’s a good learning experience for me & others.

## Micro-CMS v1

We’ll start with Micro-CMS 1 and then we will continue on to Micro-CMS 2 in the same post. Micro-CMS 1 is made up of 4 flags, it’s a relatively easy challenge but nonetheless we’ll go through how I solved it.

### Flag0

When we first open the application we see there’s already two pages “Testing” and “Markdown Test” we also see a link which allows us to create a new page, since the two testing pages don’t seem to have anything we will create a new page. Once we create the page and fill it with whatever we like, we can view the page and we notice that the url for the page is /page/9.

TODO: Insert Image here

If we check the pageID for the other two pages they are /page/1 and /page/2. This would imply that somewhere in between there are more pages. So now we are going to try and view pages 3, 4, 5, 6, 7 & 8 - we could script this and check the response but since there aren’t many we will just do it manually. When visitng pages 3, 4, 5, 6 & 8 we get a 404 error, so we know that’s not what we are looking for.

TODO: Insert Image here

However, when we visit page 7 we get a 403 error, which of course is a Forbidden, so we now can assume that it is page 7 we want to access. When we visit a post there is a hyperlink for us to be able to edit the page, so what we will do is go to the page we just created, press edit and now we will change the /page/edit/9 to /page/edit/7 and surprise, surprise - we get the flag! Easy, right?

### Flag1

If we visit /page/1 let’s try and simply put a ' at the end so the link becomes /page/1' as you can see we unfortunately just get a 404 error.

TODO: Insert Image here

How about we try and use the /page/edit endpoint from before and do the same. So the link we visit now becomes /page/edit/1' and there we go the SQLi worked and we got the flag.

### Flag2

We still have not messed around with injection attacks on the post input boxes such as title & contents. Lets try a few things there, the first thing that should come to mind is XSS, let’s try and put an XSS payload in both the title & the contents and see what happens.

Let’s edit the first page and change the title of the post to <script>alert('xss')</script> and also put the same in the contents of the page and see what happens. When we save it & view it in the page, nothing happens let’s however try going back to the home page and when we go back we should get the next flag.

TODO: Insert Image here

### Flag3

Now that we know XSS works in the application, let’s try an XSS in the 2nd post that was already on the application, again we’re going to try an XSS but this time we are going to use an XSS that happens on a JS event, in this case I’m just going to create a button and then use onclick to trigger the XSS. So in the body of the page we are going to write <button onclick=alert(1)>Some Button</button> and hit save.

TODO: Insert Image here

Now we’re going to click the button and the alert should appear but… No flag! Let’s look in the source of the page to see what happened since we know the XSS does work. If we check the source we actually see that the flag gets put inside of our button we created, nice!