Jeffrey Winn's Blog

Assorted thoughts and information of nominal value


(WARNING: ongoing and many outright spoilers!)

Some notes on solving the online Capture The Flag (CTF) challenges from Hacker 101, written while working through them to build more knowledge.

As before, this guide is my working notes and goes challenge by challenge, this time in order.

Trivial (1 / flag)

Flag 1 of 1

Flag is in the referenced PNG file. Pretty simple to find using a source view of the web page or F12 for the Developer’s Tab in Firefox.

Easy (2 / flag)

Flag 1 of 4

This one was a little more tricky, as you would expect.

After some poking around, creating pages and two hints, I found that page/4 could not be read (403). But, just because it can’t be read doesn’t mean it can’t be edited. I used the edit/4 URL and found the flag in the included, original content. Nice.
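The lesson in that flag is that the read route and the edit route enforced different rules. The following is an added example (not code from the original post or from Hacker101) showing one authorization decision reused by both routes, so a page that is 403 on view is also 403 on edit. The users, page ids and the "private" flag are constructed sample data.

```python
# Added example, not code from the original post or from Hacker101: the
# same authorization decision is reused by the view route and the edit
# route, so a page that returns 403 on read also returns 403 on edit.
# Users, page ids and the "private" flag are constructed sample data.
from dataclasses import dataclass


@dataclass
class Page:
    id: int
    owner: str
    private: bool
    body: str


# Constructed store: page 4 is private and belongs to "admin".
PAGES = {
    1: Page(1, "guest", False, "Hello world"),
    4: Page(4, "admin", True, "owner-only notes"),
}


def authorize(user, page_id, store=PAGES):
    """One policy for every route: a private page is only ever returned
    to its owner. Returns (http_status, page_or_None)."""
    page = store.get(page_id)
    if page is None:
        return 404, None
    if page.private and page.owner != user:
        return 403, None
    return 200, page


def view_page(user, page_id, store=PAGES):
    status, page = authorize(user, page_id, store)
    return status, (page.body if page else None)


def edit_page_before(user, page_id, store=PAGES):
    """The flawed pattern: the edit form only checks that the page exists
    and pre-fills it with the current body, so anyone can read it."""
    page = store.get(page_id)
    if page is None:
        return 404, None
    return 200, page.body


def edit_page_after(user, page_id, new_body, store=PAGES):
    """The fixed pattern: the edit form goes through authorize() first."""
    status, page = authorize(user, page_id, store)
    if status != 200:
        return status, None
    page.body = new_body
    return 200, page.body


if __name__ == "__main__":
    print(view_page("guest", 4))             # (403, None)
    print(edit_page_before("guest", 4))      # (200, 'owner-only notes')  <- leak
    print(edit_page_after("guest", 4, "x"))  # (403, None)
```

The point of routing every handler through `authorize()` is that the check cannot drift: a new route that touches a page either calls it or visibly does not, which is easy to spot in review.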

Flag 3 of 4

I guess you don’t get to know which numbered flag you are looking for.

For flag 3, and in the end, after some hints and stumbling around, I created an XSS embedded in a new post and found the flag hidden in the related pop-up. I would not call this “easy”, but there you go. The code I based the XSS on:

<img src="http://url.to.file.which/not.exist" onerror=window.open("http://34.74.105.127","xss",'height=500,width=500');>

Flag 2 of 4

Not 100% on how I got this one, but I basically used the code as above (Flag 3 of 4) in the body and subject of a new post, got a generic Nginx welcome page, and when returning to the index, a popup with a flag.
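Flags 2 and 3 both come down to the post body and subject being echoed into the page without encoding. As an added example (not code from the original post or from Hacker101), here is a small allowlist sanitizer for a post body plus plain escaping for the subject, written with the standard library. The allowed tag set and the sample inputs are my own assumptions; the `PAYLOAD` constant is the `<img onerror=...>` line from the post, kept only as a test input.

```python
# Added example, not code from the original post or from Hacker101.
# The post body is run through an allowlist sanitizer; the subject is a
# plain string and is simply HTML-escaped. Allowed tags are an assumption.
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a"}
ALLOWED_ATTRS = {"a": {"href"}}

# The payload quoted in the post, used here only as a test input.
PAYLOAD = ('<img src="http://url.to.file.which/not.exist" '
           'onerror=window.open("http://34.74.105.127","xss",'
           "'height=500,width=500');>")


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # img, script, iframe, ... are dropped; their text survives
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, etc.
            if name == "href" and not (value or "").lower().startswith(("http://", "https://")):
                continue  # blocks javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack:
                closed = self.stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text nodes are re-escaped, so "<" typed by the user stays text.
        self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.stack:  # close anything the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return HTML containing only allowed tags and attributes."""
    parser = PostSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


def render_subject(subject):
    """The subject is never HTML; escape it for a text context."""
    return html.escape(subject, quote=True)


if __name__ == "__main__":
    print(sanitize("<p>hi</p>" + PAYLOAD))
    print(render_subject(PAYLOAD))
```

Escaping depends on context: `render_subject` is right for a text node, while the `href` branch shows that an attribute needs both quoting and a scheme check. For a production application a maintained sanitizer library is the better choice; the value of writing one out is seeing which decisions (tag allowlist, attribute allowlist, URL scheme) it has to make.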

Flag 4 of 4

This flag turned out to be based on an SQL injection. As another poster noted on the interweb, there was no way to know there even was a database involved here, but the hints do say to try all injection types, including SQL.

In the end, the URL I used to get the flag was:

http://35.227.24.107/a0255779aa/page/edit/13'

…note the single quote. Going back “home” gave me the flag, and we move on.

Moderate (3 / flag)

With authentication introduced to the mix, this required some help from another site on the intraweb.

The key was to submit a SQL injection in the username field with the password being set by that injection:

SELECT password FROM admins WHERE username = '' UNION SELECT "123" AS password from admins WHERE '1' = '1'

…once that was done, a new page showed up titled ‘Private Page’. That’s where I found the first flag.
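Both the stray single quote in Easy flag 4 and the UNION in the username field here exploit the same defect: the user's input is pasted into the SQL text. As an added example (not code from the original post or from Hacker101), the admin lookup below is written once with string concatenation and once with a bound parameter, against an in-memory SQLite table. The table, the admin row and the `INJECTED_USER` string are constructed sample data.

```python
# Added example, not code from the original post or from Hacker101: the same
# admin lookup with string concatenation and with a bound parameter, run
# against an in-memory SQLite table. Table, row and injected username are
# constructed sample data.
import hmac
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    # Plaintext only so the lookup stays readable; a real application
    # stores a password hash (argon2/bcrypt) and compares against that.
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse')")
    return conn


def lookup_password_concat(conn, username):
    """Vulnerable: the username is pasted into the SQL text, so a quote in
    it ends the literal and the remainder is parsed as SQL."""
    sql = f"SELECT password FROM admins WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_password_param(conn, username):
    """Fixed: the username travels as a bound parameter; SQLite never
    parses it, so quotes inside it are just characters."""
    sql = "SELECT password FROM admins WHERE username = ?"
    row = conn.execute(sql, (username,)).fetchone()
    return row[0] if row else None


def login(conn, username, password, lookup=lookup_password_param):
    stored = lookup(conn, username)
    return stored is not None and hmac.compare_digest(stored, password)


def concat_raises_on_quote(conn):
    """A lone quote, as in the post's edit/13' URL, is a syntax error for
    the concatenated query; that error is the signal the post describes."""
    try:
        lookup_password_concat(conn, "13'")
    except sqlite3.OperationalError:
        return True
    return False


# Constructed injection in the style of the post: closes the literal and
# UNIONs in a password value chosen by the caller.
INJECTED_USER = "' UNION SELECT '123' AS password FROM admins WHERE '1'='1"


def demo():
    conn = make_db()
    return {
        "concat_login": login(conn, INJECTED_USER, "123", lookup_password_concat),
        "param_login": login(conn, INJECTED_USER, "123", lookup_password_param),
        "real_login": login(conn, "admin", "correct-horse"),
        "concat_quote_error": concat_raises_on_quote(conn),
        "param_quote_row": lookup_password_param(conn, "13'"),
    }


if __name__ == "__main__":
    print(demo())
```

Two details are worth noticing. The bound parameter turns the injected string into an ordinary username that matches no row, so the login fails instead of returning the attacker's chosen password. And the lone-quote probe, which is a syntax error for the concatenated query, is just another non-matching username for the parameterized one, so the error-message signal the post relied on is gone as well.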

To be continued…
