L2 — Micro-CMS v2

scissor_seven
3 min read · Jul 26, 2024


This CTF is not as easy as you think!

>> Sudhanshu Chatterjee | Jul 17th ‘24

No. of Flags to Find : 3 | Skills Required : Web

Although it says moderate, it is definitely not moderate!

1. curl — Something That I didn’t Expect

Based on our basic observations from running a directory enumeration (gobuster), we find a few things, such as:

  • Editing page requires to BE an admin, not to be THE admin.

I made a curl request with -X (--request <method>) to one of the pages available to a public user, and, call it luck or anything, a flag was revealed at the bottom. Don't forget to use -v. I don't know; when I get tired, I start shooting random things, which is not the way, but like I said, I was tired! 😅

curl -X POST <URL> -v

It has something to do with API calls, which I don't know much about yet, but if you'd like to, you can learn as well, because I am, from Corey J. Ball's book, Hacking APIs.

2. Boolean-Based Blind-Manual SQL Injection

Manual because it's not automated: we try to inject the username parameter, but with a more complicated UNION query, as suggested in the hints.

This is the one where user needs to BE one of the admins, not THE admin!

Which, in any case, is not at all nice! To make things easy, here's the final query, injected in the username parameter:

admin' UNION SELECT 'abc' AS password FROM admins WHERE '1'='1

and enter the value abc in the password parameter.

Once you inject this payload, you are logged in, you get access to the 403 page, and you get the flag!

But if you look at the response in Repeater for this request, you'll see it hints that…

being logged in is ok, but finding real credentials is important too!

In a way, it's true, isn't it? Credentials are key to smoother hacking!

3. The final — Grabbing Creds using Sqlmap or Hydra

Oh, and before we start, the credentials are going to be different every time you attempt the CTF.

Well, that was far more research-oriented than practical. I just read some articles regarding the challenge, and one of them suggested that, if you remember the previous one, they used first names as usernames and passwords. No harm checking those out quickly; it's going to be automated anyway! I found a very common/uncommon names list on the internet.

I ran hydra for brute-forcing. First I checked for usernames, because the correct username gave a different response to an incorrect password. Found it!

Now use the correct username, and this time change the failure response and run hydra again on the same first-name list. Check the output shown and you are slapped in the face with the flag!

This can also be done using sqlmap, but in my case it was not as fast as hydra.

After lots and lots of crawling the internet, I found out that you can also feed your intercepted login request to sqlmap for easier SQL injection. It just takes more time than it should; at least in my case it did!

To proceed with sqlmap, intercept the login request with any credentials, then save that request to a .txt file. It is one of the right-click options.

After that, run this command:

sudo sqlmap -r <saved-file>.txt --level=2 --dump-all --proxy="127.0.0.1:8080"

  • --level : just in case the scan requires a higher level… "scan"! 😅
  • --dump-all : dump everything, all databases and tables
  • --proxy : specify your Burp proxy. It's required; it won't connect to the URL unless this is stated. The value given is mine; set it according to what you have set up.

Next comes the infernal test of patience for an eternity, and if it succeeds in your case, it will give the results as well: the actual admin username and its password!

I know mine took like… FOREVER to do this! I tried hydra later.
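As an added example (not from this write-up or from Hacker101), here is a small Python/sqlite3 model of the login behaviour from sections 2 and 3: a constructed admins table with made-up values, the concatenated query that the quoted UNION payload slips through, and the same check with a bound parameter and a single failure message, which also removes the different-response behaviour that hydra relied on for username guessing. The table name, column names and sample row are assumptions.

```python
import hmac
import sqlite3

# Constructed sample row: the CTF's real admins table is not published.
SAMPLE_ADMINS = [("ophelia", "placeholder-not-the-ctf-secret")]

# The payload from the write-up, entered in the username field.
PAYLOAD = "admin' UNION SELECT 'abc' AS password FROM admins WHERE '1'='1"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SAMPLE_ADMINS)
    return conn


def vulnerable_login(conn, username, password):
    """Login the way the challenge behaves: username concatenated into SQL."""
    sql = "SELECT password FROM admins WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    # Two distinct failure messages: the username oracle hydra exploited.
    if row is None:
        return "Unknown username"
    if row[0] != password:
        return "Invalid password"
    # No 'admin' row exists, so the UNION's 'abc' is the only row returned.
    return "Logged in"


def hardened_login(conn, username, password):
    """Same check with a bound parameter and a single failure message."""
    row = conn.execute(
        "SELECT password FROM admins WHERE username = ?", (username,)
    ).fetchone()
    # The quote is now data, not SQL; one uniform message closes the oracle.
    if row is None or not hmac.compare_digest(row[0], password):
        return "Invalid credentials"
    return "Logged in"


def run_demo():
    conn = build_db()
    return {
        "vuln_payload": vulnerable_login(conn, PAYLOAD, "abc"),
        "vuln_unknown": vulnerable_login(conn, "nobody", "abc"),
        "vuln_badpw": vulnerable_login(conn, "ophelia", "abc"),
        "safe_payload": hardened_login(conn, PAYLOAD, "abc"),
        "safe_unknown": hardened_login(conn, "nobody", "abc"),
        "safe_real": hardened_login(conn, "ophelia", SAMPLE_ADMINS[0][1]),
    }
```

Run `run_demo()` to see the payload log in against the concatenated query but not against the bound one, and the two failure cases collapse to a single message in the hardened version.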

Next CTF >> L3 : L3 — Encrypted Pastebin > Coming Soon…

Hope you enjoyed reading my write-up, and if you did, then do share my story among your peers and friends as much as you can. Let’s spread this knowledge as much as possible.

Be a part of my mission to spread knowledge to all those who need it.

