What

This is a small PHP site with private/public posts.

Home page

Difficulty: Easy

Flag0

Hint0: The person with username "user" has a very easy password

Check 500-worst-passwords.txt in danielmiessler's SecLists and the second password will give you the first FLAG.

No brute forcing needed.

Sign in on /index.php?page=sign_in.php and use the credentials user and password.

Sign in

FLAG

Flag1

Hint0: Try viewing your own post and then see if you can change the ID

Open My profile.

My profile

Check the address bar: what is id=c? It is our user ID. Let’s play with that.

id=a

id=b

Bingo, id=b shows us the admin user’s profile with a private blog post on page /index.php?page=view.php&id=2

Let’s open it and collect a FLAG.

FLAG1

Flag2

Hint0: You should definitely use "Inspect Element" on the form when creating a new post

Click on Write a new post link to open page /index.php?page=create.php.

New post

Check the source of the page with the form. Notice the hidden input with name="user_id" and the hard-coded value="2".

Form source

Let’s see how our form works in Burp!

First test is to create a public post:

T1 public form

T1 public Burp

Parameters passed to create.php are:

title=test1title&body=test1content&user_id=2

T1 post created

Create a private post too:

T2 post form

T2 post Burp

Parameters are now:

title=test2title&body=test2content&private=on&user_id=2

T2 post created

In Burp, we can simply modify POST request parameters before they are sent to the server. Let’s create another post and tamper with it a bit :)

T3 post form

T3 post Burp before edit

For profile ID, the page used letters. User ID for user was c, which is the third letter. User ID of admin was b, which is the second.

In the request, we see numbers as user_id. 2 is the third number (0, 1, 2), so how about trying user_id=1?

Edit user_id=2 to user_id=1 in the intercepted POST request and hit Forward.

T3 post Burp edited

Just another FLAG!

T3 post created - FLAG

Flag3

Hint0: 189 * 5

So far, our known pages are:

Site map

Functional pages:

  • account.php
  • create.php
  • delete.php
  • edit.php
  • profile.php
  • sign_in.php
  • sign_out.php
  • view.php

Posts can be read on view.php&id=1..6

Common question: What else is there?!

Remember, posts are created on pages indexed by numbers. The hint contains numbers.

At this point, speculating that we will find our FLAG at /index.php?page=view.php&id=945 might be the quick solution.

FLAG = 945

I’ve struggled ~2 hours with ffuf to FUZZ the id parameter in the request, without luck. I’ll try that later.

There may be a bunch of wordlists containing numbers only, but, to save time, let’s create our own containing numbers from 0 to 1000. Find more here or here.

#!/usr/bin/python3
# Write the numbers 0..1000, one per line, to numbers.txt for use as a wordlist.
with open('numbers.txt', 'w') as df:
    # range's upper bound is exclusive, so 1001 is needed to include 1000
    for i in range(0, 1001):
        df.write(f'{i}\n')

Open a text editor, insert the above and save as numbers.py.

Add permission for execution with

chmod +x numbers.py

and run with

python3 numbers.py

I beg your pardon for the dirty little Python script above, not the most elegant solution. But, as my supervisor once said: “a working program is better today than a perfect one tomorrow” :)

I gave Burp Intruder a shot, just for the sake of it.

Enable Intercept on Proxy tab and refresh page with the first post. Right click on the request and select Send to Intruder.

Send to Intruder

On the Positions tab, clear all payload positions with Clear § on the right and select only the value of id parameter (here: 1). Click Add §.

Select payload position

Burp Suite Community Edition is free, but Intruder is extremely slow due to throttling. So, I’ve created a shorter wordlist, containing only [1,2,3,4,5,6,7,8,9,945].

Switch to Payloads tab and load a wordlist under Payload Options [Simple list] using the Load… button.

Load wordlist

We’re all set, hit Start attack on the top right corner.

Intruder results

Great, at least that worked. Check Request 1 where Payload is 1.

Response 1 - raw

A bit ugly, how about switching to Render tab? Much better.

If you check the results, you’ll see that all the pages with a Post not found response have the same length, 1500. The status code is 200 in every case, so the response length is what tells a hit from a miss.

Post not found - rendered

Okay, get the FLAG by checking Request 10 with Payload 945:

Get the FLAG
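The flip side of the id enumeration above is spotting it in the server logs. The following is an added example (not part of the original write-up) that parses constructed Apache-style access log lines and flags a client that requests many distinct view.php ids, or that keeps receiving the 1500-byte "Post not found" page the Intruder results revealed. The status code is 200 for missing posts, so the detection keys on the response size rather than on 404s; the IP addresses, timestamps and the 1500-byte threshold name are all constructed here.

```python
"""Detect post-id enumeration against view.php in an access log.

Added example, not the challenge's code.  The log lines are constructed;
the 1500-byte body size for "Post not found" is the figure observed in the
Intruder run described above.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
NOT_FOUND_SIZE = 1500  # body length of the "Post not found" page (assumed constant)

# Constructed sample: one client walks ids 1,2,7..11 and 945; another just reads a post.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=view.php&id=1 HTTP/1.1" 200 2310
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=view.php&id=2 HTTP/1.1" 200 2105
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=view.php&id=7 HTTP/1.1" 200 1500
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=view.php&id=8 HTTP/1.1" 200 1500
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=view.php&id=9 HTTP/1.1" 200 1500
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=view.php&id=10 HTTP/1.1" 200 1500
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=view.php&id=11 HTTP/1.1" 200 1500
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=view.php&id=945 HTTP/1.1" 200 2422
192.168.1.20 - - [01/Jan/2024:10:05:00 +0000] "GET /index.php?page=view.php&id=3 HTTP/1.1" 200 2210
192.168.1.20 - - [01/Jan/2024:10:05:30 +0000] "GET /index.php?page=profile.php&id=c HTTP/1.1" 200 1800
"""


def parse_line(line):
    """Return the fields we care about, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["path"]).query)
    return {
        "ip": m["ip"],
        "page": query.get("page", [""])[0],
        "id": query.get("id", [None])[0],
        "status": int(m["status"]),
        "size": int(m["size"]),
    }


def find_enumeration(log_text, distinct_threshold=5, miss_threshold=3):
    """Per client IP, count distinct view.php ids and 'Post not found' sized
    responses; return only the clients that cross either threshold."""
    per_ip = defaultdict(lambda: {"ids": set(), "misses": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["page"] != "view.php" or rec["id"] is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["ids"].add(rec["id"])
        if rec["status"] == 200 and rec["size"] == NOT_FOUND_SIZE:
            stats["misses"] += 1
    return {
        ip: {"distinct_ids": len(s["ids"]), "not_found": s["misses"]}
        for ip, s in per_ip.items()
        if len(s["ids"]) >= distinct_threshold or s["misses"] >= miss_threshold
    }


if __name__ == "__main__":
    for ip, stats in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {stats['distinct_ids']} distinct ids, {stats['not_found']} not-found pages")
```

Because the application answers a missing post with HTTP 200, a rule that only counts 4xx responses would see nothing here; keying on a fixed "not found" body size (or, better, having the application log the miss explicitly) is what makes the enumeration visible.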

Flag4

Hint0: You can edit your own posts, what about someone else’s?

After you log on with the user / password credentials from Flag1, you can see two posts on the Home page.

One of them can be edited; the other’s author is admin. Open the Hello everyone! post for view.

View post 3

The id=3 at the end of the URL identifies the post. Get back to Home page and open the other post by admin.

View post 1

It has id=1. Let’s open the post Hello everyone! for editing and change the id from 3 to 1 (and hit enter):

Edit post 3

Edit post 1

Change something and then Save post.

Modify post 1

A new FLAG:

FLAG
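Flag1, Flag2 and Flag4 are all the same class of bug: the server trusts an identifier supplied by the client (a profile id, a hidden user_id field, a post id in the edit URL) without checking who the logged-in user is. The following is an added example, not the challenge’s own PHP, modelling the fix in Python: a hypothetical PostStore that takes the owner from the server-side session, ignores any user_id in the form, and answers “Post not found” for a private post that does not belong to the requester. The user ids (admin=1, user=2) are the ones seen on the page; the post titles and bodies are constructed.

```python
"""Ownership checks for a private/public posts app.

Added example, not the challenge's code.  It shows the server-side rules that
would have closed Flag1 (viewing another user's private post), Flag2 (hidden
user_id field) and Flag4 (editing another user's post).
"""
from dataclasses import dataclass, field


@dataclass
class Post:
    post_id: int
    owner_id: int
    title: str
    body: str
    private: bool = False


@dataclass
class PostStore:
    posts: dict = field(default_factory=dict)
    next_id: int = 1

    def create(self, session_user_id: int, form: dict) -> Post:
        """session_user_id comes from the authenticated session.  The form is
        whatever the browser (or Burp) sent; a user_id field in it is ignored."""
        post = Post(
            post_id=self.next_id,
            owner_id=session_user_id,  # never int(form["user_id"])
            title=form["title"],
            body=form["body"],
            private=form.get("private") == "on",
        )
        self.posts[post.post_id] = post
        self.next_id += 1
        return post

    def view(self, session_user_id: int, post_id: int) -> Post:
        post = self.posts.get(post_id)
        if post is None or (post.private and post.owner_id != session_user_id):
            # Same answer for "missing" and "not yours": do not confirm that a
            # private post with this id exists.
            raise LookupError("Post not found")
        return post

    def edit(self, session_user_id: int, post_id: int, new_body: str) -> Post:
        post = self.view(session_user_id, post_id)  # reuse the visibility rule
        if post.owner_id != session_user_id:
            raise PermissionError("Not your post")
        post.body = new_body
        return post

    def delete(self, session_user_id: int, post_id: int) -> None:
        post = self.view(session_user_id, post_id)
        if post.owner_id != session_user_id:
            raise PermissionError("Not your post")
        del self.posts[post_id]


def demo() -> dict:
    """Replay the three tampering attempts from the write-up against the store."""
    ADMIN, USER = 1, 2  # ids from the page: admin is 1, user is 2
    store = PostStore()
    private_post = store.create(ADMIN, {"title": "Hello world", "body": "secret", "private": "on"})
    public_post = store.create(ADMIN, {"title": "Hello everyone!", "body": "hi"})
    # Flag2: the form claims user_id=1, the session says 2; the session wins.
    tampered = store.create(USER, {"title": "test3title", "body": "test3content", "user_id": "1"})

    results = {"tampered_owner": tampered.owner_id}
    try:  # Flag1: user asks for admin's private post
        store.view(USER, private_post.post_id)
        results["view_private"] = "allowed"
    except LookupError:
        results["view_private"] = "denied"
    try:  # Flag4: user edits admin's public post
        store.edit(USER, public_post.post_id, "changed")
        results["edit_other"] = "allowed"
    except PermissionError:
        results["edit_other"] = "denied"
    results["owner_edit"] = store.edit(ADMIN, public_post.post_id, "updated").body
    return results


if __name__ == "__main__":
    print(demo())
```

The important detail is that `edit` and `delete` go through `view` first, so an id that the requester may not even see never reaches the ownership comparison and the error message does not leak whether the post exists.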

Flag5

We already know from Flag1, that we can view admin’s profile by changing id=c to id=b.

Logged in as user, open developer tools, switch to Application tab and select the website’s cookies on the left, under Storage.

Cookies user

Our user has c81e728d9d4c2f636f067f89cc14862c as id. It’s a hash, so we need to reverse it. I’ve used this page for the task; the result is 2. Remember Flag2? This is our user_id.

Decrypt id=2

We can edit cookie values with the browser’s developer tools, but first we need the md5 hash value of 1. Our friend is the terminal.

echo -n 1|md5sum

md5sum id=1

Sign out from the page. Cookies will be flushed.

Empty cookies

Right-click on the area where cookies would be listed and select Add new.

Add new cookie

Use id as Name and c4ca4238a0b923820dcc509a6f75849b as value.

Add new cookie 2

Click Home and you can see your new FLAG, logged in as admin.

FLAG

Admin profile

We can also use Burp to intercept the requests and tamper with the cookies before forwarding them.

Flag6

Hint0: Deleting a post seems to take an ID that is not a number. Can you figure out what it is?

Deleting a post will pass the post id to /index.php?page=delete.php page as a hashed value.

Delete post id hash

We can guess from the same post’s edit link in the above line (/index.php?page=edit.php&id=4) that the hashed value is the hash of 4, but to be sure, I’ve checked it on this page:

Delete post id decrypted

Let’s delete Admin’s Hello world post, which has id=1. Using the command from the previous Flag:

echo -n 1|md5sum

Our URL will be:

/index.php?page=delete.php&id=c4ca4238a0b923820dcc509a6f75849b

… resulting in the last FLAG!

FLAG6
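Flag5 and Flag6 both work because the site uses an unsalted md5 of a small integer as if it were a secret: anyone can compute md5("1") and become admin, or build the delete link for any post. The following is an added example, not the challenge’s code, that shows how little the hash protects (the preimage of the cookie value falls out of a loop over a few thousand integers) and what a minimally hardened token looks like: an HMAC over the user id with a server-side secret, checked with a constant-time comparison. The two md5 digests are the cookie values seen on the page; the HMAC cookie format and the hypothetical server secret are assumptions of this example.

```python
"""md5(user_id) as a cookie versus an HMAC-signed cookie.

Added example, not the challenge's code.  The md5 digests match the cookie
values observed on the page; the signed-cookie scheme is a hypothetical fix.
"""
import hashlib
import hmac
import secrets


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def reverse_small_int_md5(digest: str, limit: int = 10_000):
    """Find the integer whose unsalted md5 equals digest, if it is below limit.
    With an input space this small the hash hides nothing; this is what the
    online lookup used in the write-up does with a precomputed table."""
    for i in range(limit):
        if md5_hex(str(i)) == digest:
            return i
    return None


# Hypothetical server-side secret.  Generated at startup here; a real deployment
# keeps it in configuration and rotates it, and it never reaches the client.
SECRET = secrets.token_bytes(32)


def issue_cookie(user_id: int, key: bytes = SECRET) -> str:
    """Cookie = "<user_id>.<hmac-sha256 tag>".  The id stays readable, but the
    tag cannot be produced without the key, so swapping 2 for 1 fails."""
    tag = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def verify_cookie(cookie: str, key: bytes = SECRET):
    """Return the user id if the tag is valid, otherwise None."""
    user_id, sep, tag = cookie.rpartition(".")
    if not sep or not user_id.isdigit():
        return None
    expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return int(user_id)


def forged_cookie_rejected(key: bytes = SECRET) -> bool:
    """Replay the Flag5 trick (change the id in the cookie) against the signed scheme."""
    genuine = issue_cookie(2, key)
    forged = "1." + genuine.split(".", 1)[1]  # admin's id with user's tag
    return verify_cookie(genuine, key) == 2 and verify_cookie(forged, key) is None


if __name__ == "__main__":
    print(md5_hex("1"), reverse_small_int_md5(md5_hex("1")))
    print("forged cookie rejected:", forged_cookie_rejected())
```

Even the signed cookie still tells the browser which user id it holds; a random session identifier looked up server-side avoids that entirely, and the same reasoning applies to the delete link: an md5 of the post id is not authorization, the ownership check on the server is.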

Takeaway(s)

  • Look for easy-to-guess passwords
  • Check if you can tamper with input parameters (hidden form fields, ids in URLs, cookies)
  • Broken access control (can view, edit and delete other users’ private content)
  • Use automated scanning to check for missed pages (due to a high page id or other weird stuff)
  • Weak, reversible obfuscation (unsalted md5 of small integers) used in
    • the cookie for authentication
    • the id to obfuscate the delete link