Quick Note: While I was completing this challenge and taking notes I wasn’t paying attention to the actual flag numbers / hints. So if you’re looking at the flag hints then they may be referring to a different flag than I am.

Micro-CMSv2 was labeled “Moderate” so I will save that for another time. I wanted to see if I can complete the easy challenges prior to moving up.
This one is called Postbook…

Oh okay, makes sense now.
Flag Zero
I guess we should sign up!
This brings us to a page with an interesting password policy:

Before I sign up, let’s run a quick brute force attack and see what we get.
I’ll be using the ever-popular fasttrack.txt wordlist for passwords, and then just trying common usernames.
fasttrack.txt - https://github.com/drtychai/wordlists/blob/master/fasttrack.txt
With Burp’s Proxy intercept on, just type “test” or something else in the username and password fields, and press Enter to capture the request.

From here we need to send the request to the Intruder tool and add both fields as payload markers (just highlight and click ‘add’). Should look like this:

Change the attack type to “Cluster Bomb” and then head over to the Payloads tab.
Load fasttrack.txt into payload set 2, and then add a few common or likely usernames to payload set 1 (being a CTF, just keep it simple).

Start the attack!
A different response code comes back for “user” + “password”:

Since 302 is a redirect, we can assume that this account is valid. All other accounts came back with this response:

Let’s give these credentials a go.

Bingo! We got a flag. Probably could have just guessed that login…
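The Intruder run above is visible on the server side as well: the same client posting to the login form over and over, getting the “bad login” page back each time, and then suddenly receiving a 302. The following is an added example, not part of the original write-up or the challenge, showing how a defender would pick that pattern out of an access log. The log lines, the /login.php path, the addresses and the assumption that a failed login re-renders the form with a 200 while a successful one redirects with a 302 (as observed in the Intruder results) are all constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed access-log excerpt (not from the challenge): one client hammering
# the login form and getting 200s back, then a 302 once a guess lands; a second
# client mistypes once and then logs in normally. Paths, addresses and
# timestamps are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2021:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 1342
10.0.0.5 - - [12/Mar/2021:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 1342
10.0.0.5 - - [12/Mar/2021:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 1342
10.0.0.5 - - [12/Mar/2021:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 1342
10.0.0.5 - - [12/Mar/2021:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 1342
10.0.0.9 - - [12/Mar/2021:10:00:03 +0000] "POST /login.php HTTP/1.1" 200 1342
10.0.0.5 - - [12/Mar/2021:10:00:03 +0000] "POST /login.php HTTP/1.1" 200 1342
10.0.0.5 - - [12/Mar/2021:10:00:03 +0000] "POST /login.php HTTP/1.1" 200 1342
10.0.0.5 - - [12/Mar/2021:10:00:04 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2021:10:00:09 +0000] "POST /login.php HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2021:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 2210
"""

# Common Log Format: client, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def detect_credential_guessing(lines, login_path="/login.php",
                               threshold=5, window=timedelta(seconds=60)):
    """Flag clients with `threshold` or more failed logins inside `window`.

    Returns {ip: {"failed_attempts": n, "success_after_burst": bool}}; a True
    flag means the burst was followed by a 302, i.e. a guess probably worked
    and that account should be treated as compromised.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps inside the window
    total_failures = defaultdict(int)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != login_path:
            continue
        if status == 200:                   # assumed: form re-rendered, login failed
            total_failures[ip] += 1
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(ip, {"failed_attempts": 0, "success_after_burst": False})
            if ip in alerts:
                alerts[ip]["failed_attempts"] = total_failures[ip]
        elif status == 302 and ip in alerts:  # assumed: redirect means login succeeded
            alerts[ip]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_guessing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The threshold and window are deliberately low here so the short sample trips the rule; on a real site they are tuned per login endpoint, and the “success after burst” case is the one worth paging on, since it means a password guess landed rather than merely being attempted. The same signal is what a lockout or rate limit on the login form would act on before a wordlist like fasttrack.txt gets through.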
Flag One
Now that we are logged in, we can see posts from both a user account (us at the moment) and an admin account. So we know that “admin” is a valid username as well.
I still have Burp running the brute force attack in the background, we’ll give it some time as we look at other things.
If you click on either of the posts then you’ll find an ID number in the URL:

Let’s see what happens if we change this. ID 1 is the admin post, ID 3 is obviously the user post.
What is ID 2?

There we go! A “hidden” post and another flag.
Flag Two
Now, we know “admin” is another user, but the fasttrack.txt wordlist doesn’t appear to be working to brute force that account.
We can see his post if we simply navigate to the correct URL using the post ID. Let’s check and see if we can edit a post.
First, edit the last user post that was created under the account we already have access to (do this with dev tools open, and take a look at the “inspect element” or “sources” tabs):

This may show up in the address bar, but I wasn’t paying attention at the time.
Now that we know the URL format for editing a post, let’s try cycling through post numbers and see if we can edit one that we don’t own.

Another one!
Flag Three
If we look closely at the source for the create.php page, we’ll notice that user IDs are included when creating a post. Let’s see if we can create a post for another user based on this ID.
Using Burp we can intercept this when making a post. Sure enough, the user ID is included here. Let’s send this to the Repeater tool and see if we can post on behalf of another user.

Change the ID to another user, click submit…and…..

FLAG!
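Flags One, Two and Three are all the same bug: the application takes the post ID from the URL and the user ID from the form and never asks whether the logged-in session is allowed to act on them. As an added example (not the challenge’s PHP and not the author’s code), here is that pattern in a small in-memory model next to the version that authorises every read, edit and create against the server-side session only. The Post class, the POSTS table, the Forbidden exception and the handler names are assumptions made for illustration.

```python
from dataclasses import dataclass
import itertools


class Forbidden(Exception):
    """Raised by the hardened handlers when the session may not touch the object."""


@dataclass
class Post:
    id: int
    owner_id: int
    body: str
    hidden: bool = False


# Constructed sample data mirroring the write-up: admin (user 1) owns post 1
# and the "hidden" post 2; the ordinary user (user 2) owns post 3.
POSTS = {
    1: Post(1, 1, "admin post"),
    2: Post(2, 1, "hidden admin post", hidden=True),
    3: Post(3, 2, "user post"),
}
_next_id = itertools.count(4)


# --- vulnerable handlers: every identifier comes from the client ----------
def view_post_vulnerable(session_user_id, post_id):
    return POSTS[post_id].body                     # any ID, any visibility


def edit_post_vulnerable(session_user_id, post_id, new_body):
    POSTS[post_id].body = new_body                 # no ownership check
    return post_id


def create_post_vulnerable(session_user_id, form):
    pid = next(_next_id)
    POSTS[pid] = Post(pid, int(form["user_id"]), form["body"])  # owner from the form
    return pid


# --- hardened handlers: authorise against the session, ignore client claims
def _load_owned(session_user_id, post_id):
    post = POSTS.get(post_id)
    # Same outcome for "does not exist" and "not yours": the response then
    # does not confirm which IDs are live when someone cycles through them.
    if post is None or post.owner_id != session_user_id:
        raise Forbidden(post_id)
    return post


def view_post_secure(session_user_id, post_id):
    post = POSTS.get(post_id)
    if post is None or (post.hidden and post.owner_id != session_user_id):
        raise Forbidden(post_id)
    return post.body


def edit_post_secure(session_user_id, post_id, new_body):
    post = _load_owned(session_user_id, post_id)
    post.body = new_body
    return post.id


def create_post_secure(session_user_id, form):
    pid = next(_next_id)
    # form["user_id"] is never consulted; the owner is whoever is logged in.
    POSTS[pid] = Post(pid, session_user_id, form["body"])
    return pid


def is_denied(handler, *args):
    """True if the handler refuses the request (used to demonstrate the checks)."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```

The fix is not a smarter ID format (an unguessable ID only slows the cycling down); it is that the server decides ownership from its own session state and checks it on every object access, including the “edit” and “delete” endpoints and not only the page that lists posts.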
Flag Four
This is the point where I realized I have numbered these flags incorrectly.
The hint for this one is listed under Flag Three.
Hint: — 189 * 5
I was assuming that the answer to this (945) had some significance, but I honestly had absolutely no idea what they intended we do with that number. So naturally, I Googled it.
Turns out this is just a post number. Open a post and then change the post ID in the URL to 945. This gets us a flag!

Flag Five
The hint for this one is, “the cookie allows you to stay signed in. Can you figure out how they work so you can sign in to user with ID 1?”
So, session hijacking. Let’s give it a go.
This requires an add-on or some tool that will allow you to edit cookies. I’m not going to recommend a specific one because I have yet to find one that works consistently. Install add-ons with caution though!
It wants us to log in as the user with ID 1. CyberChef gives us the option to get the MD5 hash for any input, so we hash that ID:

Taking this, we can use a cookie editor to hopefully gain access to a login session for that account:

Refresh the page and find the flag!

Flag Six
The hint for this one says, “deleting a post seems to take an ID that is not a number. Can you figure out what it is?”
We’re already logged in from the last flag, so let’s delete a post and see what we can find!

When you delete a post you get an ID that appears to be another MD5 hash.
Reversing this hash (MD5 can’t be decrypted, but the hash of a small number is trivially looked up) gives us a number that I believe is the post ID.
Create a post or use a post that is already available and grab the ID number. I’ll be using post 2 since it is already there. Head over to CyberChef and get the MD5 for the post number you want to delete, and then replace the ID in the URL we found with the ID of the post you want to delete.

NOTE: You need to delete a post that belongs to another user in order to get the flag.
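Flags Five and Six share one root cause: both the session cookie and the delete ID are an unkeyed MD5 of a small, predictable number, so anyone who can run CyberChef can produce a valid one for any user or post. As an added example (not the challenge’s code and not the author’s), here is that weak construction beside a keyed one: the ID is still sent to the client, but it is accompanied by an HMAC under a server-side secret, tagged with its purpose so a session token cannot be replayed as a delete ID. SERVER_SECRET, the token layout and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# --- the Postbook pattern: hash of a guessable value, no secret involved ---
def weak_token(value):
    """md5(str(id)); equal for every party that knows the id, server or not."""
    return hashlib.md5(str(value).encode()).hexdigest()


# --- keyed alternative: the server's secret is needed to mint a valid token ---
SERVER_SECRET = secrets.token_bytes(32)   # generated at start-up; never sent to clients


def signed_token(value, purpose, key=SERVER_SECRET):
    """'<id>.<hex mac>' where mac = HMAC-SHA256(key, '<purpose>:<id>').

    The purpose tag ("session", "delete", ...) is part of the signed message,
    so a token issued for one use fails verification for another.
    """
    msg = f"{purpose}:{value}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_signed_token(token, purpose, key=SERVER_SECRET):
    """Return the integer id if the MAC and purpose check out, else None."""
    try:
        value, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, f"{purpose}:{value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return int(value) if value.isdigit() else None


if __name__ == "__main__":
    # The weak cookie for user 1 is the same value CyberChef produces.
    print("md5 cookie for user 1:", weak_token(1))
    t = signed_token(1, "session")
    print("signed session token:", t)
    print("verifies as session:", verify_signed_token(t, "session"))
    print("verifies as delete :", verify_signed_token(t, "delete"))
```

In practice a session cookie is more often a long random value that the server maps to a user in its own store, which avoids putting any user-controlled number in the cookie at all; the HMAC form is shown because it is the smallest change that makes the delete ID unforgeable as well. Either way the server still has to perform the ownership check from the create/edit discussion above before deleting, because a valid token only proves who is asking, not that they may delete that post.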

And there we have it! All of the flags for Postbook have been found.