Lawful Evil (lawful_evil) wrote,
Lawful Evil

Hackering via HackerOne CTF

Well, I've been doing CNO dev for a while but I've never really gotten into CTF stuff.

So.. hacker one has a CTF.

Level : Trivial
Some mostly blank page. view source in chrome. I hope these aren't browser dependent. Anyway.. it loads a boring background image and has some dire warning about getting stuck. I try to navigate to other resources. I try to view the image separately incase its so huge it has stuff off the edge or has text imbedded in the jpeg. That is where the flag is. Ok. Pretty easy.

Level : Easy, Micro CMS v1
A series of pages. There is a main page with a listing of sub page titles. There is the option to view a page or create a new page. When on a page you can edit the title and body.

I create a couple pages and notice the page number is discontinuous. I manually load a couple of the missing pages and eventually stumble upon one that is different and A flag is there. This challenge has 4 flags. Problem is sorting out where each might be.

Moving on, I edit a page a bit and notice script tags get removed/scrubbed. It also supports some sort of markdown. I eventually manage some image tag XSS and get the second flag.

The third flag is XSS in the title that then gets executed on the main page in the page listing. Ok, 3/4 down.

The last flag takes quite a bit of bumbling around in the wrong area. Even with the hints, I glossed over the area with the flag but totally missed it for hours. But, I was so close, I'm sort of angry it took that long. Its a type mismatch error thing in the URL.
Tags: challenges, cno, ctf, micro-cms, xss cybersecurity

  • HackerOne CTF- Thermostat

    I wasn't sure what to expect with this one. The Thermostat. Android CTF... I didn't have a readily accessible android device... so initially…

  • HackerOne CTF Petshop Pro

    Easy and straightforward shopping. A couple items you can add to a cart and checkout. Playing with the cart a bit, we see that the cart/checkout…

  • HackerOne CTF Postbook

    Postbook... 7 flags at 4 points each. The page looks like it can have a post timeline for posts you create, a way to sign in, sign up, etc. After…

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.