Hacker101 CTF | Postbook (easy) Walkthrough

Hi Fellas! I recently started in CTFs and bug bounties.

CTF Name: Postbook
Platform: ctf.hacker101.com
No. of Flags: 7
Difficulty: Easy

I’m writing this in the order I did it, so the flags may not appear in numerical order.

Flag 0

I took my time to explore the web app and make myself familiar with the interface and its functionality. There are hints provided for every flag in the hacker101 portal.
Hint: The person with username “user” has a very easy password…
So, I intercepted the sign-in request using Burp Suite and ran a brute-force attack on the sign-in form with some very common passwords through Burp Intruder. Got a hit, used it to log in, and there was Flag 0.

Flag 2

Hint: Try viewing your own post and then see if you can change the ID
I then created a few new accounts with various credentials using the signup feature. It doesn’t seem to have any kind of validation mechanism.
So, I logged in normally and, while creating a post, noticed a hidden field named ‘user_id’. Change its value and submit the request. Voila! You can create a post with another user’s privileges AND you get your Flag 2.

Flag 4

Then I created a post normally, as the app allows. There were two options associated with it: ‘Edit’ and ‘Delete’.
I intercepted the edit request with Burp. It has a parameter named ‘id’ in its URI. Changing it lets you edit any post on the platform, regardless of who owns it. There, you get Flag 4.

I tried the same with the ‘Delete’ option, but the id wasn’t a numerical identifier. It seemed a bit more complex, so I checked the hint.

Flag 1

Hint: Try viewing your own post and then see if you can change the ID
I viewed a post and intercepted its request. Like the ‘edit’ functionality, it also has an ‘id’ parameter to mess with. After trying a few numbers, you can see that it lets you view even the private posts. That was what we were looking for. You get your Flag 1.

Flag 3

Hint: 189 * 5
The hint for this flag seemed a bit odd and the product rang no bells at first. After thinking for a while, I got the idea of using it as a parameter, and tried it as the post id while viewing a post. Voila! It worked. There’s a mystery post with Flag 3.
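Flags 1, 2 and 4 all come from the same class of bug: the server acts on whatever post or user id the client sends, without checking who is asking. The following is an added illustration, not the Postbook app’s own code; the handler and data names are constructed. The “vulnerable_*” functions mirror the behaviour found above, and the “safe_*” ones show the ownership checks that close it.

```python
# Added illustration, not the Postbook app's own code: the access-control bug behind
# Flags 1, 2 and 4 is a server that trusts ids supplied by the client. The "safe_*"
# handlers take the acting user from the session only and check ownership. All constructed.
from dataclasses import dataclass

@dataclass
class Post:
    id: int
    owner_id: int
    body: str
    private: bool = False

class Forbidden(Exception):
    """Raised when the session user is not allowed to touch the post."""

POSTS = {  # constructed stand-in for the app's database; user 1's post is private
    1: Post(1, 1, "private note of user 1", private=True),
    2: Post(2, 2, "public post of user 2"),
    3: Post(3, 3, "public post of user 3"),
}

def vulnerable_view(post_id: int, session_user_id: int) -> str:
    # Flag 1 pattern: any existing id is served, private or not.
    return POSTS[post_id].body

def safe_view(post_id: int, session_user_id: int) -> str:
    post = POSTS[post_id]  # KeyError for unknown ids, the equivalent of a 404
    if post.private and post.owner_id != session_user_id:
        raise Forbidden(f"post {post_id} is private")
    return post.body

def vulnerable_create(form_user_id: int, session_user_id: int, body: str) -> Post:
    # Flag 2 pattern: the hidden user_id form field decides who owns the post.
    post = Post(max(POSTS) + 1, form_user_id, body)
    POSTS[post.id] = post
    return post

def safe_create(session_user_id: int, body: str) -> Post:
    # Ownership comes from the authenticated session; no user_id field is read.
    post = Post(max(POSTS) + 1, session_user_id, body)
    POSTS[post.id] = post
    return post

def safe_edit(post_id: int, session_user_id: int, new_body: str) -> Post:
    # Flag 4 fix: editing needs ownership, not just a valid id in the URI.
    post = POSTS[post_id]
    if post.owner_id != session_user_id:
        raise Forbidden(f"post {post_id} belongs to user {post.owner_id}")
    post.body = new_body
    return post
```

The same ownership test belongs on the delete handler as well; a valid-looking id is never evidence of permission.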

Two flags remained and I struggled to figure out the logic behind them, as their hints didn’t reveal much about the functionality involved.

Flag 5

Hint: The cookie allows you to stay signed in. Can you figure out how they work so you can sign in to user with ID 1?

I got the cookie for my session: a string of 32 characters (128 bits). That’s it. I didn’t see how to tamper with it and tried changing it randomly, but to no use: I was logged out as soon as an invalid cookie was submitted.

So, I googled “Cookie tampering Hacker101” and found a 5-minute video. Watched it and checked whether the cookie was hex. Tried to decode it using an online hex decoder, but it decoded into gibberish. So I checked whether it was a hash using online hash lookup (“decryption”) sites and got a hit: it was an MD5 hash, and it reversed to a number (maybe used as the id of the user).

So, I fired up PHP in interactive mode in a Linux terminal using the “php -a” command, then calculated the hash of every number from 1 to 10 with “echo md5(number);”. You can do this with an online hash generator if you’re not using Linux.

Then I clicked on the ‘Settings’ option and submitted the MD5 hash corresponding to number 1 as the cookie. Yeah! You get the username and password on the settings page. Log in with those credentials and you get your Flag 5.

Flag 6

The parameter for the delete option looked like the cookie: it was also an MD5 hash. So I tried the same process, changed it, and deleted a post that didn’t belong to the signed-in user. There, you get your Flag 6.
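Flags 5 and 6 both rest on the same weakness: the cookie and the delete id are plain MD5 hashes of small integers, so anyone who can guess an id can compute the value. The added example below is not the app’s own code (the function and table names are constructed); it reproduces that scheme, gives the check a defender would run against a deployed app, and puts beside it a random server-side session token that no user id can be turned into.

```python
# Added example, not the Postbook app's own code. The walkthrough found the
# session cookie (Flag 5) and the delete id (Flag 6) to be bare MD5 hashes of
# small integers; this shows why that is no secret, beside a random server-side
# token that cannot be derived from a user id. All names are constructed.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

def predictable_cookie(user_id: int) -> str:
    # The scheme inferred in the walkthrough: cookie = md5(str(user_id)), no secret involved.
    return hashlib.md5(str(user_id).encode()).hexdigest()

def audit_cookie(cookie: str, limit: int = 10_000) -> Optional[int]:
    # Defender check for a deployed app: if a session cookie equals md5 of a small
    # integer, return that integer. Any hit means identity is guessable from the id.
    for candidate in range(1, limit + 1):
        if hmac.compare_digest(predictable_cookie(candidate), cookie):
            return candidate
    return None

# Corrected scheme: the cookie is random, and the user id lives only server-side.
SESSIONS: Dict[str, int] = {}

def issue_session_cookie(user_id: int) -> str:
    # 128 bits from the OS CSPRNG; same length as before, but not a function of user_id.
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token

def resolve_session(cookie: str) -> Optional[int]:
    # Unknown tokens simply resolve to nobody; there is nothing to "decrypt".
    return SESSIONS.get(cookie)

def revoke_session(cookie: str) -> None:
    # Logout or invalidation is a table delete, not something the client controls.
    SESSIONS.pop(cookie, None)
```

The delete parameter gets the same treatment: a random per-post token, or simply the numeric id plus the ownership check, rather than an unsalted hash that stands in for authorization.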

Bloopers (unsuccessful attempts / undiscovered vulnerabilities):

>> As the signup functionality doesn’t seem to have much of a validation mechanism, and the username entered during signup is shown in the profile section after logging in, I tried for an XSS vulnerability there. Entered a random password and the username “<script>alert(1);</script>”. But the “submit query” button wasn’t enabled. So, inspect the button: there’s a “disabled” attribute inside the “button” tag. Remove it and the button is activated. Signed up and viewed the profile tab, but the attempt was unsuccessful as it displayed the string without executing it.

>> There’s a business logic error in the web app: validation was in place for the username when signing up, but no such check exists when you change the username through the settings page.

>> You can view the profile of any user with the “My Profile” functionality by changing the ‘id’ parameter in its request.

>> HTML injection is possible on the settings page while changing the username and password. It may or may not be dangerous depending on your creativity.

Cyber Security Enthusiast | Passionate about Electronics | Programmer | Recently got into bug bounties and CTFs