Hacker101 CTF | Postbook (easy) Walkthrough

Hi Fellas! I recently started in CTFs and bug bounties.

CTF Name: Postbook
Platform : ctf.hacker101.com
No. of Flags : 7
Difficulty : Easy

I’m writing this in the order I did it, so the flags may not be in order.

Flag 0

Flag 2

Flag 4

Tried the same with the ‘Delete’ option, but the id wasn’t a numerical identifier. It seemed a bit complex, so I checked for a hint.

Flag 1

Flag 3

Two flags remained, and I struggled to figure out the logic behind them, as their hints didn’t reveal much about their functionality.

Flag 5

I got the cookie for my session and it’s a string of length 32 (128 bits). That’s it. I didn’t get how to tamper with it and tried changing it randomly, but it was of no use. I was being logged out as soon as an invalid cookie was submitted.

So, I googled “Cookie tampering Hacker101” and got a 5-minute video. Watched it and checked whether the cookie was hex. Tried to decode it using an online hex decoder, but it decoded into gibberish. So, I tried to see if it’s a hash using online hex decryptors and got a hit. It was an MD5 hash. It decrypted to a number (maybe used to identify the id of the user).

So, I fired up PHP in interactive mode in a Linux terminal using the “php -a” command. Then, I calculated the hash of all the numbers from 1-10 using the command “echo md5(number);”. You can do this with an online hash encoder if you’re not using Linux.

Then, I clicked on the ‘Settings’ option and submitted the MD5 hash corresponding to number 1 as the cookie. Yeah! You get the username and password in the settings page. Log in with those credentials and you get your Flag5.
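
The cookie scheme described for Flag 5, next to a hardened replacement, as an added example that is not part of the original write-up or the CTF's own code. It assumes the cookie is the MD5 hex digest of the decimal user id; weak_cookie, audit_cookie and SessionStore are hypothetical names.

```python
import hashlib
import secrets


def weak_cookie(user_id: int) -> str:
    """Scheme from the write-up (assumed): cookie = MD5 hex of the numeric id."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def audit_cookie(cookie: str, max_id: int = 10_000):
    """Audit check for your own app: return the user id if the cookie is just
    md5(id) for a small id, else None. A hit means the cookie carries no secret."""
    for uid in range(max_id + 1):
        if weak_cookie(uid) == cookie:
            return uid
    return None


class SessionStore:
    """Hardened form: the cookie is a random opaque token; the mapping to a
    user lives only on the server, so the token cannot be derived from the id."""

    def __init__(self):
        self._sessions = {}  # token -> user id

    def login(self, user_id: int) -> str:
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, 32 hex chars
        self._sessions[token] = user_id
        return token

    def user_for(self, token: str):
        # Unknown or forged tokens map to no user (treated as logged out).
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    good = store.login(1)
    print("weak cookie for id 1 :", weak_cookie(1), "-> audit:", audit_cookie(weak_cookie(1)))
    print("random session token :", good, "-> audit:", audit_cookie(good))
    print("forged md5(1) accepted by SessionStore?", store.user_for(weak_cookie(1)) is not None)
```

Both cookies are 32 hex characters, so length alone says nothing; what matters is whether the value can be recomputed from public information.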

Flag 6

Bloopers (unsuccessful attempts/undiscovered vulnerabilities):

>> There’s a business logic error associated with the web app: validation mechanisms were in place for the username while signing up, but no such mechanisms were present when you change the username through the settings page.

>> You can view the profile of any user by using the “My Profile” functionality and changing the alphabet ‘id’ associated with it in its request.

>> HTML injection is possible in the settings page while changing the username and password. It may or may not be dangerous depending on your creativity.
