- CTF Name: Petshop Pro
- Resource: Hacker101 CTF
- Difficulty: Easy
- Number of Flags: 3
Note: No, I won't be posting the flags I found, but I will be posting the methods I used.
Flag0
- Hint: Something looks out of place with checkout/It's always nice to get free stuff
- Acquired By: This flag was acquired by modifying the form input that gets submitted on the checkout page.
- If you inspect the checkout page you can see that there is a hidden field.
- By removing the
type="hidden"
from the page you are able to bring the input field onto the page to edit.
- Now that we have the field on the page it will look like this:
- Once the input field is edited properly hit that check out button and poof, flag.
- Thoughts/Learned: This exercise gets you to look at all parts of the page. There can sometimes be hidden fields that are doing things in the background that help users but are also vulnerable attack points. If this were a real site it would allow users to change the price they paid for an item and potentially get things for free or, worse, use it as an injection point for something more malicious.
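The server-side fix for the hidden price field, as an added example that is not code from the original post or from the Hacker101 app: the catalogue, item ids, prices and form layout are constructed, and the vulnerable handler sits beside the hardened one that recomputes the total from the catalogue and treats a mismatching client price as a tampering signal.

```python
import logging
from decimal import Decimal

# Constructed catalogue standing in for the shop's server-side item table
# (ids and prices are made up; the page only shows that a price field is hidden).
CATALOGUE = {0: ("Cat", Decimal("11.19")), 1: ("Puppy", Decimal("24.85"))}

# Constructed checkout submissions: an honest one and one with the hidden price edited.
HONEST_FORM = {"cart": [{"id": "0", "qty": "1", "price": "11.19"}]}
TAMPERED_FORM = {"cart": [{"id": "0", "qty": "1", "price": "0.01"}]}

class TamperedOrder(ValueError):
    """Raised when a submission does not match the server's own catalogue."""

def checkout_vulnerable(form):
    """Mirrors the bug in the writeup: the hidden price field is trusted as sent."""
    total = Decimal("0")
    for item in form["cart"]:
        total += Decimal(item["price"]) * int(item["qty"])
    return total

def checkout_hardened(form):
    """The client only names items and quantities; every price comes from the catalogue."""
    total = Decimal("0")
    for item in form["cart"]:
        item_id = int(item["id"])
        if item_id not in CATALOGUE:
            raise TamperedOrder(f"unknown item id {item_id}")
        qty = int(item["qty"])
        if not 1 <= qty <= 20:
            raise TamperedOrder(f"quantity {qty} out of range for item {item_id}")
        _, price = CATALOGUE[item_id]
        # A price field that disagrees with the catalogue is worth logging as a tamper
        # attempt; the total is computed from the catalogue regardless of what was sent.
        if "price" in item and Decimal(item["price"]) != price:
            logging.warning("price tamper attempt: item %d sent %s, catalogue %s",
                            item_id, item["price"], price)
            raise TamperedOrder(f"submitted price for item {item_id} does not match catalogue")
        total += price * qty
    return total

def is_rejected(form):
    """True when the hardened checkout refuses the submission."""
    try:
        checkout_hardened(form)
    except (TamperedOrder, ValueError, KeyError):
        return True
    return False
```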
Flag1
- Hint: There must be a way to administer the app/Tools may help you find the entrypoint
- Acquired By:
- First, check out the URL. There is a pattern with /cart. By using /login you are able to get an admin login page.
- Now, by navigating to the /login page you are able to see the admin login. From here I attempted a few admin:admin and similar pairs but had no success. From this point I will use a tool to try some username/password pairs.
- First I downloaded my own username list and tried it in my Community Edition of BurpSuite. Unfortunately, the Community Edition throttles Intruder, and based on cheating and looking up how someone else solved this, this would not be a good option as the username was somewhere past position 8000 in the list. Using this method would take too long so I tried ZAP.
- ZAP I am not as familiar with so this took some playing. First I tried a simple attack but that didn't produce anything. I did not modify anything with this because I wanted to see what it would do on its own... which was nothing.
- Now I tried the ZAP fuzzer. I was not able to get it to run on the first try, but after some tweaking of the words that would be tried for the username and password, I was. However, the username and password rotate, so I needed to set this up to run and let it do its thing.. Let me tell you, this takes so long. I attempted this a few times with different lists but nothing produced anything useful.
- Time for a new approach: Hydra. Hydra is an online password brute-forcing tool. This again took some tweaking but let me show the main part of the command...
hydra -L rockyou.txt -p aaa 35.xxx.xxx.xxx http-post-form "/73fxxxxxxx/login:username=^USER^&password=^PASS^:Incorrect password"
Here Hydra basically iterates through all the username/password combinations until it gets a response that does not contain the text "Incorrect username". After trying a few lists with this I was able to produce a username.
- After acquiring a username, switch up some of the command to use that username and now test for the password.
hydra -l name-you-found -P passwords.txt 35.xxx.xxx.xxx http-post-form "/73fxxxxxxx/login:username=^USER^&password=^PASS^:Incorrect password"
This one is taking longer than the names soooo now I wait.
- Once the username and password have both been cracked you can log in and see the flag right there.
- Thoughts/Learned: This lab was... a test of patience. Choosing the wrong list will waste a lot of time. It might be worth testing for common usernames and passwords but it is a tedious task. I'm glad I learned more about Hydra and ZAP fuzzer though.
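What a Hydra run against /login looks like from the server side, as an added detection example that is not part of the original post: the access log lines are constructed (addresses, timestamps and the User-Agent string are made up), and the detector flags any source whose failed POST /login count inside a sliding window reaches a threshold, assuming a failed login re-renders the form with 200 while a success redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Common Log Format lines standing in for the shop's access log: one source
# hammering POST /login at wordlist speed, and a legitimate user who logs in on the second try.
LINE = ('{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "POST /login HTTP/1.1" '
        '{status} {size} "-" "{ua}"')
SAMPLE_LOG = [LINE.format(ip="203.0.113.7", sec=s, status=200, size=812, ua="Mozilla/5.0 (Hydra)")
              for s in range(30)]
SAMPLE_LOG += [LINE.format(ip="198.51.100.4", sec=5, status=200, size=812, ua="Mozilla/5.0"),
               LINE.format(ip="198.51.100.4", sec=40, status=302, size=0, ua="Mozilla/5.0")]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse(line):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], m["status"]

def detect_login_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Map each source IP to its peak count of failed logins inside the sliding window,
    keeping only sources that reached the threshold."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        # Assumption: a failed login re-renders the form (200); a success redirects (302).
        if method != "POST" or path != "/login" or status != "200":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts
```

The same window logic also catches the rotating-credential case, since it keys on the source and the endpoint rather than on any particular username.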
Flag2
- Hint: Always test every input. Bugs don't always appear in a place where the data is entered
- Acquired By:
For this flag you will need to be logged in.
- First thing to do is test all of the inputs. I ran around before logging in and put
<img src=x onerror=alert(1)>
into anything I could. I did get a lot of alert boxes but none that produced a flag.
- Once you get some login creds try this again. Once you have admin access there are more input points for each item for purchase.
- Choose your favorite picture and edit it. This will show you a few options. As you can see, I chose the cat. Now save it. You might get an error so try to remove one of the image error scripts and try saving again.
- Now that it is saved, add that item to your cart and go view your cart for the flag.
- Thoughts/Learned: This one was a tad tricky because it wasn't clear that its goal was to be logged in. Oh well, that's how this goes sometimes. You try everything and then change something and then try everything again. patience!!!
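The rendering bug behind this flag and its fix, as an added example that is not code from the original post or from the Hacker101 app: the stored item record and its fields are constructed, the vulnerable cart row concatenates the edited item name straight into HTML, and the hardened version escapes at output time with an extra name check at the edit endpoint as defense in depth.

```python
import html
import re

# Constructed item record standing in for what the edit page stores; the name is the
# payload the writeup injected through the item's edit form.
STORED_ITEM = {"id": 0, "name": "<img src=x onerror=alert(1)>", "price": "11.19"}

def render_cart_row_vulnerable(item):
    """Concatenates the stored name straight into HTML, so the payload runs on the cart page."""
    return f'<tr><td>{item["name"]}</td><td>{item["price"]}</td></tr>'

def render_cart_row_hardened(item):
    """Escapes every stored value at output time; the browser shows the payload as text."""
    name = html.escape(str(item["name"]), quote=True)
    price = html.escape(str(item["price"]), quote=True)
    return f"<tr><td>{name}</td><td>{price}</td></tr>"

# Defense in depth for the edit endpoint: a short, printable item name only.
NAME_RE = re.compile(r"^[\w .,'&-]{1,64}$")

def validate_item_name(name):
    """True for names the edit endpoint should accept; markup characters never pass."""
    return bool(NAME_RE.match(name))
```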
Final Thoughts
This CTF was difficult for a lot of reasons. The most annoying reason was the rotating credentials. I have yet to see a CTF that does this so it was a new thing for me. It did get me more used to using ZAP and Hydra so that was overall great.
Top comments (11)
Please be aware that the post has a mistake in the hydra command: when you first try to get the correct username you want to check for the "Invalid username" error, not "Invalid password". Only when you have the username should you launch hydra with the "Invalid password" error check.
Hope that helps!
That's interesting because it worked for me.... I was under the impression that the command "hydra -L rockyou.txt -p aaa 35.xxx.xxx.xxx http-post-form "/73fxxxxxxx/login:username=^USER^&password=^PASS^:Incorrect password" " was using the rockyou.txt for the usernames and waiting for the error to change to "incorrect password" to tell me that it was the correct username... no??
You need to use an error message which isn't on the page when it finds the right username. In this case, the login page will display the message "Invalid username" until you find the right one, which will then change to "Invalid password". So you want Hydra to know that it succeeds when the "Invalid username" is no longer displayed.
Thanks for the great post!
Where do you get the /73fxxxxxxx from?
Hello, I think you can easily find flag2 without signing in.
I noticed that after scanning the web directories with dirscan, I found an /edit page.
First, I tried to open that directory, but I got a 400 reply. Then I thought.. "what if I provide an id in the URL?" So the web URL now looks like ip/edit?id=idhere.
Then I searched for possible ids, so I went to inspect element and found id 0 for the cat, and id 1 for the puppy.
Then I put the id in the URL that I mentioned before.
The URL now looks like this: ip/edit?id=0
Then voila..!! I entered the edit pages without being administrator.
On that page, I tried to enter some XSS payloads, but nothing happened :D. So I came to this writeup and tried the payload.. and it works!!
Sorry for my bad English :(
And thank you for this writeup, I like it very much!
Hey bro, I just wanted to tell you that /edit/id=0 OR /edit/id=1 works for flag2.
Change the name parameter to "" and keep all the same (I also changed the price to a negative like -1.0 or -2.0). In my case it worked for me; save the changes now.
I added that item to my cart.
Go to checkout now, and here is your Flag2.
Hello, thank you very much for the writeup!
For Flag1, what wordlist did you use for usernames?
I usually use github.com/danielmiessler/SecLists
I ran hydra 5 times and none of the found passwords work. Anybody else face this problem?
For Flag 1, using Turbo Intruder is OK.