postbook

Author: testert1ng

README.md

@@ -11,10 +11,12 @@
 | Trivial (1 / flag)  | [A little something to get you started][2] | Web    | 1 / 1      |
 | Easy (2 / flag)     | [Micro-CMS v1][3]                          | Web    | 4 / 4      |
 | Moderate (3 / flag) | [Micro-CMS v2][5]                          | Web    | 3 / 3      |
+| Easy (4 / flag)     | [Postbook][6]                              | Web    | 7 / 7      |
 | Moderate (5 / flag) | [TempImage][4]                             | Web    | 2 / 2      |
 
 [1]: https://ctf.hacker101.com/ctf
 [2]: ./a_little_something_to_get_you_started
 [3]: ./micro-cms_v1
 [4]: ./tempimage
-[5]: ./micro-cms_v2
+[5]: ./micro-cms_v2
+[6]: ./postbook

postbook/README.md

@@ -0,0 +1,29 @@
+# Postbook
+
+## [Flag0](./flag0) -- Found
+
+- The person with username "user" has a very easy password...
+
+## [Flag1](./flag1) -- Found
+
+- Try viewing your own post and then see if you can change the ID
+
+## [Flag2](./flag2) -- Found
+
+- You should definitely use "Inspect Element" on the form when creating a new post
+
+## [Flag3](./flag3) -- Found
+
+- 189 * 5
+
+## [Flag4](./flag4) -- Found
+
+- You can edit your own posts, what about someone else's?
+
+## [Flag5](./flag5) -- Found
+
+- The cookie allows you to stay signed in. Can you figure out how they work so you can sign in to user with ID 1?
+
+## [Flag6](./flag6) -- Found
+
+- Deleting a post seems to take an ID that is not a number. Can you figure out what it is?

postbook/flag0/README.md

@@ -0,0 +1,20 @@
+# Postbook - FLAG0
+
+## 0x00 Index
+
+![](./imgs/index.jpg)
+
+## 0x01 Log In
+
+Try weak password
+
+```
+username: user
+password: password
+```
+
+![](./imgs/login.jpg)
+
+## 0x02 FLAG
+
+![](./imgs/flag.jpg)

postbook/flag0/imgs/flag.jpg

@@ -0,0 +1,15 @@
+# Postbook - FLAG1
+
+## 0x00 View Post
+
+http://127.0.0.1/1234567890/index.php?page=view.php&id=1
+
+![](./imgs/post.jpg)
+
+## 0x01 FLAG
+
+The id seems can be change.
+
+http://127.0.0.1/1234567890/index.php?page=view.php&id=2
+
+![](./imgs/flag.jpg)

postbook/flag0/imgs/index.jpg

@@ -0,0 +1,15 @@
+# Postbook - FLAG2
+
+## 0x00 New Post
+
+![](./imgs/new_post.jpg)
+
+There is a hidden value shows **user_id = 2**.
+
+Change it to 1 which may post as other people.
+
+![](./imgs/test_post.jpg)
+
+## 0x01 FLAG
+
+![](./imgs/flag.jpg)

postbook/flag0/imgs/login.jpg

@@ -0,0 +1,15 @@
+# Postbook - FLAG3
+
+## 0x00 View Post
+
+http://127.0.0.1/1234567890/index.php?page=view.php&id=1
+
+![](./imgs/post.jpg)
+
+## 0x01 FLAG
+
+The id seems can be change to very large value (189 * 5 = 945).
+
+http://127.0.0.1/1234567890/index.php?page=view.php&id=945
+
+![](./imgs/flag.jpg)

postbook/flag1/README.md

@@ -0,0 +1,21 @@
+# Postbook - FLAG4
+
+## 0x00 Edit Post
+
+http://127.0.0.1/1234567890/index.php?page=edit.php&id=3
+
+![](./imgs/edit.jpg)
+
+## 0x01 Edit Others Post
+
+The id seems can be change.
+
+http://127.0.0.1/1234567890/index.php?page=edit.php&id=1
+
+![](./imgs/edit_others.jpg)
+
+## 0x02 FLAG
+
+Save the edit result. Get the flag.
+
+![](./imgs/flag.jpg)

postbook/flag1/imgs/flag.jpg

@@ -0,0 +1,31 @@
+# Postbook - FLAG5
+
+## 0x00 Cookie
+
+user cookie
+
+```
+id: "c81e728d9d4c2f636f067f89cc14862c"
+```
+
+Check at [cmd5.com][1]. It is just md5 value of 2.
+
+![](./imgs/cookie.jpg)
+
+## 0x01 Admin Cookie
+
+md5(1)
+
+```
+id: "c4ca4238a0b923820dcc509a6f75849b"
+```
+
+## 0x02 FLAG
+
+Successfully login as admin.
+
+![](./imgs/flag.jpg)
+
+[1]: https://www.cmd5.com/
+
+

postbook/flag1/imgs/post.jpg

@@ -0,0 +1,21 @@
+# Postbook - FLAG6
+
+## 0x00 Delet Post
+
+http://127.0.0.1/1234567890/index.php?page=delete.php&id=eccbc87e4b5ce2fe28308fd9f2a7baf3
+
+Where **id=eccbc87e4b5ce2fe28308fd9f2a7baf3** is also [md5][1] value of post id.
+
+![](./imgs/delete.jpg)
+
+## 0x01 Delete Others
+
+http://127.0.0.1/1234567890/index.php?page=delete.php&id=c4ca4238a0b923820dcc509a6f75849b
+
+## 0x02 FLAG
+
+![](./imgs/flag.jpg)
+
+[1]: https://www.cmd5.com/
+
+