Cody’s First Blog
“Cody’s First Blog” is a room with a moderate difficulty level and three flags to find.
NOTE: Keep in mind that the flags are numbered in the order in which I completed them (some numbers may match the room’s own numbering, while others may not).
Flag 1

At first glance, it appears to be another simple page with no apparent links. However, after pressing F12, I noticed a very intriguing comment, but I’ll stay on this page for a little longer.

The author of the post beautifully revealed how their blog works. If I’m not mistaken, we can utilize the comments field for some devious purposes. I’ll use a straightforward PHP function for that.

This simple little script provided us with an easy flag.
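The comments field could be abused because the blog treats what a visitor types as PHP source rather than as data. The following is an added example, not the room’s code: a comment store that keeps comments as JSON and HTML-escapes them at render time, so a PHP tag submitted in a comment is displayed as text and never executed. The storage path and field names are assumptions.

```php
<?php
// Added example (not the room's own code): comments are stored as data and
// escaped on output, so nothing a visitor submits is ever included or evaluated.

// Hypothetical storage path; in a real deployment keep it outside the web root.
const COMMENT_STORE = __DIR__ . '/comments.json';

function load_comments(string $path): array {
    if (!is_file($path)) {
        return [];
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : [];
}

function add_comment(string $path, string $author, string $body): void {
    $comments = load_comments($path);
    // Raw text goes into a JSON document, not into a PHP file that gets included.
    $comments[] = ['author' => $author, 'body' => $body, 'approved' => false];
    file_put_contents($path, json_encode($comments, JSON_PRETTY_PRINT), LOCK_EX);
}

function render_comment(array $c): string {
    // htmlspecialchars neutralises <?php ... ?> and <script> alike:
    // the browser shows the characters, the server never interprets them.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<div class="comment"><b>'
        . htmlspecialchars($c['author'], $flags, 'UTF-8') . '</b><p>'
        . htmlspecialchars($c['body'], $flags, 'UTF-8') . '</p></div>';
}

// Constructed demo input: a comment carrying a PHP tag, like the one in the write-up.
add_comment(COMMENT_STORE, 'visitor', '<?php echo "this stays text" ?>');
foreach (load_comments(COMMENT_STORE) as $c) {
    echo render_comment($c), PHP_EOL;
}
```

The "approved" flag mirrors the moderation step the room uses; with this design, approving a comment only changes what is displayed, never what the server executes.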

Flag 2
Now, going back to the link in the comment, it turns out to be a link to the admin login.

I tried various combinations of popular weak passwords, but none of them worked. However, my attention was drawn to the URL containing the word “auth”. I wonder if removing it will allow me to bypass the login prompt.
And… it worked like a charm!
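The bypass works because only the path containing “auth” enforces the login; the admin pages themselves trust that the visitor came through it. As an added example (not the room’s code; file names and the session key are assumptions), a single guard file that every admin script requires makes the check independent of which URL is requested:

```php
<?php
// Added example (not the room's own code): admin/guard.php, required at the
// top of every script under /admin/, so no admin page can be reached without
// an authenticated session regardless of the URL used.

session_start();

function require_admin(): void {
    if (empty($_SESSION['admin_authenticated'])) {
        // Not logged in: redirect to the login form and stop; never fall through.
        header('Location: /admin/auth/login.php', true, 302);
        exit;
    }
}

// Called by the login handler after the submitted password has been checked
// with password_verify() against the stored password_hash() value.
function establish_admin_session(): void {
    session_regenerate_id(true);   // prevent session fixation on privilege change
    $_SESSION['admin_authenticated'] = true;
}

// Every admin script (e.g. admin/index.php) begins with:
//   require __DIR__ . '/guard.php';
require_admin();
```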

Flag 3
The third flag was much harder to find than the previous two. To accomplish this, I used the path traversal method to see how the page looks from the backend perspective. Indeed, adding the local server address “http://localhost/index” to the “page” variable did the trick.
Path traversal, also known as directory traversal or directory climbing, is a type of security vulnerability that occurs when a web application allows users to access files or directories outside the intended scope. In other words, it is a method used by attackers to navigate through the file system of a server and access files or directories that should be restricted from public access.
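A “page” parameter that is passed to include() will load whatever path or URL it is given. The fix is to treat the parameter as a key into an allowlist rather than as a path, and to keep remote includes disabled. The following is an added example, not the room’s code; the page names, file layout and the assumption that the blog dispatches on a “page” parameter are all mine.

```php
<?php
// Added example (not the room's own code): the "page" parameter is resolved
// through a fixed allowlist, so the visitor's value is never used as a path.

// Only these names may be loaded; the key is chosen by the visitor, the path is not.
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
    'blog'  => 'pages/blog.php',
];

function resolve_page(?string $requested): string {
    $name = $requested ?? 'home';
    if (!array_key_exists($name, PAGES)) {
        // Unknown value: serve the default instead of reflecting the input.
        http_response_code(404);
        return PAGES['home'];
    }
    return PAGES[$name];
}

// Defence in depth: refuse to run if remote includes are enabled, since that
// setting is what lets include() fetch a URL such as http://localhost/... at all.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    exit('allow_url_include must be Off');
}

$file = __DIR__ . '/' . resolve_page($_GET['page'] ?? null);
include $file;
```

Because the resolved path comes from the constant array, neither “../” sequences nor URLs in the parameter can reach anything outside the three listed files.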

By leveraging the previously noticed PHP injection vulnerability, I decided to view the contents of the “index.php” file on the local disk. To achieve this, I had to go back to the frontend version and enter the code that will be executed.

<?php echo readfile("index.php")?>
This should do the trick!
An essential thing is to perform an “approve comment” action from the admin panel; otherwise, the injected code won’t run.
After a little searching, I found an interesting hidden comment containing the contents of the “index.php” file along with the flag.

In summary, the room was, in my opinion, not as difficult as other rooms with the same difficulty level, but it doesn’t mean that I didn’t have to think through some challenges. Overall, as always, the challenge brought me a lot of entertainment.