HackerOne Hacker101 CTF Micro-CMS v1 Writeup
Date Published: 2026-06-05
- Difficulty: Easy
- Skills: Web
- Flags: 4
This target is a simple web app showing a list of notes, and a link to create a new one. The notes support markdown as well.
Note: I wrote this up a while after finding all the flags, so I'm unsure which order I found them in; these may not reflect the flag order on the actual CTF.
Flag 1: IDOR
When you edit or view pages, you can see each note is given an incremental integer for its ID. The existing notes are numbers 1 and 2, and when you create a new one, it's 11. Checking the numbers from 3 to 10, most respond with a not found message, but 4 responds with a permission error message, implying that it exists:
You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.
Going directly to the edit page (/page/edit/4) for number 4 doesn't check permissions and displays the contents, which includes the flag:
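The IDOR above comes down to one route (edit) doing an authorization check that another route (view) skips. The following is an added example, not the Micro-CMS source code: a minimal in-memory page store with a view handler that checks a private flag, an edit handler that forgets to, and a fixed edit handler that goes through a single shared authorization gate. The page ids, the private flag and the FLAG_PLACEHOLDER body are constructed sample data, and the real app's data model is assumed, not known.

```python
# Added example (not the Hacker101 Micro-CMS source code): a minimal page
# store modelled on the behaviour described in the writeup. Page ids, titles
# and the "private" flag are constructed sample data; the FLAG value is a
# placeholder, not a real flag.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status code, response body)


@dataclass
class Page:
    id: int
    title: str
    body: str
    private: bool = False


@dataclass
class User:
    name: str
    is_admin: bool = False


# Constructed data: ids 1 and 2 are public, 4 is private, 3 and 5-10 do not exist.
PAGES: Dict[int, Page] = {
    1: Page(1, "Welcome", "Public note"),
    2: Page(2, "Markdown test", "Public note with *markdown*"),
    4: Page(4, "Private", "FLAG_PLACEHOLDER (constructed, not a real flag)", private=True),
}


def view_page(page_id: int, user: User) -> Response:
    """The view route: consults the private flag, so anonymous users get 403."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, "Not Found"
    if page.private and not user.is_admin:
        return 403, "Forbidden"
    return 200, page.body


def edit_page_vulnerable(page_id: int, user: User) -> Response:
    """The IDOR: the edit route loads the page but never consults the private
    flag, so anyone who guesses the id is served the private body."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, "Not Found"
    return 200, page.body


def load_authorized_page(page_id: int, user: User) -> Tuple[Optional[Page], Response]:
    """Single authorization gate. Every route that loads a page goes through
    here, so a new route cannot forget the check the way the edit route did."""
    page = PAGES.get(page_id)
    if page is None:
        return None, (404, "Not Found")
    if page.private and not user.is_admin:
        return None, (403, "Forbidden")
    return page, (200, "")


def edit_page_fixed(page_id: int, user: User) -> Response:
    page, error = load_authorized_page(page_id, user)
    if page is None:
        return error
    return 200, page.body


def audit_route(handler: Callable[[int, User], Response], user: User,
                ids: range) -> Dict[int, int]:
    """Regression check for the fix: the status each id returns for `user`.
    With the vulnerable handler the private page shows up as 200; with the
    fixed handler it is 403, matching the view route, and no private body leaks."""
    return {page_id: handler(page_id, user)[0] for page_id in ids}


if __name__ == "__main__":
    anon = User("anonymous")
    print("vulnerable edit:", audit_route(edit_page_vulnerable, anon, range(1, 11)))
    print("fixed edit:     ", audit_route(edit_page_fixed, anon, range(1, 11)))
```

The point of `load_authorized_page` is that the check lives in exactly one place: the original bug is not that the check was wrong, but that one of two routes did not call it. `audit_route` is the kind of test you keep around after the fix so that a future route cannot silently regress.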

Flag 2: Reflected XSS
I next decided to test if the title or body was vulnerable to XSS. By placing the following payload into the title:
<script>alert("XSS")</script>
The index page alerts the flag:

Flag 3: SQL Injection
Next I decided to try SQL injection. I added a single quote in both the body and the title of a post, which didn't work. I then decided to add it to the URL instead of a number for an edit page like so: /page/edit/', which resulted in a flag displayed on the page:
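A single apostrophe in the path turning into a page-visible error means the id was spliced into the SQL text and the database error was echoed back. The block below is an added example, not the Micro-CMS source: an in-memory SQLite table (constructed sample rows; the real app's schema and database engine are not known from the challenge) with the vulnerable loader beside a fixed one that validates the id and binds it as a parameter, plus a route wrapper that never echoes the engine's error message.

```python
# Added example (not the Micro-CMS source code): an in-memory SQLite page
# table with two ways of handling the id taken from /page/edit/<id>.
# Table layout and rows are constructed sample data.
import re
import sqlite3
from typing import Callable, Optional, Tuple

Row = Tuple[int, str, str]
Response = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (id, title, body) VALUES (?, ?, ?)",
        [(1, "Welcome", "Public note"), (2, "Markdown test", "Public note with *markdown*")],
    )
    return conn


def load_page_vulnerable(conn: sqlite3.Connection, raw_id: str) -> Optional[Row]:
    """The bug: the URL segment is spliced into the SQL text. A lone apostrophe
    makes the statement unparseable and the database raises an error, which
    the challenge surfaces to the user (with the flag attached)."""
    query = f"SELECT id, title, body FROM pages WHERE id = {raw_id}"
    return conn.execute(query).fetchone()


def load_page_fixed(conn: sqlite3.Connection, raw_id: str) -> Optional[Row]:
    """Two independent layers: validate the type (a page id is a positive
    integer, nothing else) and bind the value as a parameter so the database
    never interprets it as SQL, whatever it contains."""
    if re.fullmatch(r"[1-9][0-9]*", raw_id) is None:
        return None
    return conn.execute(
        "SELECT id, title, body FROM pages WHERE id = ?", (int(raw_id),)
    ).fetchone()


def handle_edit(conn: sqlite3.Connection, raw_id: str,
                loader: Callable[[sqlite3.Connection, str], Optional[Row]]) -> Response:
    """Route wrapper. Database errors are caught so that, even if a query did
    fail, the client sees a generic 500 rather than the engine's message."""
    try:
        row = loader(conn, raw_id)
    except sqlite3.Error as exc:
        # Log the detail server-side; never echo `exc` into the response.
        print(f"[server log] database error for id {raw_id!r}: {exc}")
        return 500, "Internal Server Error"
    if row is None:
        return 404, "Not Found"
    return 200, row[2]


if __name__ == "__main__":
    conn = make_db()
    for raw in ("1", "'"):
        print(repr(raw), "vulnerable ->", handle_edit(conn, raw, load_page_vulnerable),
              "| fixed ->", handle_edit(conn, raw, load_page_fixed))
```

The validation and the parameter binding are deliberately both present: the regex alone would be defeated the day someone copies the query for a text column, and binding alone would still let a malformed id reach the database. The generic 500 is what stops a future bug from leaking the error text the challenge relies on.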

Flag 4: Stored XSS
Looking at the existing notes, there is one for testing markdown which includes an image and a button. I edited the button to have an onclick XSS like so:
<button onclick="alert('XSS')">Some button</button>
Saving it and clicking the button on the page didn't show the flag (though did show the onclick alert). Viewing the source did, however, show that the flag was added as an attribute to the button:
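Flags 2 and 4 are the same class of bug with two different fixes: the title is plain text and should be entity-encoded on output, while the markdown body legitimately contains HTML (the image, the button) and so needs an allowlist sanitizer rather than escaping. The block below is an added example, not the Micro-CMS code; the allowed tags and attributes are my own choices, and the stdlib `HTMLParser` rebuild is an illustration of the approach, not a substitute for a maintained sanitizer such as bleach or nh3.

```python
# Added example (not the Micro-CMS source code): output-side defences for the
# reflected (title) and stored (markdown body) XSS described in the writeup.
# The tag/attribute allowlists are assumptions chosen for this illustration.
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def render_title(title: str) -> str:
    """Reflected XSS fix: the title is text, so every character that could
    open a tag or attribute is entity-encoded before it reaches the page."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


# Stored XSS fix: the rendered markdown may contain HTML, so it is rebuilt
# from an allowlist. Unknown tags are dropped (their text kept), any attribute
# not on the list is dropped (which removes every on* handler), and URL
# attributes must be relative or http(s).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre",
                "ul", "ol", "li", "a", "img", "button"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "button": {"type"}}
VOID_TAGS = {"br", "img"}


def _safe_url(value: str) -> bool:
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in ("", "http", "https")


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers onclick, onerror, style, ... for every tag
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag: str) -> None:
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        # Text nodes are re-escaped, so entities decoded by the parser cannot
        # come back out as markup.
        self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment: str) -> str:
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(render_title('<script>alert("XSS")</script>'))
    print(sanitize_html('<button onclick="alert(\'XSS\')">Some button</button>'))
    print(sanitize_html('<img src="javascript:alert(1)" alt="x">'))
```

Note the asymmetry: the button survives sanitizing (it is on the allowlist) but its `onclick` does not, which is the behaviour the markdown test note needs. Escaping the body the way the title is escaped would instead turn the legitimate image and button into literal text.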

This was a fun little intro to web hacking! I'm excited to continue on with the rest of the Hacker101 challenges!