Micro CMS V1
CHALLENGE HINT
Flag0
After creating a new page, we can see its ID in the URL. Hmm, something is off here: the two provided pages have IDs 1 and 2, but our new page got ID=7, so we should walk through IDs 3 to 6 to look for anything interesting.
After checking them, we see that ID=5 is Forbidden. Now try to access it through the edit page instead.
Flag1
We get the first flag. Besides that, we can see our ID is passed directly in the URL, so we should try SQL injection here by adding ' to the URL.
Flag2
We can use the hint from Flag2: try some XSS on the title, and then go back to HOME.
<script>alert(1)</script>
Flag3
Go to the edit page. We can notice the last line, "Markdown is supported, but scripts are not", and following the hint of the last flag, we try some XSS, but not with <script this time.
<img src=x onerror=alert(2)>
We can see the alert pop up, but still don’t see any flag. Right-click to view the source and we get the last flag.
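The Flag2 and Flag3 findings come down to a title written to the page without encoding and a body filter that blocks only script tags. The following is an added example, not code from the challenge or the original write-up: it puts a model of that weak filter next to an allowlist sanitizer and output encoding. The function names, the allowlist and the URL policy are assumptions, and the body is assumed to be sanitized after Markdown has been rendered to HTML.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlist for HTML produced from page bodies: tag -> allowed attributes.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "a": {"href"}, "img": {"src", "alt"}}
SAFE_URL = re.compile(r"^(https?://|/)", re.I)  # assumed URL policy

def naive_filter(body):
    """Weak form (a model, not the challenge's code): only <script> is removed."""
    return re.sub(r"(?is)<script.*?>.*?</script\s*>", "", body)

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # unknown tags are dropped, their text is kept escaped
        kept = ""
        for name, value in attrs:  # event handlers and unsafe URLs fall out here
            if name in ALLOWED[tag] and (name == "alt" or SAFE_URL.match(value or "")):
                kept += f' {name}="{html.escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "img":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize_body(body):
    """Allowlist form: keep known tags and attributes, escape everything else."""
    parser = _Sanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

def render_title(title):
    """Titles are plain text, so encode them on output instead of filtering."""
    return html.escape(title, quote=True)
```

The naive filter returns the img payload unchanged, while the allowlist version drops the onerror attribute and the non-matching src, leaving a bare img tag.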