Web [70 pts]
This challenge, as its name hints, involves an XXE (XML External Entity) attack. The goal, as described in the challenge, is to read the flag.txt file in the root directory of the PHP server.
Resource: XXE docs
When we first visit the site, our landing page looks like this:
We assume that it eventually takes an XML payload, but when we test LFI on the query parameter, we get this result:
(This is an error page, named error.xml)
After poking around some more, we see that the PHP code calls loadXML(), which expects a string:
Resource: loadXML() docs
From these results, it looks like the server does fetch our webhook URL. All that remains is to host our XML payload somewhere it can be reached by URL. My first instinct was to use a file-sharing upload site (filebin).
Using the XML payload:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///flag.txt" >
    ]>
    <root><data>&xxe;</data></root>
We upload this to filebin and pass the full filebin URL in the query, which gives us our flag:
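The defender-side counterpart to the trick above, added here as an example (not code from the writeup): before a document reaches a parser that substitutes entities, as the server's loadXML() path does, scan its DTD with Python's expat parser and refuse anything that declares an external entity. The payload constant reproduces the writeup's XML as a constructed test input; the benign sample is constructed too.

```python
import xml.parsers.expat

# The writeup's payload, embedded here as a constructed test input.
XXE_PAYLOAD = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<!DOCTYPE foo [ <!ELEMENT foo ANY > '
    '<!ENTITY xxe SYSTEM "file:///flag.txt" >]>'
    '<root><data>&xxe;</data></root>'
)
# A constructed document with no DTD at all, the normal case.
BENIGN_XML = '<?xml version="1.0"?><root><data>hello</data></root>'


def find_external_entities(xml_text):
    """Return [(entity_name, system_id)] for every entity in the DTD that
    points outside the document. The entities are only recorded, never
    loaded: expat does not fetch a SYSTEM id unless an
    ExternalEntityRefHandler is installed, and none is installed here."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id,
                       notation):
        # Internal entities carry a literal value and no system/public id.
        # Anything with a system or public id would make an entity-
        # substituting parser open that resource (file:///flag.txt above).
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)
    return found


def is_safe_to_parse(xml_text):
    """Gate for untrusted XML: true only if no external entity is declared."""
    return not find_external_entities(xml_text)


if __name__ == "__main__":
    for label, doc in (("xxe payload", XXE_PAYLOAD), ("benign", BENIGN_XML)):
        print(label, "->", find_external_entities(doc), is_safe_to_parse(doc))
```

Parameter entities (`<!ENTITY % name SYSTEM ...>`) are reported through the same handler, so the check also covers DTD-level out-of-band variants.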