Web [70 pts]

This challenge, as hinted by its name, involves an XXE attack. The goal, as described in the challenge, is to find the flag.txt file in the root directory of the PHP server.

Resource: XXE docs

Step 1

When we first visit the site, our landing page looks like this:

We assume that it takes an xml payload eventually, but when we test LFI on the query, we get this result:

(This is an error page, named error.xml)

Step 2

After messing around some more, we see that the PHP function calls loadXML() and expects a string: Resource: loadxml() docs

Step 3

We now attempt to try RFI. First, we check to see if their server visits our “website.” We test this with a webhooks site from webhooks.site.

From these results, it looks like they do visit our webhook site. The only thing now is to find a way to include our xml payload that will be available in the url. My first instinct was to find a file upload site that can be shared (filebin).

Using the XML payload:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///flag.txt" >]>

We can upload this using filebin and include the entire website in the query, giving us our flag:

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s