PicoCTF 2023
Last updated
I encountered this one in PicoGym. Even though it's an easy one that's been covered before, my solution doesn't require .
Web Exploitation (category): SOAP (title): 100 (pts)
This challenge hid the flag in the /etc/passwd file of a Linux web server. To gain access, it suggests we exploit an XXE vulnerability on its website. Viewing webpages is mostly a matter of sending a Request via a webpage and getting a Response from the web server. Web browsers can show you these . Kali has Firefox by default, so I'll use that.

My Process: First, google SOAP and XXE...

"SOAP is a messaging protocol popular in web service APIs. SOAP uses messages in the cross-platform XML (extensible markup language) format, bridging the gaps between otherwise-incompatible systems and servers. Originally developed by Microsoft, SOAP is now an open web services standard. Unlike REST (representational state transfer), which can use programming languages like JSON and various protocols, SOAP is limited to sending XML over HTTP or SMTP. As one of the oldest methods for exchanging data on the internet, SOAP has developed a robust set of security standards over the years." []
This is a lot of words to say that a site using SOAP for sending/receiving data can be susceptible to an XXE attack. And the way in, is to talk to it with XML. Next, inspect the site by looking at its assets and behavior.
Right-click "Inspect" while on the site to open dev tools > "Debugger" tab > see two JavaScript files.
Go to "Network" tab > click a "Details" button on the site and you'll see a POST request in the dev tools initiated by one of those JS files (i.e. "detailsCheck.js") > click that POST request to view all details > "Request" tab will show the XML "payload" with "data" and "ID" tags > while "Response" tab shows you the same text that appeared on the site.
When it works, the flag will show in the "Response" tab in Firefox dev tools:
I had to restart the instance dozens of times to document. Sometimes, that changes the flag. My final flag is: picoCTF{XML_3xtern@l_3nt1t1ty_540f4f1e}
BONUS: This can also be accomplished with a cURL command. Right-click POST item > "Copy Value" > "Copy as cURL"
Below are the results:
"XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access." []
POST means something was sent by the site to the server when you clicked the "Details" button. We'll now piggyback on this way of talking to the server. Right-click the POST request > choose "Edit and Resend" > add a to the new request. Note: DOCTYPE doesn't matter, but ENTITY and the "ID" name must match for this to work!
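For the server side of what this writeup exploits, here is an added example (not code from the challenge or this writeup) of a request check that refuses a SOAP body carrying a DTD before the XML parser ever sees it; the "data"/"ID" tag names are taken from the writeup's request, while the numeric-ID rule and the PLACEHOLDER file path in the sample are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies modelled on the challenge's "data"/"ID" request.
BENIGN_BODY = b'<?xml version="1.0"?><data><ID>1</ID></data>'
XXE_BODY = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE data [<!ENTITY ext SYSTEM "file:///PLACEHOLDER-PATH">]>'
            b'<data><ID>&ext;</ID></data>')

# A plain data request never needs a DTD, so any DOCTYPE or ENTITY
# declaration is grounds for rejection. Case-insensitive because
# "<!doctype" is legal XML too.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def check_soap_request(body: bytes) -> dict:
    """Screen a SOAP request body, then parse it and return the requested ID.

    Returns {"ok": True, "id": "<digits>"} or {"ok": False, "reason": ...}.
    This textual filter is defense in depth; the primary fix is a parser that
    cannot resolve external entities (e.g. defusedxml, or lxml with
    resolve_entities=False), which is not shown here.
    """
    # NUL bytes only appear in UTF-16/32 encodings, which would let the
    # declaration slip past a byte-level regex; this service expects UTF-8.
    if b"\x00" in body:
        return {"ok": False, "reason": "unexpected NUL byte (non-UTF-8 body)"}
    if _DTD_MARKERS.search(body):
        return {"ok": False, "reason": "DTD/entity declaration in request body"}
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"ok": False, "reason": f"malformed XML: {exc}"}
    node = root.find("ID")
    text = (node.text or "").strip() if node is not None else ""
    # Assumption: the details lookup keys on a numeric ID; anything else is
    # rejected so a stray entity reference can never reach the lookup.
    if not text.isdigit():
        return {"ok": False, "reason": "ID missing or not numeric"}
    return {"ok": True, "id": text}
```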