Such and eXpert ML model - Web Challenge 1 - KPMG CTF
Date : 22 Dec 2023 Friday
Table of Contents
Background
The description of the challenge is straightforward but useless; it says:
Recon
Initial recon is a must in CTF challenges; jumping directly into the application will give you a strong headache as a gift.
Nmap
nmap -Pn kicyber-{}-challenge-1.chals.io -vv -sV
Servers are really slow :/
Tried accessing port 23, that is telnet, but no success.
After Opening the URL in the browser I just got pranked!
But “Where’s the Camera?”
Directory Busting - Gobuster
So there are mainly three endpoints with a 200 status code.
/img - endpoint
This indicates that somewhere there is an endpoint through which we can register an account.
robots.txt - endpoint
But wait! When scrolling down the robots.txt,
we get the endpoint:
Exploitation - XXE Attack
When accessing the “/complexpage.html” endpoint we get a simple registration form.
Let’s enter some details and intercept the request and response in Burp Suite.
Request:
Response:
As the request body is XML (version 1) and the value of “Email” is echoed back in the response, let’s try an XXE attack.
For those who don’t know about the XXE attack:
- XXE is a vulnerability in the processing of XML data.
- In XML there are tags just like in HTML, but here the tags are user-defined and represent data that is also specified by the user.
- XXE stands for XML External Entity injection, in which an attacker uses an external entity to retrieve data from the server.
- External entities are declared entities whose values are loaded from another location, including files present on the server.
Now we just need to declare an entity that takes its value from a file on the server; when we reference that entity in our request, the content of that file is returned.
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
Using the xxe entity:
&xxe;
So, reading the flag present at “/etc/flag”:
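Added example, not part of the original writeup or the challenge code: the defensive counterpart to the payload above. A registration endpoint never needs a DTD, so the parser below fails closed on any DOCTYPE or entity declaration before expat gets a chance to expand &xxe;. The element names <register>, <name> and <email> are assumptions, since the page does not show the raw request.

```python
import xml.parsers.expat as expat

# Constructed sample bodies modelled on the registration request; the
# element names are assumptions, the page does not show the raw XML.
CLEAN_BODY = b"""<?xml version="1.0"?>
<register><name>alice</name><email>alice@example.com</email></register>"""

XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<register><name>alice</name><email>&xxe;</email></register>"""

class DoctypeRejected(ValueError):
    """The body carried a DOCTYPE or entity declaration."""

def parse_registration(body: bytes) -> dict:
    """Parse <register> into {field: text}, failing closed on any DTD content."""
    parser = expat.ParserCreate()
    fields, stack, text = {}, [], []

    def reject(*_args):
        raise DoctypeRejected("DOCTYPE/ENTITY declarations are not allowed")

    # A registration form never needs a DTD: reject the declaration itself,
    # before expat can expand an entity (any of these firing means DTD content).
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    def start(name, _attrs):
        stack.append(name)
        text.clear()

    def end(name):
        if len(stack) == 2:  # direct child of <register>
            fields[name] = "".join(text).strip()
        stack.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)
    return fields

def check_registration(body: bytes):
    """Return the parsed fields, or None when the body was rejected."""
    try:
        return parse_registration(body)
    except DoctypeRejected:
        return None
```

With this in place the clean body parses to its two fields, while the XXE body is refused at the DOCTYPE, so the file reference is never resolved.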
Conclusion
In this writeup we have learned how to exploit an XXE vulnerability and retrieve sensitive files from the server filesystem.