Securinets CTF Quals 2019 write-up

Welcome to my write-up for Securinets CTF Quals 2019!


Feedback

Description:
I created this website to get your feedback on our CTF.
Can you check if it's secure?
PS: flag stored in "flag" file
Link: https://web2.ctfsecurinets.com/
The website sends feedback to the server via an AJAX request:
    <script type="text/javascript">
    function func(){
        // Build the feedback document by concatenating raw form values into XML
        var xml = '' +
            '<?xml version="1.0" encoding="UTF-8"?>' +
            '<feedback>' +
            '<author>' + $('input[name="name"]').val() + '</author>' +
            '<email>' + $('input[name="email"]').val() + '</email>' +
            '<content>' + $('input[name="feedback"]').val() + '</content>' +
            '</feedback>';
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function () {
            if(xmlhttp.readyState == 4){
                console.log(xmlhttp.readyState);
                console.log(xmlhttp.responseText);
                // The server's response is written straight into the page
                document.getElementById('Message').innerHTML = xmlhttp.responseText;
            }
        }
        // POST the XML body to feed.php, which parses it server-side
        xmlhttp.open("POST","feed.php",true);
        xmlhttp.send(xml);
    };
    </script>
Since the request body is XML that the server has to parse, XXE was the first thing to try, and I was able to read /etc/passwd:
After that, I used php://filter to pull the source code of the PHP files, but there was nothing special in them. Re-reading the description, I noticed the author had added a line saying the flag is in the "flag" file. So I simply read the file flag in the current directory:
Base64-decoding the output gives the flag: Securinets{Xxe_xXE_@Ll_Th3_W@Y}
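As an added example (not the challenge's feed.php and not code from the write-up), here is the server-side check a defender would want for this form: a Python stand-in for the handler that flags the XXE indicators in a submitted body and refuses to parse any document carrying a DTD. The sample bodies are constructed to match the <feedback> structure the form builds.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample request bodies shaped like the page's <feedback> document.
BENIGN = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<feedback><author>alice</author><email>alice@example.com</email>'
          '<content>Great CTF!</content></feedback>')
INTERNAL_DTD = ('<?xml version="1.0"?><!DOCTYPE feedback [<!ENTITY hi "hello">]>'
                '<feedback><author>&hi;</author><email>x</email><content>x</content></feedback>')
XXE_FILE = ('<?xml version="1.0"?>'
            '<!DOCTYPE feedback [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            '<feedback><author>&xxe;</author><email>x</email><content>x</content></feedback>')

# Indicators a WAF rule or request-log review would flag. A DTD has no business
# in a feedback submission, so its mere presence is the primary signal.
DOCTYPE_RE = re.compile(r'<!DOCTYPE\b', re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r'<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b', re.IGNORECASE)
WRAPPER_RE = re.compile(r'\b(?:php|file|expect|data|ftp|gopher)://', re.IGNORECASE)

def xxe_indicators(body: str) -> list[str]:
    """Return the XXE indicators present in a raw request body, in a fixed order."""
    found = []
    if DOCTYPE_RE.search(body):
        found.append('doctype')
    if EXT_ENTITY_RE.search(body):
        found.append('external-entity')
    if WRAPPER_RE.search(body):
        found.append('stream-wrapper')
    return found

def parse_feedback(body: str) -> dict:
    """Hardened handler (assumed stand-in for feed.php). Rejecting any DTD up front
    removes external entity resolution and entity-expansion DoS from the attack
    surface regardless of the parser's defaults."""
    if xxe_indicators(body):
        raise ValueError('DTD or entity declaration in feedback body')
    root = ET.fromstring(body)
    if root.tag != 'feedback':
        raise ValueError('unexpected root element')
    return {child.tag: (child.text or '') for child in root}

def handle(body: str) -> str:
    """Outcome a log line would record for one submission: 'accepted' or 'rejected'."""
    try:
        parse_feedback(body)
        return 'accepted'
    except (ValueError, ET.ParseError):
        return 'rejected'
```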

Thank you for reading!
