CloudSEK CTF Challenge #3 WriteUp

  1. You were provided with a link to a web application at http://54.212.122.94:8080/ which consists of a Contact Us form.

2. Let’s try to fill the form and submit it and check what requests are being sent using Burp suite.

3. To configure Burp Suite with your browser you can install FoxyProxy plugin and set a profile named Burp .

https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

4. Save it and now you can easily use Burp Suite to capture the requests that are sent by your browser .

5. Now lets check the requests that were sent when you click on the Send Message button.

6. A post request is sent to contact.php page.

7. The response for this request comes as :

8. As you can see the value of message field is reflecting so we can try XXE (XML external entity) injection here.

9. You can learn about XXE injection from here.

10. Let’s send this request to Burp Repeater so that we can modify the POST request to inject our xml.

Modified Request:

11. This XXE payload defines an external entity &test; whose value is the contents of the "/etc/passwd" file and uses the entity within the message value. This causes the application’s response to include the contents of the file.

12. Now to retrieve the flag we just had to include the contents of “/home/wazirsec/flag.txt” file .

13. And this is how you will get the flag.

CLOUDSEKCTF{XxE_Is_5UN}

I hope you enjoyed reading this.

For any feedback or suggestions reach out to me @yashswarup12

A Cybersecurity Enthusiast