
Such and eXpert ML model

This was a web-based challenge featured in the KPMG Recruitment CTF 2023.

Date: 22 Dec 2023 (Friday)

  1. Background
  2. Recon
  3. Exploitation
  4. Conclusion

The challenge description is straightforward but not much use; it says:

[Image: challenge description]

Initial recon is a must in CTF challenges; jumping directly onto the application will only earn you a strong headache.

Nmap

nmap -Pn kicyber-{}-challenge-1.chals.io --vv -sV

Servers are really slow :/

[Screenshot: nmap output]

Tried accessing port 23 (telnet), but no success.

After opening the URL in the browser, I just got pranked!

[Screenshot: the prank page]

But “Where’s the Camera?”

Directory Busting - Gobuster

[Screenshot: gobuster output]

So there are mainly three endpoints returning a 200 status code.

/img - endpoint

[Screenshot: /img endpoint]

This indicates that there is an endpoint somewhere through which we can register an account.

robots.txt - endpoint

[Screenshot: robots.txt]

But wait! When scrolling down to the bottom of robots.txt...

[Screenshot: bottom of robots.txt]

we got the endpoint.

When accessing the “/complexpage.html” endpoint we get a simple registration form.

[Screenshot: registration form]

Let’s enter some details and intercept the request and response in Burp Suite.

Request :

[Screenshot: intercepted request]

Response :

[Screenshot: intercepted response]

As the request body is XML (version 1) and the value of “Email” is returned in the response, let’s try an XXE attack.

For those who don’t know about XXE attacks:

  • XXE is a vulnerability in the processing of XML data.
  • XML has tags just like HTML, but here the tags are user-defined and represent data that is also specified by the user.
  • XXE stands for XML External Entity injection, in which an attacker uses an external entity to retrieve data from the server.
  • External entities are entities whose values are stored in another location, including files present on the server.

Now we just need to declare an entity whose value is read from a file on the server; when we reference that entity in the request body, the contents of that file are returned in the response.

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

Using the xxe entity in the Email field:

&xxe;

[Screenshot: contents of /etc/passwd returned in the response]

So, reading the flag present at “/etc/flag”:

[Screenshot: flag returned in the response]

In this writeup we have learned how to exploit an XXE vulnerability and retrieve sensitive files from the server filesystem.
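For the defender's side of the same bug, here is an added Python example (not part of the writeup or the challenge) showing how a registration endpoint like the one above can handle its XML body safely: any document carrying a DOCTYPE or ENTITY declaration is rejected before parsing, so an entity such as the xxe one above is never expanded and never echoed back in the "Email" field. The field names (username, email) and the register root element are assumed, since the writeup does not show the request body; the sample bodies are constructed.

```python
"""Hardened handling of an XML registration body (added example).

Defence: refuse any document that carries a DTD (DOCTYPE / ENTITY
declarations) before parsing, then parse with the standard library.
"""
import re
import xml.etree.ElementTree as ET

# Conservative check: a registration payload never needs a DTD, so the
# presence of DOCTYPE or ENTITY markup anywhere in the body is grounds
# for rejecting the whole request.
_DTD_MARKUP = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Fields the hypothetical registration form sends (assumed structure,
# the writeup does not show the real request body).
EXPECTED_FIELDS = ("username", "email")


def contains_dtd(doc: bytes) -> bool:
    """True if the raw XML carries a DTD / entity declaration."""
    return _DTD_MARKUP.search(doc) is not None


def parse_registration(doc: bytes) -> dict:
    """Parse a registration body, rejecting documents that declare entities.

    Raises ValueError for DTD-bearing or malformed input and for missing
    fields, so the handler can answer 400 instead of echoing back
    whatever an entity would have expanded to.
    """
    if contains_dtd(doc):
        raise ValueError("DTD / entity declarations are not allowed")
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    fields = {}
    for name in EXPECTED_FIELDS:
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing field: {name}")
        fields[name] = node.text.strip()
    return fields


# Constructed sample bodies (not captured from the challenge).
BENIGN_BODY = b"""<?xml version="1.0"?>
<register><username>alice</username><email>alice@example.com</email></register>"""

# Same shape as the writeup's payload: an external entity referenced in
# the field the server echoes back.
XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<register><username>alice</username><email>&xxe;</email></register>"""


def demo() -> dict:
    """Run both bodies through the hardened parser; returns the outcomes."""
    results = {}
    for label, body in (("benign", BENIGN_BODY), ("xxe", XXE_BODY)):
        try:
            results[label] = parse_registration(body)
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The pre-parse check is deliberately blunt: a registration form has no legitimate reason to ship a DTD, so rejecting the markup outright is simpler and safer than trying to configure every parser feature correctly. In a real deployment the same rule belongs at the parser level too (disable DTD processing and external entity resolution in whatever XML library the backend uses), and rejected requests are worth logging, since a DOCTYPE in a form submission is a reliable signal of probing.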