SOAP

Challenge Overview

The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?

Web Portal

Getting Started

The challenge name refers to the Simple Object Access Protocol (SOAP), an XML-based messaging protocol, and the tag on the challenge says XXE.

XXE is XML external entity injection. PortSwigger has a good page describing almost exactly this challenge.

This is the XXE payload that is on the PortSwigger site linked above:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

Setting Up BurpSuite

The easiest way to perform the injection is with BurpSuite, an intercepting proxy that is very useful for web penetration testing.

Steps in BurpSuite:

  • Create a Temporary project as soon as BurpSuite opens by just pressing "Next" with the default configurations.

  • Then click "Start Burp" with Burp Defaults.

  • Then go to the proxy tab.

  • Then open the BurpSuite browser. Anything you do in that browser now passes through the proxy, so you can see and modify the requests.

  • Once you're in the BurpSuite web browser paste the link from the challenge http://saturn.picoctf.net:52948/

Solution

Back in BurpSuite, turn Intercept on. This holds every request so you can inspect it before it is sent, and you can then change it however you want.

If you click the "Details" button under "Carnegie Mellon University Africa" (any of the three will work), you can see XML in the intercepted request.

Now look at the earlier XXE payload again:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

This is the important part: <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>. It declares an entity named xxe whose content is read from the file /etc/passwd. All you have to do is place that line directly after the <?xml version="1.0" encoding="UTF-8"?> declaration and the injection is in place.

Now all you have to do is add &xxe; before the 1 so that the entity is expanded and its content shows up in the response. Then forward the request and you will see the flag on the page.
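
The payload above only works because the server's XML parser accepts a DOCTYPE that declares an external entity. As an added defender-side example (not part of the original write-up and not the challenge's own server code), the following Python uses the standard library's expat handlers to inspect an incoming XML body and refuse it before it reaches the real parser; the function names and the two sample bodies are constructed for this example.

```python
"""Pre-parse guard for an XML request body (added example, not the write-up's code).

The payload only works because the server's parser accepts a DOCTYPE declaring an
external entity; this refuses such a body with stdlib expat before real parsing."""
import xml.parsers.expat

# Constructed sample bodies: the write-up's payload and a harmless request.
XXE_PAYLOAD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    "<stockCheck><productId>&xxe;</productId></stockCheck>"
)
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<stockCheck><productId>1</productId></stockCheck>"
)


def inspect_xml(body: str) -> dict:
    """Report DOCTYPE/entity declarations: has_doctype, entities {name: system_id},
    external [names declared with a SYSTEM/PUBLIC identifier]."""
    report = {"has_doctype": False, "entities": {}, "external": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["has_doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        report["entities"][name] = system_id
        if system_id is not None or public_id is not None:
            report["external"].append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is set, so expat never fetches the SYSTEM
    # target; the declarations are recorded before any reference is reached.
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        report["parse_error"] = str(exc)
    return report


def is_safe_request(body: str) -> bool:
    """Reject any DOCTYPE at all: an inline DTD has no business in this API."""
    return not inspect_xml(body)["has_doctype"]


if __name__ == "__main__":
    print(inspect_xml(XXE_PAYLOAD), "accepted" if is_safe_request(XXE_PAYLOAD) else "rejected")
```

The same check can be applied as a request filter in front of any XML endpoint; the stricter fix remains disabling DTD processing in the parser itself.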

Flag: picoCTF{XML_3xtern@l_3nt1t1ty_4db...}