Securinets CTF Quals 2019 write-up

Welcome to my write-up for Securinets CTF Quals 2019!

Menu

Feedback

Description:
I created this website to get your feedback on our CTF.
Can you check if it's secure ?
Ps: flag stored in "flag" file
Link: https://web2.ctfsecurinets.com/
The website sends feedbacks via AJAX request:
<script type="text/javascript">
function func(){
    var xml = '' +
        '<?xml version="1.0" encoding="UTF-8"?>' +
        '<feedback>' +
        '<author>' + $('input[name="name"]').val() + '</author>' +
        '<email>' + $('input[name="email"]').val() + '</email>' +
        '<content>' + $('input[name="feedback"]').val() + '</content>' +
        '</feedback>';
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function () {
        if(xmlhttp.readyState == 4){
            console.log(xmlhttp.readyState);
            console.log(xmlhttp.responseText);
            document.getElementById('Message').innerHTML = xmlhttp.responseText;
        }
    }
    xmlhttp.open("POST","feed.php",true);
    xmlhttp.send(xml);
};
</script>
As it uses XML format, I thought XXE must be the first choice. So, I managed to read the file /etc/passwd:
After that, I used php://filter to get the source code of the PHP files but nothing special. I read the description again and found out that the author added a line which said the flag is in "flag" file. So, I just read the file flag in the current directory:
Base64 decode that and get the flag: Securinets{Xxe_xXE_@Ll_Th3_W@Y}

Thank you for reading!

Comments