🏳️
Bag of Flags
  • Home
  • 2023
    • 🅿️picoCTF 2023
      • money-ware
      • repetitions
      • two-sum
      • ReadMyCert
      • rotation
      • hideme
      • PcapPoisoning
      • who is it
      • Reverse
      • timer
      • Safe Opener 2
      • findme
      • MatchTheRegex
      • SOAP
    • 🐦magpieCTF 2023
      • Space Plan
      • Space Exploration
      • So Meta
      • There is no flag
      • Momma says to play fair
      • Rubis
      • What is the password?
      • Eavesdropper
      • Shredded
      • Missing Flag
      • This outta be large enough right?
      • No Password Here
      • Chocolate Chips with Zero-G
      • Education Comes First
    • 🌴ISSessions CTF 2023
      • Basic Permissions
      • Crack Me
      • File Detective
      • Word Vomit
      • Fileception
      • Coding Time
      • Ghost File
      • CryptoTools1
      • CryptoTools2
      • 1337
      • ROT++
      • RunedMyDay
      • RSA_2
      • The Man Who Sold the World
      • VaultChallenge
      • Lost Media
      • Decontamination
      • Decade Capsule
      • Password in A Haystack
  • 2022
    • 🏁UW CTF S22
      • 0s and 1s
      • simple image
      • Helikopter
      • Meow
      • Google Form
      • Strings, literally
      • WASM
      • Audio
      • Pwn0
      • YATD
      • steg
      • Passwords
      • Vitalik
  • Practice
    • 🧠CryptoHack
      • Introduction
        • Finding Flags
        • Great Snakes
      • General
        • ASCII
        • Hex
        • Base64
        • Bytes and Big Integers
        • XOR Starter
        • XOR Properties
        • Favourite byte
        • You either know, XOR you don't
        • Greatest Common Divisor
Powered by GitBook
On this page
  • Description
  • Hints
  • Soapy Bubbles
  • Flag
  1. 2023
  2. picoCTF 2023

SOAP

PreviousMatchTheRegexNextmagpieCTF 2023

Last updated 2 years ago

Description

The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?

Hints

1

XML external entity Injection

Soapy Bubbles

We have a simple website with "Detail" buttons we can click

Clicking one of these buttons reveals additional information, for example

Special Info:::: University in Kigali, Rwanda offereing MSECE, MSIT and MS EAI

What's interesting is, when observing through the Network tab, clicking on the buttons creates a POST request to /data

As given by the hint, we are supposed to perform "XML external entity injection"

Googling this, we find that there is a payload which will let us view the /etc/passwd file

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data><ID>&xxe;</ID></data>

Intercept the POST request using Burp Suite or something equivalent

Replace the payload then forward the request and the website will print something interesting

Flag

picoCTF{XML_3xtern@l_3nt1t1ty_4dbeb2ed}

🅿️