Tags: web blind-xxe xxe 


# Special Order pt2 - 490 pts


### Description:
we got hacked last time, our platform is stronger and better now.

I think I patched all the vulnerabilities

author: pop_eax

Visiting the web page we see a login portal...


But we dont have any credentials so lets register a new account and login

![BLOG PAGE](images/2.png)

After logon we see a nice looking blog page where there are 2 pre-written blogs by admin

so lets create our own blog and see what we can do

[There is no XSS]

but there was a option called `Post Settings` there we can change the font-color and font-size of the blog


by changing them we can see the effect in our blog


Then we tried a lot of [CSS injections](!https://portswigger.net/kb/issues/00501300_css-injection-reflected) to get the flag but none of them worked...

After a while we got an idea, since the title of the challenge says `Special Order pt2` i did a simple google search on `Special Order ctf writeups` and got pop_eax's [writeup and source](!https://github.com/pop-eax/SpecialOrder) of `special order pt1` from there we can get some (ALOT) of hints (90% SOLUTION)

If we analyze the request being sent while customizing `color` and `size` ,
we see the webapp accepts XML requests

![XML REQ](images/7.png)

The description says the the vulnerability([XEE](!https://portswigger.net/web-security/xxe)) is patched, though the app accepts XML requests so we thought this might be a [Blind XXE](!https://portswigger.net/web-security/xxe/blind)

Then we setup a DTD in cloud

this is our dtd file hosted in cloud:




then we sent an external XXE request to our cloud

![XML REQUEST](images/10.png)

BOOM we got the `/etc/passwd` of the server, since we already know the location of the flag (`/flag.txt`) lets change the file in our cloud to get the flag...



Original writeup (https://github.com/terawhiz/CTF-Writeups/blob/main/0x41414141-CTF/web/special-oreder-pt2/README.md#special-order-pt2---490-pts).