Featured image of post Deadsec 2023

Deadsec 2023

xee1

category: web

solution

From the title you can tell this is a classic xxe challenge , when you capture the login request in burp repeater you will realize that the username is echoed out , so we have to make sure the output of our xxe payload is reflected in the page through the user name field.

image1

I crafted a payload to read /flag.txt , we also need to pass it through a php filter , we get the flag in base64 format

image2

image3

image4

xee2

category: web

solution

This challenge is a subsequent of xxe2 but required a more complex approach, this time we have to receive the flag remotely since our user input is not being reflaected in the site , this is known as blind xxe . You can read more about it here

so after some research i created thhis payload that reads the /flag.txt and sends it to a ngrok endpoint, ps we also have to pass read the flag through a php filter

image4

I get a hit and we can decode the flag from base64 as shown below

image5

Bing

category: web

solution

This was a little complicated , i saw it as more of a bash jail than a web challenge.

Basically you wegiven a simple site with page that would serve the flag, there was clearly command injection , cince you could run the i command. There was also a poor attempt at a regex filter at the frontend so this challnge could only be solved using burp.

file reading commands like cat were blocked also spaces , so you had to try any command you knew to read a file. Heres the solution:

‘head$IFS/fl??.txt|rev’

without the rev the page will not display there may be a flag filter , so we reverse it

image5

Licensed under CC BY-NC-SA 4.0
Built with Hugo
Theme Stack designed by Jimmy