Manual for the apocalypse
Description
ACME Inc? Anti-apocalypse machines?
That sounds interesting, maybe you could get the manual for the machine that could help you understand how it works and build your own. The wastes could be saved. Time to get the manual.
As you proceed to fetch the manual for the machine you wandered into the headquarters of ACME Inc. There you find a machine that handles the manuals for their products. Unfortunately, it asks for a license number, but you don’t have that. But you need to get that manual. DO YOUR THING!
https://manual-for-the-apocalypse.secchallenge.crysys.hu
- Author: Pepe
- Difficulty: easy
Solution
Reading the description it was pretty clear what to do, we hand in the right file, and it gives us the flag. Easy. There was a section on the upload page, which prompted for an XML file with a entity named licenseNumber in it.
I was puzzled here for a bit, since I haven’t done any exlpoitation with XML.. yet. So I started googling, and crafting random XML files with licenseNumber all over them. It was a bit of a struggle, until I bumped into this site.
Tried the first good looking XML file (with licenseNumber ofc), and I was happily presented with the /etc/passwd file in the output.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY licenseNumber SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&licenseNumber;</productId></stockCheck>
Cogwheels in my brain started turning steadily. After more time then I am willing to tell you, I finally realized… Oh, there’s this PHP file I was bombarding with XML uploads the whole time. Maybe it has something useful? Indeed it had.
With the exploit we already used, I managed to dump the whole upload.php file, and in there it had the line we were looking for:
$flag = file_get_contents("very_secret_hidden_folder_N0P3/flag");
Visiting this URL from the browser gave us the flag:
cd21{HIDDEN}