findme

Figure 1: Challenge description

The hints for this challenge suggest that an Open Redirection exploit is present in the input fields of the website shown below (figure 2).

Figure 2: Web portal interface

MITRE’s database lists Open Redirect as CWE-601 and confirms a lack of input validation as a cause: a malicious input can lead the browser to navigate to a URL of the adversary’s choosing, enabling more severe follow-ups such as phishing and malware downloads.

Entering a username and password and submitting them generates an HTTP POST request that sends the data to the server, so a relevant tool here is Burp Suite. PortSwigger’s official documentation [1] describes how to analyse redirections: the idea is to use Burp’s Proxy interceptor to capture the HTTP POST request and then send it to the Repeater.

Procedure

The website URL is opened with the Burp Suite browser and intercept is turned on. Per the instructions, the username “test” and password “test!” were entered into the webpage.

When submitted, the browser navigates to the following site.

Figure 3: Interface of redirected site.

The login submission’s HTTP POST request was captured by Burp’s Proxy interceptor during this. The first interesting finding is an HTTP 302 Found status code (figure 4), indicating that a redirection has taken place.

The second interesting finding is that the beginning of the flag is already revealed in the response to the POST request. The last line of the HTTP 302 response contains an anchor element giving the URL to which the browser is being redirected. In that URL, the id parameter contains the Base64-encoded string “cGljb0NURntwcm94aWVzX2Fs” (figure 4), which Burp helpfully decoded as “picoCTF{proxies_al”.

Figure 4: The HTTP POST request intercepted and its response, without following redirections.

This request was then sent to the Repeater, where the “Follow redirections” option was changed from “Never” to “On-site” (figure 5), since in this instance both sites are on the picoCTF.net domain.

Figure 5: Turning the follow redirection on in Burp’s Repeater.

Clicking the “Send” button resubmitted the POST request, and the response now contained new data (figure 6): a snippet of HTML showing the JavaScript function setTimeout() [2], which assigns window.location after a defined delay, 2 seconds in this case. In JavaScript, setting window.location redirects the browser to the specified URL [3].

Figure 6: The HTTP POST request intercepted and its response, after following redirections.

The redirect URL in the updated HTTP response (figure 6) contains the Base64-encoded id string “bF90aGVfd2F5X2EwZmUwNzRmfQ==”, which Burp Suite decoded as “l_the_way_a0fe074f}”.

The full flag is therefore the two parts combined:

picoCTF{proxies_all_the_way_a0fe074f}
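The two-hop chain above (a 302 with a Location header, then a page that assigns window.location from setTimeout()) can be walked without letting a client auto-follow, which is what the “Never” setting in Burp does. The script below is an added example, not part of the write-up: the responses are constructed to mirror figures 4 and 6, and the URL layout around the id parameter is an assumption.

```python
import base64
import re
from typing import List, Optional, Tuple

def next_hop(raw_response: str) -> Optional[str]:
    """Return the URL a client would navigate to next, or None for a final page.
    Covers both redirect styles seen in the write-up: an HTTP 3xx with a
    Location header, and HTML that assigns window.location inside setTimeout()."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1])
    if 300 <= status < 400:
        m = re.search(r"^Location:\s*(\S+)", head, re.M | re.I)
    else:
        m = re.search(r"window\.location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", body)
    return m.group(1) if m else None

def id_fragment(url: str) -> bytes:
    """Decode the Base64 'id' query parameter of a hop URL (name per write-up,
    URL layout assumed). A regex is used instead of parse_qs so that a '+'
    from the Base64 alphabet is not turned into a space."""
    m = re.search(r"[?&]id=([A-Za-z0-9+/]+=*)", url)
    token = m.group(1) if m else ""
    token += "=" * (-len(token) % 4)   # restore any stripped padding
    return base64.b64decode(token)

def walk_redirects(responses: List[str]) -> Tuple[List[str], bytes]:
    """Emulate Burp's 'Never' follow-redirect setting: inspect each hop's target
    and collect the id fragments a browser would silently skip past."""
    hops, pieces = [], []
    for raw in responses:
        target = next_hop(raw)
        if target is None:
            break
        hops.append(target)
        pieces.append(id_fragment(target))
    return hops, b"".join(pieces)

# Constructed responses modelled on figures 4 and 6; not the captured bytes.
HOP1 = ("HTTP/1.1 302 FOUND\r\n"
        "Location: /next-page/?id=cGljb0NURntwcm94aWVzX2Fs\r\n\r\n"
        '<a href="/next-page/?id=cGljb0NURntwcm94aWVzX2Fs">Redirecting...</a>')
HOP2 = ("HTTP/1.1 200 OK\r\n\r\n"
        '<script>setTimeout(function(){ window.location = '
        '"/home/?id=bF90aGVfd2F5X2EwZmUwNzRmfQ=="; }, 2000);</script>')
FINAL = "HTTP/1.1 200 OK\r\n\r\n<html>Welcome</html>"

if __name__ == "__main__":
    print(walk_redirects([HOP1, HOP2, FINAL])[1].decode())  # picoCTF{proxies_all_the_way_a0fe074f}
```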

References

[1] “Repeater settings,” portswigger.net. https://portswigger.net/burp/documentation/desktop/settings/tools/repeater#redirects (accessed Mar. 31, 2023).

[2] “Window setTimeout() Method,” W3schools.com, 2019. https://www.w3schools.com/jsref/met_win_settimeout.asp

[3] “JavaScript Window Location,” W3schools.com, 2019. https://www.w3schools.com/Js/js_window_location.asp

SOAP

Figure 1: The challenge description and hints.

XXE attack research

A hint suggests that the /etc/passwd file of the insecure website’s back-end can be accessed through XML external entity injection, or an XXE attack (Figure 1).

As of 2021, XXE remains one of the OWASP Top 10 critical web application risks, having moved from its own category A04 in 2017 into the 2021:A05 Security Misconfiguration category [1].

Based on readings from w3schools, eXtensible Markup Language (XML) is a markup language much like HTML, except that its purpose is to carry data from the browser to the server rather than to display it. In XML, a storage unit of data is called an entity, much like a variable in a programming language [2].

According to OWASP, the XXE attack vector is a malicious XML document sent by the attacker to the victim web app’s server. Inside the XML document are one or more external entity references whose URIs specify the targeted resource, e.g. /etc/passwd, or the attacker’s address. If the web app uses a poorly configured XML parser, it will process the external entity’s URI, retrieve the specified resource and return it to the attacker [3].

Attack surface deduction

Figure 2: The challenge website’s interface.

The web portal of the challenge presents no user input options other than a few ‘Details’ buttons which, when clicked, presumably send HTTP POST requests to the server in order to display the ‘Special Info::::’ messages as responses (Figure 2).

A relevant tool for this context is Burp Suite, a set of tools developed by PortSwigger for penetration testing of web applications [4].

The approach is to click the ‘Details’ button, intercept the HTTP POST request with Burp Suite, and check for any XML being sent. If there are XML fields, external entities can be declared before re-sending the POST request. Alternatively, the mention of the SOAP protocol in the challenge’s name might indicate that clients can’t directly submit XML, unless the XInclude mechanism is used.

Attack procedure

The URL of the website was entered into Burp Suite’s Chromium browser, and the ‘Intercept’ option in the ‘Proxy’ tab was turned on.

Figure 3: Turning on Burp Suite Proxy’s intercept option.

Clicking the ‘Details’ button on the web portal created the following HTTP POST request, which was intercepted by Burp Suite.

There is evidently a section of XML in the HTTP POST request, starting from line 13 (Figure 4); therefore the next step is to inject an external entity whose URI specifies the path to /etc/passwd.

Figure 4: Intercepted HTTP POST request with XML field.

To do this, one line containing the external entity declaration needs to be added, and the entity must then be referenced in the ID tag. Let’s give it the unique name cleoptrata.

The following line is added below line 13 (Figure 5):

<!DOCTYPE injection [ <!ENTITY cleoptrata SYSTEM "file:///etc/passwd"> ]>

Here ‘injection’ is the name of the root element; it can be anything, e.g. foo or example. The name of the entity is cleoptrata, and SYSTEM marks it as an external entity. These are followed by the path to the passwd file.

Note that in the ID tags, cleoptrata is called with:

&cleoptrata;

Figure 5: Altered HTTP POST request with the external entity embedded.

To re-send this HTTP POST request to the server, use ‘Send to Repeater’ and then ‘Send’ in Burp Suite. This resulted in the server leaking the contents of the passwd file, revealing the flag (Figure 6).

Figure 6: HTTP response produced after XXE.

Context

In an educational environment such as the Computer Science website here, this attack is devastating in that attackers can find the usernames of past logins. The attacker could then try to obtain the shadow file for the passwords.

The results of this challenge also reveal information such as the Gnats Bug-Reporting System being a component of the web application’s network, which is valuable to an attacker’s reconnaissance for subsequent attacks.

References

[1] OWASP, “OWASP Top Ten,” Owasp.org, 2021. https://owasp.org/www-project-top-ten/

[2] w3schools, “XML Introduction,” W3schools.com, 2015. https://www.w3schools.com/xml/xml_whatis.asp

[3] “XML External Entity (XXE) Processing | OWASP,” owasp.org. https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

[4] portswigger, “What is XXE (XML external entity) injection? Tutorial & Examples | Web Security Academy,” portswigger.net. https://portswigger.net/web-security/xxe