
PicoCTF 2023: SOAP

Updated: May 23, 2024

The SOAP challenge required exploiting an XML External Entity (XXE) injection vulnerability to retrieve sensitive information. The goal was to manipulate the XML input so that the server disclosed system files and, ultimately, the hidden flag.


Step-by-Step Walkthrough


1. Intercepting the Request

The challenge webpage appeared normal, but intercepting the traffic with Burp Suite revealed an XML-based request being sent to the server.



2. Understanding XXE Injection

XXE Injection is a type of attack against applications that parse XML input with a parser configured to resolve external entities declared in a DTD. By crafting a malicious XML payload, attackers can read local files, execute arbitrary code (depending on the parser and platform), or cause denial-of-service conditions.


To exploit this, I referred to the PortSwigger website and found a suitable XXE payload:


    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:/etc/passwd"> ]>



3. Crafting the Malicious Payload

By injecting the XXE payload into the original XML request, I aimed to retrieve the contents of the /etc/passwd file, which typically contains user account information on Unix-like systems.


The modified request:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:/etc/passwd"> ]>
    <data>
    <ID>&xxe;1</ID>
    </data>

  • <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:/etc/passwd"> ]> defines an external general entity named xxe whose content is the /etc/passwd file.

  • <ID>&xxe;1</ID> references that entity, so when the parser expands it the ID value becomes the contents of /etc/passwd followed by 1.
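The check a server-side handler for this endpoint could apply, as an added example that is not code from the challenge or its author: it refuses any request body that declares a DTD before the XML reaches the parser, then parses the <data><ID> shape shown above. Both sample requests are constructed here (the second is the page's own payload); the element names are taken from the request on this page, and the parser the challenge actually used is not stated, so this does not claim to reproduce it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample requests (not captured from the challenge server):
# a benign request of the shape the page shows, and the page's XXE payload.
BENIGN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<data>
<ID>1</ID>
</data>
"""

XXE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:/etc/passwd"> ]>
<data>
<ID>&xxe;1</ID>
</data>
"""

# Any DTD at all (an internal subset carrying <!ENTITY ...>, or an external
# <!DOCTYPE x SYSTEM "..."> reference) is grounds for rejection: this request
# format never needs one, and external entities cannot be declared without one.
_DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _to_text(xml):
    """Decode a raw request body so the DTD check sees the real characters.

    Searching for '<!DOCTYPE' in raw bytes would miss a UTF-16 encoded body
    (every character is interleaved with NUL bytes), so decode first.
    """
    if isinstance(xml, str):
        return xml
    if xml.startswith((b"\xff\xfe", b"\xfe\xff")):
        return xml.decode("utf-16")  # BOM present: codec picks the byte order
    if xml[:4] in (b"\x00<\x00?", b"<\x00?\x00"):  # UTF-16 without a BOM
        return xml.decode("utf-16-be" if xml[0] == 0 else "utf-16-le")
    return xml.decode("utf-8", errors="replace")


def has_dtd(xml):
    """Return True if the document declares a DOCTYPE or an ENTITY."""
    return _DTD_RE.search(_to_text(xml)) is not None


def parse_request(xml):
    """Parse a <data><ID>...</ID></data> request and return the ID text.

    Rejects any document carrying a DTD before it reaches the parser, then
    parses with xml.etree, which (since Python 3.7.1) does not fetch external
    entities on its own and raises ParseError on a reference it cannot expand.
    """
    text = _to_text(xml)
    if has_dtd(text):
        raise ValueError("DTD / entity declarations are not permitted in requests")
    root = ET.fromstring(text)
    node = root.find("ID")
    if root.tag != "data" or node is None or node.text is None:
        raise ValueError("malformed request: expected <data><ID>...</ID></data>")
    return node.text.strip()


def rejects(xml):
    """Convenience wrapper: does parse_request refuse this document?"""
    try:
        parse_request(xml)
    except (ValueError, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    print("benign ID:", parse_request(BENIGN_REQUEST))
    print("XXE payload rejected:", rejects(XXE_REQUEST))
```

Refusing every DTD is the simplest robust mitigation here because the request format never legitimately contains one; the parser-level setting remains the primary control (for lxml, for example, XMLParser(resolve_entities=False)), and the pre-check is defence in depth against a parser whose defaults change. The same condition, a <!DOCTYPE or <!ENTITY token in an inbound request body, also makes a good detection rule, since a legitimate client of this endpoint never sends one.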


4. Sending the Malicious Request

The modified request was forwarded through Burp Suite, and the server's response was captured.





© 2025 by c@rtm@n
