SOAP
CHALLENGE AUTHOR: GEOFFREY NJOGU
Description: The web project was rushed and no security assessment was done. Can you read the /etc/passwd file? (Web Portal)
Solution
Well, this challenge reminded me of LFI (Local File Inclusion). It was an interesting challenge; I loved it. Let's get started, shall we?
- Connect to the challenge via the provided URL.
- It looks very much static. I try the `Detail` buttons to check what they load, and I proxy my requests through Burp.
- We get a path `/data` that appends an XML snippet carrying the `id` parameter.
- I immediately start crafting XML PoCs to dump `/etc/passwd`.
- I come up with:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY readfile SYSTEM "file:///etc/passwd">
]>
<data>
<ID>&readfile;</ID>
</data>
```
- I remove the existing XML and replace it with my crafted XML.
- Sending the request, we get a response dumping `/etc/passwd`, and at the end of it we get our flag.
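The root cause here is an XML parser on the `/data` endpoint that resolves external entities from a client-supplied DTD. As an added example (not part of the original write-up or the challenge code), the Python below shows the two controls a defender would put in front of such an endpoint: a pre-parse gate that rejects any DTD or SYSTEM/PUBLIC entity declaration (also usable as a WAF or log-detection rule), and a parser configured so that external entities are never loaded. The request bodies are constructed samples modelled on the write-up's payload; the function and constant names are my own.

```python
import io
import re
import xml.sax
import xml.etree.ElementTree as ET
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample: the request body shape from the write-up, with an
# external entity pointing at a local file (XXE).
XXE_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY readfile SYSTEM "file:///etc/passwd">
]>
<data>
<ID>&readfile;</ID>
</data>"""

# Constructed sample: the benign body the /data endpoint is meant to receive.
BENIGN_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<data>
<ID>42</ID>
</data>"""

# Any DTD at all, and specifically an entity backed by SYSTEM/PUBLIC (external).
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*[\w.\-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def classify_xml(body: bytes) -> str:
    """Pre-parse gate: returns 'external-entity', 'doctype' or 'clean'.

    Cheap first line of defense and a usable detection rule; it is not a
    substitute for parser hardening (encoding tricks can evade a regex).
    """
    if _EXTERNAL_ENTITY_RE.search(body):
        return "external-entity"
    if _DOCTYPE_RE.search(body):
        return "doctype"
    return "clean"


def parse_id_strict(body: bytes) -> str:
    """Refuse any DTD outright, then parse the remaining document."""
    if classify_xml(body) != "clean":
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(body)
    if root.tag != "data":
        raise ValueError("unexpected root element %r" % root.tag)
    id_elem = root.find("ID")
    if id_elem is None or id_elem.text is None:
        raise ValueError("missing <ID>")
    return id_elem.text.strip()


class _IdCollector(ContentHandler):
    """Collects the character data inside <ID>."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self._chunks = []

    def startElement(self, name, attrs):
        if name == "ID":
            self._inside = True

    def endElement(self, name):
        if name == "ID":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self._chunks.append(content)

    def text(self):
        return "".join(self._chunks).strip()


def parse_id_hardened_sax(body: bytes) -> str:
    """Parser-level control: external general and parameter entities are
    disabled, so &readfile; expands to nothing instead of the file contents."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _IdCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return handler.text()


if __name__ == "__main__":
    print(classify_xml(XXE_BODY))                  # external-entity
    print(parse_id_strict(BENIGN_BODY))            # 42
    print(repr(parse_id_hardened_sax(XXE_BODY)))   # ''
```

Rejecting the DTD outright is the simplest fix for an endpoint like `/data`, which never legitimately needs one; the SAX variant is the fallback when a DTD must be tolerated, and the classifier doubles as a signature for spotting these payloads in request logs.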
That is it. Stay vigilant in the digital wild west. Happy Hacking