[DevCTF 2022] CipherText

Saptarshi
Published in DevCTF-2022
May 18, 2022

As we open the link for this challenge, we are greeted by a form containing a text area and a submit button.

To explore, we put some random text into the text area and submit the form.

We observe that the web page returns some text.

So it seems that whatever we enter is passed through ROT13 and the output is displayed on the page itself.

Now we inspect the page to see whether this ROT13 transformation is done in the browser or on the server.

[Image: HTML code for the page]

This makes it clear that the form data is sent as a POST request to the server, where the transformation actually takes place. So it seems natural to try some SSTI payloads.

[Image: Response headers]

We see from the response headers that the server is running PHP. So we try the payload ${{1+2}}.

[Image: First attempt, SSTI]

And... no results.

Even after a few more iterations, SSTI takes us nowhere, so we start looking for other potential vulnerabilities.

After some searching, we notice a peculiarity in the response header.

[Image: Response headers again]

There is an "Accept" header, deliberately added, that suggests the server accepts both XML and form data. This might make it susceptible to XXE.

So we craft a simple XXE payload. We don't find a DTD, so we go with a guessed XML hierarchy.

[Image: XXE payload]

We intercept the request using Burp Suite, change the "Content-Type" to "application/xml" and inject the above XML into the data part of the curl request.

We get back the flag rotated by 13 chars.

On feeding this to the form again (ROT13 is its own inverse), we get our flag: CTF{olwys_uz_latest_s0ftware}
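The challenge server was exploitable because its XML path resolved a DOCTYPE-declared entity. The following is an added example, not the challenge's code, showing what the hardened version of such a handler looks like in Python: it dispatches on Content-Type like the server did (form data or XML), applies ROT13 to the submitted text, and rejects any XML body that carries a DOCTYPE at all, which is the simplest rule that makes XXE impossible. The element names `<data><text>...</text></data>` and the `text` form field are assumptions; the writeup never shows the real schema.

```python
# Added example (not the challenge's own code): a request handler with the
# behaviour the writeup describes, but with the XML path hardened against XXE
# by refusing any DOCTYPE. Element and field names are assumptions.
import codecs
import xml.parsers.expat
from urllib.parse import parse_qs


class XXEAttempt(ValueError):
    """Raised when the XML body declares a DOCTYPE (entities live there)."""


def rot13(text: str) -> str:
    """ROT13 is its own inverse: applying it twice returns the input."""
    return codecs.encode(text, "rot_13")


def extract_text_from_xml(body: str, element: str = "text") -> str:
    """Return the character data of <element>, refusing any DOCTYPE.

    pyexpat does not resolve external entities unless an
    ExternalEntityRefHandler is installed, but rejecting the DOCTYPE outright
    also blocks internal-entity expansion tricks and makes the intent explicit
    rather than relying on parser defaults.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks: list[str] = []
    inside = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is rejected; an exception raised in a handler stops
        # parsing and propagates out of Parse().
        raise XXEAttempt(f"DOCTYPE '{name}' not allowed in request body")

    def on_start(name, attrs):
        nonlocal inside
        inside = name == element

    def on_end(name):
        nonlocal inside
        if name == element:
            inside = False

    def on_chars(data):
        if inside:
            chunks.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML, including a bare &entity; reference that has no
        # declaration because no DOCTYPE was allowed through.
        raise ValueError(f"malformed XML: {exc}") from exc
    return "".join(chunks)


def handle_request(content_type: str, body: str) -> str:
    """Dispatch on Content-Type as the challenge server did, then ROT13."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        text = parse_qs(body).get("text", [""])[0]
    elif media_type in ("application/xml", "text/xml"):
        text = extract_text_from_xml(body)
    else:
        raise ValueError(f"unsupported Content-Type: {content_type}")
    return rot13(text)


if __name__ == "__main__":
    # Constructed inputs: a normal form post, a benign XML post, and a
    # DOCTYPE-bearing body of the kind used in the writeup, which is refused.
    print(handle_request("application/x-www-form-urlencoded", "text=Hello"))
    print(handle_request("application/xml", "<data><text>Hello</text></data>"))
    hostile = ('<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               "<data><text>&xxe;</text></data>")
    try:
        handle_request("application/xml", hostile)
    except XXEAttempt as exc:
        print("rejected:", exc)
```

The same DOCTYPE-rejection rule is what you want on the PHP side the challenge actually ran on: parse with external entity loading disabled and treat the presence of a DTD in a request body as a hard error, then log it, since a DOCTYPE in a form submission is a reliable signal that someone is probing for XXE.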
