[GoogleCTF 2019] — Web: BNV — Writeup

Nicholas
Published in HMIF ITB Tech
Oct 13, 2018

Writeup for GoogleCTF 2019 by Nicholas.

Google Capture The Flag 2019 (Quals)

Google runs a CTF competition in two rounds: an online qualification round and an onsite final round. The top 10 teams from the qualification round will be invited to the finals to compete onsite for a prize pool of more than USD $31,337. They have two types of CTF, the real one and the beginner quest.

I actually wanted to spend my weekend doing this CTF, but I couldn’t because I was hanging out with my high school friends. (Read: I got stressed because it is so freaking hard and I don’t have the skills.) So, I could only solve some beginner quests (BQ) and one web challenge in the real competition. In this article, I’m going to explain my writeup for the BNV web challenge in the real competition.

Web: BNV — 155 points

Given a website, https://bnv.web.ctfcompetition.com/. When I open it, it is a site for blind people to find the nearest blind association based on their city. It also shows a logo with Braille text, with a translation that reads like a welcoming sentence. There is also a submit button that can be used to search for the nearest association.

Web Interface

First, I tried to check the request and response for the search API using BurpSuite. Here is the screenshot:

BurpSuite result on the interception

The search API posts a JSON with key “message” and a value of numbers(?). I started my research on what this number is. After I read the article about Braille code on PharmaBraille, I realized that the number is the representation of our chosen city in Braille dots.

So 135601360123502401401250 is “Zurich” in Braille dots. I started to think that maybe it was vulnerable to injection and tried different payloads with a back-tick (`), quote (‘), etc., to check if it was vulnerable, but didn’t get any result because it seems that the message has been escaped.
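As an added example (not code from the writeup or the challenge), here is a Python encoder/decoder for the dot-number format inferred from the captured value: each Braille cell is written as its raised dot numbers and terminated by a 0. The letter table is standard English Braille, which the post does not list, and the observed message carries no capital sign, so the decoder returns lowercase.

```python
# Braille dot-number format inferred from the captured BNV message
# 135601360123502401401250 == "Zurich". The letter table is standard
# English Braille (a-z); the post itself does not list it.

# letter -> ascending raised dot numbers (dots 1-3 left column, 4-6 right)
LETTER_TO_DOTS = {
    "a": "1", "b": "12", "c": "14", "d": "145", "e": "15", "f": "124", "g": "1245",
    "h": "125", "i": "24", "j": "245", "k": "13", "l": "123", "m": "134", "n": "1345",
    "o": "135", "p": "1234", "q": "12345", "r": "1235", "s": "234", "t": "2345",
    "u": "136", "v": "1236", "w": "2456", "x": "1346", "y": "13456", "z": "1356",
}
DOTS_TO_LETTER = {dots: letter for letter, dots in LETTER_TO_DOTS.items()}

CELL_SEPARATOR = "0"  # every cell in the observed message ends with a '0'


def decode_message(message: str) -> str:
    """Decode a BNV-style dot string into lowercase letters.

    Raises ValueError on an unterminated cell or a cell that is not a letter,
    so malformed input is rejected rather than silently mis-decoded.
    """
    if not message or not message.endswith(CELL_SEPARATOR):
        raise ValueError("message must be a non-empty run of cells terminated by '0'")
    letters = []
    for cell in message[:-1].split(CELL_SEPARATOR):  # drop the final separator first
        if cell not in DOTS_TO_LETTER:
            raise ValueError(f"unknown Braille cell: {cell!r}")
        letters.append(DOTS_TO_LETTER[cell])
    return "".join(letters)


def encode_message(text: str) -> str:
    """Encode letters a-z into the same dot-string format (case is not represented)."""
    cells = []
    for ch in text.lower():
        if ch not in LETTER_TO_DOTS:
            raise ValueError(f"cannot encode {ch!r}: not a letter a-z")
        cells.append(LETTER_TO_DOTS[ch] + CELL_SEPARATOR)
    return "".join(cells)


if __name__ == "__main__":
    observed = "135601360123502401401250"  # value seen in the Burp capture
    print(decode_message(observed))              # zurich
    print(encode_message("Zurich") == observed)  # True
```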

After spending about 5 hours trying to figure out how to tackle this challenge, I hit a wall and chose to go out with my friends 😂. While I was out with them, I found an article about bug bounty on LinkedIn and suddenly remembered that I had once read an article about a bug bounty that could force XXE on a JSON web service. I turned on Kali and tried to change the content type to application/xml and IT WORKS!

Proof that the XML could be parsed

Now that I know that the web service can parse XML, I tried some common payloads for XXE but none of them worked. But thanks to this nice article from PortSwigger, I learned a new method for blind XXE to print the content of our target file through the error message. The idea is that we import a local DTD file and then redefine one of its entities, forcing it to trigger an error message. We craft the error message to contain the content of our targeted file.

Let’s try that method. First, we need to find a local DTD file on our target host by checking every possible directory and file. Luckily, the example local DTD file from the PortSwigger Lab article exists!! The docbookx.dtd file has an ISOamso entity and we are going to redefine it. The idea on how to redefine it is that we need to define the ISOamso entity first, before importing the local DTD file, so when we import the local DTD file there will be two entities with the same name, and the first one (the one that we defined) will be used instead of the second one (the one from the local DTD file). I tried this method and it works like a charm 😭.

Trying to load the /etc/passwd file into an error message, and it works!

For the final step, we need to find where the flag file is. Usually, the flag is in the root directory, so I tried loading file://flag and got the flag.

THE FLAG!!
Flag : CTF{0x1033_75008_1004x0}

It turns out I could only solve this web challenge for the GoogleCTF 2019. I couldn’t solve the other challenges. Well, I’m proud of myself because I didn’t solve any challenges in the previous year 😂. I’m going to post my writeup for the beginner quest if I have time.
