[GoogleCTF 2019] — Web: BNV — Writeup

Writeup for GoogleCTF 2019 by Nicholas.

Google Capture The Flag 2019 (Quals)

Google runs a CTF competition in two rounds: an online qualification round and an onsite final round. The top 10 teams from the qualification round are invited to the finals to compete onsite for a prize pool of more than USD $31,337. There are two sets of challenges: the real competition and the Beginner Quest.

I actually wanted to spend my weekend doing this CTF, but I couldn't because I was hanging out with my high school friends. (Read: I got stressed because it is so freaking hard and I don't have the skills.) So I could only solve some Beginner Quests (BQ) and one web challenge in the real competition. In this article, I'm going to explain my writeup for the BNV web challenge in the real competition.

Web: BNV — 155 points

We are given a website: https://bnv.web.ctfcompetition.com/. When I opened it, it turned out to be a site for blind people to find the nearest blind association based on their city. It also shows a logo with Braille text, with a translation that reads like a welcoming sentence. There is also a submit button that can be used to search for the nearest association.

Web Interface

First, I checked the request and response for the search API using Burp Suite. Here is the screenshot:

Burp Suite result from intercepting the search request

The search API POSTs a JSON object with the key "message" and a value consisting only of digits. I started researching what this number was. After reading an article about Braille on PharmaBraille, I realized that the number is the representation of our chosen city in Braille dots.

So 135601360123502401401250 is "Zurich" in Braille dots. I started to think that it might be vulnerable to injection and tried different payloads with a back-tick (`), a quote ('), etc., to check, but didn't get any result, because it seems that the message is escaped.
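To make the encoding concrete, here is an added example (not code from the challenge or from this writeup) that encodes and decodes the "message" value. It uses the standard six-dot Braille letter cells; the one assumption, inferred from the single value shown above, is that each cell is written as its raised dot numbers and terminated by a 0, which is unambiguous because dot numbers run from 1 to 6. Note that the page's value carries no capital sign, so decoding yields lowercase "zurich". The same digits-only rule doubles as a cheap server-side input check for a field like this.

```python
# Six-dot Braille letter cells, written as the numbers of the raised dots.
BRAILLE_LETTERS = {
    "a": "1", "b": "12", "c": "14", "d": "145", "e": "15", "f": "124", "g": "1245",
    "h": "125", "i": "24", "j": "245", "k": "13", "l": "123", "m": "134", "n": "1345",
    "o": "135", "p": "1234", "q": "12345", "r": "1235", "s": "234", "t": "2345",
    "u": "136", "v": "1236", "w": "2456", "x": "1346", "y": "13456", "z": "1356",
}
DOTS_TO_LETTER = {dots: letter for letter, dots in BRAILLE_LETTERS.items()}

# Assumption inferred from the value in the writeup: every cell is followed by a 0.
# This cannot collide with dot data because dot numbers are only 1 to 6.
CELL_TERMINATOR = "0"


def is_valid_message(message):
    """Server-side check for this format: digits 0-6 only, ending with a cell terminator."""
    return (bool(message)
            and set(message) <= set("0123456")
            and message.endswith(CELL_TERMINATOR))


def encode_city(name):
    """Encode a single-word, letters-only city name; letter case is not represented."""
    return "".join(BRAILLE_LETTERS[ch] + CELL_TERMINATOR for ch in name.lower())


def decode_message(message):
    """Decode a dot-number string back to lowercase letters; raise ValueError on bad input."""
    if not is_valid_message(message):
        raise ValueError("message must be digits 0-6 ending with a cell terminator")
    cells = message[:-1].split(CELL_TERMINATOR)  # drop the final terminator, then split
    letters = []
    for cell in cells:
        if cell not in DOTS_TO_LETTER:
            raise ValueError("unknown or empty Braille cell: %r" % cell)
        letters.append(DOTS_TO_LETTER[cell])
    return "".join(letters)


if __name__ == "__main__":
    print(encode_city("Zurich"))                      # 135601360123502401401250
    print(decode_message("135601360123502401401250"))  # zurich
```

Anything containing a quote or back-tick fails `is_valid_message` before it reaches a decoder or a database, which is the simplest reason an injection attempt on this field gets nowhere.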

After spending about 5 hours trying to figure out how to tackle this challenge, I hit a wall and chose to go out with my friends 😂. While I was out with them, I found an article about bug bounties on LinkedIn and suddenly remembered that I had once read a bug bounty article about forcing XXE on a JSON web service. I turned on Kali, tried changing the Content-Type to application/xml, and IT WORKS!

Proof that the XML could be parsed

Now that I knew the web service could parse XML, I tried some common XXE payloads, but none of them worked. Thanks to this nice article from PortSwigger, I learned a new method for blind XXE that prints the content of the target file through an error message. The idea is to import a local DTD file and then redefine one of its entities so that it triggers an error message; we craft the error message so that it contains the content of the targeted file.

Let's try that method. First, we need to find a local DTD file on the target host by checking every likely directory and file. Luckily, the example local DTD file from the PortSwigger lab article exists! The docbookx.dtd file has an ISOamso entity, and we are going to redefine it. To redefine it, we define the ISOamso entity first, before importing the local DTD file; when the local DTD file is imported, there are two entities with the same name, and the first one (the one we defined) is used instead of the second one (the one from the local DTD file). I tried this method and it works like a charm 😭.

Loading the /etc/passwd file into an error message, and it works!
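The root cause worth taking away from this challenge is that the server let the client's Content-Type header choose the parser, so a JSON endpoint ended up feeding attacker-controlled XML, DOCTYPE included, to an XML parser. The following is an added example, not the challenge's server code, written with Python's standard-library expat binding. It contrasts a legacy-style handler that switches parsers on Content-Type with a hardened one that treats the header as an allowlist, and shows how to configure expat to refuse any DOCTYPE for services that genuinely must accept XML. The sample bodies are constructed; the DOCTYPE sample uses an internal entity only, which is enough to show whether entity declarations are honoured, and both the external-DTD import and the entity-redefinition trick described above need a DOCTYPE to get in at all. Note that expat on its own does not fetch external entities; the real-world danger is in parser stacks that do.

```python
import json
import xml.parsers.expat

# Constructed sample request bodies; they are not captures from the challenge server.
JSON_BODY = b'{"message": "135601360123502401401250"}'
PLAIN_XML = b'<r><message>zurich</message></r>'
# A body carrying a DOCTYPE with an internal entity. Anything that may declare
# entities must be refused by the hardened path.
DOCTYPE_XML = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE r [<!ENTITY greet "hello">]>'
               b'<r><message>&greet;</message></r>')


class RejectedRequest(ValueError):
    """Raised when a request fails one of the server-side checks."""


def _message_text(parser, body):
    """Run the given expat parser over body and return the text inside <message>."""
    chunks = []
    inside = [False]

    def start(name, attrs):
        inside[0] = (name == "message")

    def end(name):
        inside[0] = False

    def chars(data):
        if inside[0]:
            chunks.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(body, True)
    return "".join(chunks)


def parse_message_xml_permissive(body):
    """Default expat settings: the DOCTYPE is accepted and internal entities expand."""
    return _message_text(xml.parsers.expat.ParserCreate(), body)


def parse_message_xml_hardened(body):
    """Refuse any DOCTYPE, never read parameter entities, never resolve external ones."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectedRequest("DOCTYPE declarations are not accepted")

    def refuse_external(context, base, sysid, pubid):
        return 0  # tells expat the external entity could not be opened -> parse error

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    return _message_text(parser, body)


def _media_type(content_type):
    return content_type.split(";", 1)[0].strip().lower()


def handle_search_legacy(content_type, body):
    """Picks the parser from the client's Content-Type, the behaviour seen in the challenge."""
    media = _media_type(content_type)
    if media == "application/json":
        return json.loads(body)["message"]
    if media in ("application/xml", "text/xml"):
        return parse_message_xml_permissive(body)
    raise RejectedRequest("unsupported media type: " + media)


def handle_search_hardened(content_type, body):
    """A JSON API only ever parses JSON; the Content-Type is an allowlist, not a switch."""
    if _media_type(content_type) != "application/json":
        raise RejectedRequest("only application/json is accepted")
    return json.loads(body)["message"]


def rejects(func, *args):
    """True if func(*args) is refused by a server-side check or fails to parse."""
    try:
        func(*args)
    except (RejectedRequest, xml.parsers.expat.ExpatError):
        return True
    return False


if __name__ == "__main__":
    print(handle_search_legacy("application/xml", DOCTYPE_XML))             # hello
    print(rejects(handle_search_hardened, "application/xml", DOCTYPE_XML))  # True
    print(rejects(parse_message_xml_hardened, DOCTYPE_XML))                 # True
```

For detection, the same observation applies in reverse: a request to a JSON endpoint whose Content-Type is application/xml, or whose body starts with `<?xml` or `<!DOCTYPE`, is a clear signal in access or WAF logs, and the error-based variant also leaves parser error messages containing file contents in the application log.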

For the final step, we need to find where the flag file is. Usually the flag is in the root directory, so I tried loading file://flag and got the flag.

Flag: CTF{0x1033_75008_1004x0}

It turns out this web challenge was the only one I could solve in GoogleCTF 2019; I couldn't solve the other challenges. Well, I'm proud of myself, because I didn't solve any challenges the previous year 😂. I'm going to post my writeup for the Beginner Quest if I have time.


HMIF ITB Tech Blog