Description
The web project was rushed and no security assessment was done. Can you read the /etc/passwd file?
Solution
This challenge is about XML External Entity (XXE) injection.
I referred to the document on OWASP.
The website looks like below.
I noticed the special info changes when I clicked the Details button.
I captured the request using Burp Suite.
I found the XML tag in the request.
I wrote injection code with the help of the OWASP example.
I’m not familiar with XML programming.
However, I guess &xxe takes the value of file:///etc/passwd.
When the request is sent with the injection code, the flag is displayed in the response.
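The server-side fix for this class of bug is to refuse any request body that declares a DTD or entities before the application parses it. The sketch below is an added example, not code from the challenge or from OWASP; it uses Python's standard-library expat bindings, and the sample bodies and their element names are constructed for illustration.

```python
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a request body carries a DOCTYPE or entity declaration."""


def check_request_xml(body: bytes) -> list:
    """Parse body with expat; return element names or raise ForbiddenXML."""
    seen = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML(f"entity declaration not allowed ({name!r})")

    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenXML(f"external entity reference not allowed ({system_id!r})")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype        # fires on <!DOCTYPE ...>
    parser.EntityDeclHandler = on_entity_decl          # fires on <!ENTITY ...>
    parser.ExternalEntityRefHandler = on_external_ref  # fires on &name; to SYSTEM id
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(body, True)
    return seen


# Constructed sample bodies; the element names are hypothetical.
BENIGN = b'<?xml version="1.0" encoding="UTF-8"?><data><ID>1</ID></data>'
XXE = (b'<?xml version="1.0" encoding="UTF-8"?>'
       b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<data><ID>&xxe;</ID></data>')


def classify(body: bytes) -> str:
    try:
        check_request_xml(body)
        return "accepted"
    except ForbiddenXML as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("xxe", XXE)):
        print(label, "->", classify(body))
```

The parser stops at the DOCTYPE line, so the entity is never defined and the file URI is never dereferenced.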