XML Object Exfiltration - HackTheBox Cyber Apocalypse CTF "E. Tree"

Captions
What's going on everybody, welcome back. We're doing some more Hack The Box Cyber Apocalypse capture the flag. Let's dive into it, we don't want to waste any time here, so I will hop over to my computer screen. I've got the interface set up in my little Cyber Apocalypse and JH party. Thanks again, Hack The Box, for letting me do this. So we're moving on to the E. Tree challenge in the web category. Let's check out the information here. It says: after many years where humans work on the alien commands, they've been gradually given access to some management applications. Can you hack this alien employee directory web app and contribute to the greater human rebellion? Let's do it. Looks like it has a downloadable part and a Docker instance, so I will go ahead and start up this instance. They'll give me an IP address and a port that I'll go ahead and copy and open up in a new tab. There we go. All right, here is the employee directory: get information on the military staff that maintain this district. John Doe looks like a placeholder value. Let's go ahead and download that data before we get cruising in here, and we'll see what this thing is made up of. I'll make a directory for E. Tree, head over there, and let's move the downloads, web E. Tree, did they put it... yeah, okay, cool. So let's go ahead and unzip that so we know what we're up against. Oh, we have a military.xml file, and there we go. Looks like this is data that it might end up using, with district ID all "confidential", "confidential", "confidential", "confidential", with the name of the individual, the age, rank, and the kills. Fantastic. That's not extremely helpful. There is another district ID, "confidential", okay, just another one there, but oh, that has a self-destruct code with part of a flag, and it's the fake flag again, just a placeholder, but looks like that is just a portion. Okay, there's another fragment down here, the second half for a different self-destruct code for testing. Gotcha. What does this do if I hop back over here? Searching for John Doe tells me this military staff member doesn't exist. Can I search for that "confidential" string? Military staff member doesn't exist. What the heck does exist? Can I use like a wildcard sort of thing, like a percent sign or asterisk? No, none of these. There are no entries that I would be able to return. So is there like a CHTB? No.

Let me try to kind of see what's going on. Hit F12 again to open up my Network tab in the developer tools. So when I send a request, I guess, like anything, this runs search. Looks like an API call that we POST to, and search is just passed in as JSON. That's what we supply. Okay, the response is going to return out JSON. Is this something that I can take advantage of? Can I abuse this, like is there going to be some sort of injection here? How is this managed, like a database? I'll try to send like a single quote. Hello computer, F12 again. If I send that, oh, that dies: lxml.etree XPathEvalError. Oh, and this looks like a debug response. Yeah, looks like a Flask, yeah, Python Flask, Python 2, guys, what are you doing? I'm just kidding, I mean I know for a capture the flag sometimes it's necessary. So if this is doing some XML tree logic with an XPath, can I like leak somewhere with that? I think it's a server error. Can I do like an or 1=1 sort of thing? No, that fails. Do I close that? What if I add another or in there, where a equals something with another single quote? Oh, oh, that returned something that said it did exist, because of my or 1=1. Well, like an a equals whatever, so that or a equals anything that gets filled in should fail, but my or 1=1 will succeed. So if I change that to an or 1=2, does that fail? That does fail. Okay, so again, some logic, boolean blind thing that we're going to end up doing. If we can't get any data, all we get is the error message, true or false, it exists or it doesn't exist, then I guess we have some blind XPath injection. Can I do like a PayloadsAllTheThings, do they have anything for XPath? Check out their GitHub, XPath injection. Yeah, yeah, blind exploitation, that sounds good. You can use a string starts... what is it, what is this? We just did this sort of thing, or 1=1, and the string kind of adds it in. Are these like random comment structures? I want to be able to like get a specific field though, like I want the self-destruct code. Do I reference one of those, extract a character, substring of...? Maybe I could use the starts-with to see if it has that flag format, but I want to reference one specific thing. Uh oh, I closed the instance. Crap, where is it? Let's get to that.

So I should script this actually, we should probably start to fumble around. Let's create an attempt.py, let's get our shebang line in there, get requests going because we know we're doing some web stuff. The URL is this, good, and that POST request that we send off actually gets to search on /api/search, yeah. So r, or request, r equals... let's store it as a variable. Let's post to that URL with the /api/search, and then the data that we need to supply should be that parameter search. Will it take that just fine, like search equals...? Let's try that or 1=1 setup. Let's do an or 1=1 and then we'll let the single quote following it actually finish it. If I print out r.text, what do we get? That failed. What, I got an error message? What, this is like a Werkzeug... how do we get to the console? I didn't want to get to the console. What's happening? NoneType has no attribute get. Oh, does it need it as like a JSON object? Can I pass in JSON like that with requests? I can. Okay, so I just switched the data keyword argument to a json so that it can pass it in. Now I get that does exist, because we are using a valid test there. Now I can get it to not exist, this member does not exist, if I turn that to a false test. So there's our logic, but I want to be able to retrieve like a specific field. Can I do like empty string or... how do we use it? Can we use starts-with? starts-with needs a string, forward slash forward slash is how I can access it. self-destruct code is kind of what we're looking for, so what follows that as an argument should be a C, capital C, right, for CHTB, the flag format. So it will terminate a single quote and it might terminate a parenthesis, maybe. Will we get a true response of this? No, we get an error. Fantastic.

How can I get a specific field? XPath, XPath injection cheat sheet, what do you got for me? Oh, HackTricks has some good stuff, what do you got? HackTricks is always handy. Select all the nodes with the name node name, selects from the root node, selects nodes in the document from the current node that match the selection no matter where they are. That sounds good. I think the slash slash is kind of what we need, but to self-destruct code just doesn't exist. I'm confused. What is that? How does that do all names? String extraction... it doesn't return out for me, which is a pain. Do I use just a single forward slash to get a true statement? No, that still doesn't exist. Can I do an or? Invalid predicate. Invalid predicate. Now I don't know if I'm actually getting that injection in or not because I'm not positive how it queries it. What if I did an and? No, still invalid predicate. How is it requesting this? I'm not too strong in XPath so I'm kind of just fumbling around, I'll admit. find path username user text equals... those are defenses. No, I want to know how to beat it up. Live learning, everybody. Oh, here they do a thing, they use an ID. No, I want to subscribe to your newsletter. starts-with, do they just use starts-with like right out? That errored for me previously. So what were those square braces? Is there a starts-with, start-with? No. I want to use that starts-with because that I think will let me like determine how and what characters might follow. They don't showcase it. Oh, here's a payload, now this is just the exact same PayloadsAllTheThings, starts-with one entry. What if we used an or and a starts-with self-destruct code? That's it, self-destruct code and starts-with a C, that could be a valid predicate. Oh, can I do an or following that, after... just... oh, oh, that works. So I just cleaned the end kind of on my own. I closed that predicate, or the little function call I guess, which starts-with, and then added another or. So the or empty string in the original, or empty string, will fail, but this starts-with C will return a true statement. Now if I change it to a different letter, it does fail. Okay, cool.

So we could start, I guess, to find characters. Now let's import string, let's do printable, let's just do string.printable to start kind of with broad strokes. Let's start with a while True. Let's find leaked data, make that an empty list, let's bring that above the while loop there, and then let's for character in string.printable, as usual, so we can kind of get the structure for a blind leak. We know that our character that we're in a test should end up sending this along, so let's use an f-string where we test right in here the joined data for leak data, adding in the character that we add. Yeah, so then let's try and print like "trying", let's add in our join leak data again, join leak data with the character, and let's actually print out that r.json again just so we can see how this looks. So staff member doesn't exist, doesn't exist, doesn't exist. If we get to a capital C, will it behave? Yes, the staff member does exist. Perfect. So this is our success field, so we can say if r.json is equal to that, then we will add that character to our leak data: leak character, leak data dot append character, break. So we continue to loop, and yeah, now let's try and add in that start of that flag format and see how we do. Will we get a next character? Maybe, hopefully, starting capital letters. Oh, a T, okay, an H, it's going, it's going, we have liftoff. I don't know how long this will go and... because, oh gosh, what happened? Oh, the single quote's getting in the way. The single quote will kill it. Let's nerf some of these as we do string dot printable dot replace the single quote with nothing, and then let's loop through our copy of printable rather than that. We know that "the" is kind of what we're going to end up starting with in some leetspeak here. If it is "the", then we're probably gonna end up having an underscore kind of at the end there to denote a new or another word. So let's see if that hits or if we run into another bad character. I'm surprised the ampersand didn't nerf us, but that seems okay. Yeah, underscore hit it, okay, and then we get a 3. We're cruising. I'm gonna pause the video, I'm gonna pause the recording, and let's see if we get any ending here or another error.

Okay, so I got up to "the extra level" with the start of a new leetspeak word with the underscore. I think that can be, I guess, flag part one right now. How can we get that second part? This is kind of a pain because if we do leak data with this specific payload, we don't know if that second half will start with a capital C, because the capital C is how we kind of knew that we were on the right one before. Let's try to ignore that one. So we'll test if the length of leaked data is equal to zero and character is equal to capital C, then we can continue, because I want to run this exact same code again just with this condition in here to determine, hey, let's totally ignore that first entry of the self-destruct code, or that fragment of the flag, and let's see if we can leak something else following it. So let me try that. It's whining about my tabs and spaces, so I'll convert everything to spaces there. Now let's try and run that one more time and let's see if it will start to latch onto that second self-destruct code, hopefully. I don't know, and I'm sad, I don't think it will. Dang it. How do we... we got the first part, but how do we get the second part? So let's take this, I guess, let's switch up the syntax. I think we can use that like starts-with syntax for, like, as an attribute of something. Let me Google XPath starts-with examples. Now if you run it, oh yeah, yeah, if you run it on itself you can use a period to denote like this object. So maybe that will work. Then we aren't specifying the leak data flag that we know thus far. Will that one work any better for us? Nope. How does that fail? What the heck fails there? Do I have an error? I'm sure I have an error. Let me nerf that bottom piece of code and let's print out r.text to see if this errors. Let's actually exit just on that so we stop all the loops and everything. Yeah, that errors: or self-destruct code starts-with character. Oh, we need to end the condition, or that little attribute, with the square brace. How about that? Okay, that gets a valid response, so now let's toggle this back in to do the logic and check it and not exit. Let's see if we get something. Oh, we get the number 4. Okay. Part of me wonders if that syntax that we just did, when we did use the square braces like as an attribute, and that's probably totally not the right word, I wonder if that would work just as well for getting the first part, like if we just gave it that flag prefix again as something to start with. Yeah, I don't know. We could finagle it a little bit more if we wanted to, but it goes to show that I need some more practice with doing XPath stuff. Did we get to the end here? Are we gonna hit a curly brace on this? No, we got an underscore, so got something else. I will pause the recording and I'll get back to you once this is done leaking everything out.

All right, I see we hit a curly brace, so I'm gonna say that's the end of the flag, and this looks like "access control" in leetspeak. So flag part two is going to be this, which means that our flag is CHTB the extra level access control. Nice. Putting that all together, oh geez, I think we did it. We got the flag. Let's try and submit this, let's call it good. Maybe it looks like a flag to me. Go and submit flag, yeah. All right, another one down. This was another kind of a showcasing of a blind injection technique, not with SQL this time but with some XPath, and I for one definitely need to get smarter on XPath syntax. I'm sorry for that fumble there, but I think we got it, and I'm curious how we could use the second payload that we kind of finagled, if we were to use that which starts-with again but specifying that leak data for the beginning of our flag prefix, maybe that would work just a tad better. But it worked. Like, the renditions that we went through, the iterations, kind of this process that we were going through, this loop, does let us do some blind injection with XPath, and that helped us leak out the flag, leak out some other, or whatever really we wanted out of the XML document here. So even if this was all "confidential", sure, we can still pull out any code that we'd like at this point. Nice, we did it. That is another challenge down and we are going through this, ladies and gentlemen. So I think that's it. Thanks so much for watching everybody, thanks so much for hanging out, I hope this was fun. I don't think I've done any videos on like XPath and XPath injection, so I should totally get smart on it and maybe showcase some good stuff. But thanks so much for tuning in everybody, I hope you enjoyed this video. If you did, please do all those YouTube algorithm things. I would love if you would like the video, subscribe, comment, hit the bell, etc. That just super duper helps out the channel, and let me know if you're liking these style of videos, if you're liking some of these Hack The Box Cyber Apocalypse showcases. But thanks so much everybody, I love you, I'll see you in the next video. Take care.
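As an added example (not from the video or the challenge code), the root cause the walkthrough exploits is user input concatenated into an lxml XPath expression; the same lookup with an XPath variable (`$search`) treats the input purely as a string value, so the `' or starts-with(...) or '` oracle no longer changes the result. The XML, element names and flag fragment below are constructed stand-ins for the challenge's military.xml.

```python
from lxml import etree

# Constructed stand-in for the challenge's military.xml (element names are assumptions).
MILITARY_XML = b"""<?xml version="1.0"?>
<military>
  <district id="confidential">
    <staff><name>John Doe</name><age>40</age><rank>Captain</rank><kills>12</kills></staff>
    <staff><name>Jane Roe</name><age>35</age><rank>Major</rank><kills>7</kills></staff>
  </district>
  <district id="confidential">
    <selfDestructCode>CHTB{c0nstruct3d_fl4g_fr4gm3nt}</selfDestructCode>
  </district>
</military>"""

DOC = etree.fromstring(MILITARY_XML)


def search_vulnerable(search):
    """Concatenates the search term into the XPath, as the challenge app did.
    Returns True/False (the exists / doesn't exist messages) or None where lxml
    raises an XPath error (the XPathEvalError debug page seen in the video)."""
    expr = f"//staff[name='{search}']"
    try:
        return len(DOC.xpath(expr)) > 0
    except etree.XPathError:
        return None


# Compiled once; $search is an XPath variable, so its value is never parsed as syntax.
_SAFE_QUERY = etree.XPath("//staff[name=$search]")


def search_safe(search):
    """Same lookup with the term bound as a variable instead of spliced into the expression."""
    return len(_SAFE_QUERY(DOC, search=search)) > 0


# The boolean-oracle payload shape from the video, aimed at the constructed flag above.
ORACLE_PAYLOAD = "' or starts-with(//selfDestructCode,'C') or '"

if __name__ == "__main__":
    print(search_vulnerable("John Doe"), search_safe("John Doe"))            # True True
    print(search_vulnerable(ORACLE_PAYLOAD), search_safe(ORACLE_PAYLOAD))    # True False
    print(search_vulnerable("'"))                                            # None
```

With the vulnerable form, every `staff` node matches whenever the injected predicate is true, which is exactly the exists/doesn't-exist signal the video loops over; the parameterised form only ever compares `name` to the literal string.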
Info
Channel: John Hammond
Views: 40,311
Id: ySJwlMsFbco
Length: 28min 12sec (1692 seconds)
Published: Wed May 12 2021