# Include me  
## Description

> Zero Dollar Security is hiring infosec enthusiast. Apply ASAP. Connect at
> chall.ctf-ehcon.ml:32104

## Solution

This application only has a register function.

![Register function](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/register.png)

Use Burp Suite to intercept the request.

- As we can see, the body of the request is XML
- The response contains the `username` that was sent

--> This might contain an XXE vulnerability

![Register function](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/register-burp.png)

First, we try to read a file such as `/etc/passwd`:
```xml

  
]>  
<root>  
<email>&ext;</email>  
<password>none</password>  
</root>  
```

![XXE](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/read-file-xxe.png)

That's good. I continue reading other files such as `flag.txt`, `flag.php`...
but I get nothing.
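On the defending side, the registration parser can refuse this kind of body before any entity is resolved. The PHP below is an added example, not the challenge's source (the page does not show the registration handler); `parseRegistration` and the two sample bodies are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// parseRegistration() is a hypothetical handler; the challenge's parser is not on the page.
function parseRegistration(string $body): array
{
    if ($body === '') {
        throw new InvalidArgumentException('empty body');
    }
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // keep parser warnings out of the response
    // Deliberately no LIBXML_NOENT (substitutes entities into the tree) and no
    // LIBXML_DTDLOAD (loads external DTD subsets); LIBXML_NONET forbids network access.
    $ok = $dom->loadXML($body, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    // A registration form never needs a DTD, so refuse any DOCTYPE outright.
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new InvalidArgumentException('DOCTYPE is not allowed');
        }
    }
    $out = [];
    foreach (['email', 'password'] as $field) {
        $el = $dom->getElementsByTagName($field)->item(0);
        if ($el === null) {
            throw new InvalidArgumentException("missing <$field>");
        }
        $out[$field] = $el->textContent;
    }
    return $out;
}

// Constructed sample bodies (not captured from the challenge).
$samples = [
    'benign' => '<root><email>a@example.test</email><password>none</password></root>',
    'xxe'    => '<!DOCTYPE root [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
              . '<root><email>&ext;</email><password>none</password></root>',
];
foreach ($samples as $name => $body) {
    try {
        echo "$name: accepted, email=" . parseRegistration($body)['email'] . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    }
}
```

The DOCTYPE check runs before any field is read, so a declared entity never reaches `textContent`.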

When I try to list a directory, I receive a strange response containing a
newline character `\n`

![New hint](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/read-file-2.png)

Nice, use another method to read files or list directories. Because I knew this
application uses `PHP`, I use a PHP wrapper to read the file.

- The file name `flag.php` is guessed
  
```xml

  
]>  
<root>  
<email>&ext;</email>  
<password>none</password>  
</root>  
```

![Read file with PHP wrapper](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/read-file-base64.png)

Okay, good response. Base64-decode it and read the code a bit:

- It takes the `content` parameter from the request using the `POST` method
- It puts `content` into a newly created file
- It passes 2 files, `.html` and `.pdf`, to `/var/www/html/files/`
```php

```  
What did I get from this code snippet?

- We can put our payload into an `html` file
- A new directory, `/var/www/html/files/`

Well, observe the new directory a bit

![Files directory](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/directory-before-post.png)

Now, how can we capture the flag with controllable HTML data? Can we read a file
or list a directory?

We can definitely do it with the `iframe` tag in HTML  
--> LFI with iframe

Replace the body of the `POST` request, changing it from XML to `content`

![POST method](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/post.png)

My payload:

- Directory listing of `/`

![Content param in POST method](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/content.png)

After sending the request, refresh (F5) the application and we will get new files

![After post](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/directory-after-post.png)

Nice, check out the content of the file `result.pdf`

![List directory in /](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/list-directory.png)

Where is the flag? Ah, it's in `/ctf/`. List directory in `/ctf/`

![List directory in /ctf/](https://raw.githubusercontent.com/greybtw/write-up-CTF_2021/master/eHaCON%20CTF%202K21/img/Include%20me/list-directory-ctf.png)

The flag was captured

```  
Flag is : EHACON{lf1_@nd_xx3_1s_fun}  
```

Original writeup (https://github.com/greybtw/write-up-CTF_2021/blob/master/eHaCON%20CTF%202K21/Include%20me.md).