What's going on, everybody? Welcome back. We're doing some more Hack The Box Cyber Apocalypse capture the flag. Let's dive into it; we don't want to waste any time here. So I'll hop over to my computer screen. I've got the interface set up in my little Cyber Apocalypse and JH party. Thanks again, Hack The Box, for letting me do this. So we're moving on to the E.Tree challenge in the web category. Let's check out the information here. It says: after many years where humans work on the alien commands, they've been gradually given access to some management applications. Can you hack this alien employee directory web app and contribute to the greater human rebellion? Let's do it. It looks like it has a downloadable part and a Docker instance, so I will go ahead and start up this instance. They'll give me an IP address and a port that I'll go ahead and copy and open up in a new tab. There we go. All right, here is the employee directory: get information on the military staff that maintain this district. John Doe looks like a placeholder value. Let's go ahead and download that data before we get cruising here, and we'll see what this thing is made up of. I'll make a directory for E.Tree, head over there, and let's move the downloads... web E.Tree, they put it. Yeah, okay, cool. Let's go ahead and unzip that so we know what we're up against. Oh, we have a military XML file and... there we go. Looks like this is data that it might end up using, with district ID all confidential, confidential, confidential, confidential, with the name of the individual, the age, rank and the kills. Fantastic, that's not extremely helpful. There is another district ID confidential. Okay, just another one there, but oh, that has a self-destruct code with part of a flag. It's the fake flag again, just a placeholder, but it looks like that is just a portion. Okay, there's another fragment down here, the second half for a different self-destruct code, for testing. Gotcha. What does this do?
If I hop back over here, searching for John Doe tells me this military staff member doesn't exist. Can I search for that confidential string? Military staff member doesn't exist. What? What the heck does exist? Can I use like a wildcard sort of thing, like a percent sign or asterisk? No, none of these. There are no entries that I would be able to return. So is there like a CHTB? No. Let me try to kind of see what's going on. I'll hit F12 again to open up my network tab and the developer tools. So when I send a request, I guess, like anything, this runs search. Looks like an API call that we post to, and search is just passed in as JSON. Is that... that is... that's what we supply. Okay. The response is gonna return out JSON. Is this something that I can take advantage of? Can I abuse this? Like, is there going to be some sort of injection here? How's this managed, like a database? I'll try to send it like a single quote. Hello, computer. F12 again; if I send that, oh, that dies: lxml etree XPathEvalError. Oh, this looks like a debug response. Yeah, looks like a Flask... yeah, Python Flask. Python 2, guys. What you... what are you doing? I'm just kidding. I mean, I know for a capture the flag sometimes it's necessary. So if this is doing some XML tree logic with an XPath, can I like leak somewhere with that? It gets a server error. Can I do like an "or 1=1" sort of thing? No, that fails. Do I close that? What if I add another "or" in there, "or a equals" something, with another single quote? Oh... oh, that returned something that said it did exist, because of my "or 1=1". Well, I can "a equals" whatever, so that "or a equals" anything that gets filled in should fail, but my "or 1=1" will succeed. So if I change that to "or 1=2", does that fail? That does fail.
Okay, so again, some logic Boolean blind thing that we're gonna end up doing. If we can't get any data... oh, what we get is the error message, true or false, it exists or it doesn't exist. Then I guess we have some blind XPath injection. Can I do like a PayloadsAllTheThings? Do they have anything for XPath? Check out their GitHub: XPath injection. Yeah, yeah, yeah. Blind exploitation, that sounds good. You can use a string... starts-with? What is it? What is this? We just did this sort of thing, "or 1=1", and the string kind of adds it in. Are these like random comment structures? I want to be able to like get a specific field, though. Like, I want the self-destruct code. Do I reference one of those? Extract a character, substring of... maybe I could use the starts-with to see if it has that flag format, but I want to reference one specific thing. Oh, I closed the instance, crap. Where is it? Let's get to that, so I should script this, actually. We should probably start to fumble around. Let's create an attempt.py. Let's get our shebang line in there. Get requests going, because we know we're doing some web stuff. The URL is this, good, and that POST request that we send off actually gets to search on API search. Yeah. So our request, r, equals... let's store it as a variable. Let's post to that URL with the API search, and then the data that we need to supply should be that parameter, search. Will it take that just fine, like search equals? Let's try that "or 1=1" setup. Let's do an "or 1=1" and then we'll let the single quote following it actually finish it. If I print out r.text, what do we get? Uh, that failed. What? I got an error message. What, this is like a work... So how do we get to the console? I didn't want to get to the console. What's happening? NoneType has no attribute 'get'. Does it need it as like a JSON object? Can I pass in JSON like that with requests?
I can. Okay, so I just switched the data keyword argument to a JSON, so that can pass it in. Now I get "that does exist", because we are using a valid test there. Now I can get it to not exist: "this member does not exist" if I turn that to a false test. So there's our logic, but I want to be able to retrieve like a specific field. Can I do like an empty string, or how do we use it? Can we use starts-with? Starts-with needs a string. Forward slash forward slash is how I can access it. Self-destruct code is kind of what we're looking for, so what follows that as an argument should be a C, capital C, right, for CHTB, the flag format. So it will terminate a single quote and it might terminate a parenthesis, maybe. Will we get a true response of this? No, we get an error. Fantastic. How can I get a specific field? XPath, XPath injection cheat sheet, what do you got for me? Oh, HackTricks has some good stuff. What do you got? HackTricks is always handy. Select all the nodes with the name node name; selects from the root node; selects nodes in the document from the current node that match the selection no matter where they are. That sounds good. I think the slash slash is kind of what we need, but to self-destruct code just doesn't exist. I'm confused. What is it? How does that do all names? String extraction; it doesn't return out for me, which is a pain. Do I use just a single forward slash to get a true statement? No, that still doesn't exist. Can I do an "or"? Invalid predicate, invalid predicate. Now I don't know if I'm actually getting that injection in or not, because I'm not positive how it queries it. What if I did an "and"? No, it's still invalid predicate. How is it requesting this? I'm not too strong in XPath, so I'm kind of just fumbling around, I'll admit. Find path username user text equals... those are defenses. No, I want to know how to beat it up. Live learning, everybody. Oh, here, they do a thing.
They use an ID. No, I want to subscribe to your newsletter... starts-with. They just use starts-with, like, write out that error for me previously, so what were those square braces? Is there a starts-with, start with? No, I want to use that starts-with, because that, I think, will let me like determine how and what characters might follow. They don't showcase it. Oh, here's a payload. Now, this is just the exact same PayloadsAllTheThings starts-with, one entry. What if we used an "or" and a starts-with self-destruction code... that's it, self-destruct code, yeah, and starts with a C? That gets the valid predicate. Oh, I have... can I do an "or" following that, after, just six... oh, oh, that works. So I just cleaned the end kind of on my own. I just added... I closed that predicate, or the little function call, I guess, with starts-with, and then added another "or". So the "or empty string" and the original "or empty string" will fail, but this starts-with C will return a true statement. Now if I change that to a different letter, it does fail. Okay, cool. So we could start, I guess, to find characters now. Let's import string. Let's do printable. Let's just do string.printable to start, kind of with broad strokes. Let's start with a while True. Let's find leaked data; make that an empty list. Let's bring that above the while loop there, and then let's, for character in string.printable, as usual, so we can kind of get the structure for a blind leak. We know that our character that we're in a test should end up sending this along. So let's use an f-string where we test right in here the joined data for leak data, adding in the character that we add. Yeah, so then let's try and print like "trying". Let's add in our joined leak data again, joined leak data with the character, and let's actually print out that r.json again just so we can see how this looks. So staff member doesn't exist, doesn't exist, doesn't exist. If we get to a capital C, will it behave?
Yes. The staff member does exist. Perfect. So this is our success field, so we can say if r.json is equal to that, then we will add that character to our leak data: leak character, leak data dot append character, break, so we continue to loop. And, yeah, now let's try and add in that start of that flag format and see how we do. Will we get a next character? Maybe, hopefully, starting capital letters. Oh, a T. Okay, an H. It's going, it's going. We have liftoff. I don't know how long this will go, and... because, oh gosh, what happened? Oh, the single quote's getting in the way. The single quote will kill it. Let's nerf some of these as we do string.printable.replace the single quote with nothing, and then let's loop through our copy of printable rather than that. We know that "the" is kind of what we're gonna end up starting with, in some leet speak here. If it is "the" then we're probably gonna end up having an underscore kind of at the end there to denote a new or another word. So let's see if that hits, or if we run into another bad character. I'm surprised the ampersand didn't nerf us, but that seems okay. Yeah, underscore hit it. Okay, and then we get a three. We're cruising. I'm gonna pause the video, I'm gonna pause the recording, and let's see if we get any ending here or another error. Okay, so I got up to "the extra level" with the start of a new leet speak word with the underscore. I think that can be, I guess, flag part one, right? Now how can we get that second part? This is kind of a pain, because if we do leak data with this specific payload, we don't know if that second half will start with a capital C, because the capital C is how we kind of knew that we were on the right one before. Let's try to ignore that one. So we'll test if the length of leak data is equal to zero and character is equal to capital C, then we can continue, because I want to run this exact same code again, just with this condition in here to determine.
Hey, let's totally ignore that first entry of the self-destruct code, or that fragment of the flag, and let's see if we can leak something else following it. So let me try that. It's whining about my tabs and spaces, so I'll convert everything to spaces there. Now let's try and run that one more time, and let's see if it will start to latch on to that second self-destruct code. Hopefully. I don't know, and I'm sad. I don't think it will. Dang it. How do we... we got the first part, but how do we get the second part? Can... so let's take this, I guess. Let's switch up the syntax. I think we can use that like starts-with syntax for, like, as an attribute of something. Let me Google XPath starts-with examples. Yeah, now if you run it... oh yeah, yeah, yeah. If you run it on itself, you can use a period to denote, like, this object. So maybe that will work. Then we aren't specifying the leak data flag that we know thus far. Will that one work any better for us? Nope. How does that fail? What the heck fails there? Do I have an error? I'm sure I have an error. Let me nerf that bottom piece of code and let's print out r.text to see if this errors. Let's actually exit just on that so we stop all the loops and everything. Yeah, that errors. "or self-destruct code starts with character"... oh, it needed to end the condition, or that little attribute, with the square brace. How about that? Okay, that gets a valid response. So now let's toggle this back in to do logic and check it, and not exit. Let's see if we get something.
Oh, we get the number four. Okay. Part of me wonders if that syntax that we just did, when we did use the square braces like as an attribute (and that's probably totally not the right word), I wonder if that would work just as well for getting the first part, like if we just gave it that flag prefix again as something to start with. Yeah, I don't know. We could finagle it a little bit more if we wanted to, but it goes to show that I need some more practice with doing XPath stuff. Did we get to the end here? Are we gonna hit a curly brace on this? No, we got an underscore, so we got something else. I will pause the recording and I'll get back to you once this is done leaking everything out. All right, I see we hit a curly brace, so I'm gonna say that's the end of the flag, and this looks like "access control" in leet speak. So flag part two, it's gonna be this, which means that our flag is CHTB, the extra level access control. Nice. Putting that all together, oh geez, I think we did it. We got the flag. Let's try and submit this. Let's call it good. Maybe. It looks like a flag to me. Go ahead and submit flag. Yeah. All right, another one down. This was another kind of a showcasing of a blind injection technique, not with SQL this time, but with some XPath, and I for one definitely need to get smarter on XPath syntax.
I'm sorry for that fumble there, but I think we got it, and I'm curious how we could use the second payload that we kind of finagled, if we were to use that which starts-with again but specifying that leak data for the beginning of our flag prefix. Maybe that would work just a tad better. But it worked; like, the renditions that we went through, the iterations, kind of this process that we were going through, this loop does let us do some blind injection with XPath, and that helped us leak out the flag, leak out some other, or whatever really we wanted out of the XML document here. So even if this was all confidential, sure, we can still pull out any code that we'd like at this point. Nice, we did it. That is another challenge down, and we were going through this, ladies and gentlemen. So I think that's it. Thanks so much for watching, everybody. Thanks so much for hanging out. I hope this was fun. I don't think I've done any videos on, like, XPath and XPath injection, so I should totally get smart on it and maybe showcase some good stuff. But thanks so much for tuning in, everybody. Hope you enjoyed this video; if you did, please do all those YouTube algorithm things. I would love if you would like the video, subscribe, comment, hit the bell, etc. That just super-duper helps out the channel, and let me know if you're liking these style of videos, if you're liking some of these Hack The Box Cyber Apocalypse showcases. Thanks so much, everybody. I love you. I'll see you in the next video. Take care.
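Added example, written for this page and not taken from the video or from the challenge's own server code: a small Python model of the bug class the walkthrough exploited, the hardened lookup a defender would ship instead, and a log check for the repetitive probe traffic a blind extraction loop produces. Everything in it is constructed for the demo: the XML (element names staff, name, selfDestructCode), the response messages, the JSON-lines log format, the IP addresses and the sample searches. It uses only the standard library; lxml, which the challenge's Flask app used, evaluates full XPath 1.0 and so honours an injected "or" or starts-with(), whereas ElementTree's XPath subset rejects them with a parse error, which is the same kind of debug-page leak the video hit with a single quote.

```python
import json
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed directory in the spirit of the challenge's military.xml; the
# real element names and the real self-destruct codes are not reproduced.
DIRECTORY_XML = """<staffList>
  <staff district="confidential"><name>John Doe</name><age>40</age><rank>colonel</rank></staff>
  <staff district="confidential"><name>Jane Roe</name><age>35</age><rank>major</rank></staff>
  <selfDestructCode>CHTB{placeholder_not_the_real_flag}</selfDestructCode>
</staffList>"""
ROOT = ET.fromstring(DIRECTORY_XML)
NOT_FOUND = "This military staff member doesn't exist!"   # constructed message


def vulnerable_lookup(search):
    """The anti-pattern behind the challenge: the search term is spliced into
    the XPath expression, so its syntax belongs to the caller.  With ElementTree
    a stray quote raises SyntaxError('invalid predicate'); lxml would instead
    evaluate injected 'or' / starts-with() clauses.  Either way the query that
    runs is no longer the one the application wrote."""
    return ROOT.findall(f".//staff[name='{search}']")


def breaks_expression(search):
    """True when `search` turns the vulnerable lookup into a parse error, the
    same condition that produced the lxml XPathEvalError page in the video."""
    try:
        vulnerable_lookup(search)
    except SyntaxError:
        return True
    return False


# Allowlist for a person-name search: defence in depth, not the fix itself.
SAFE_SEARCH = re.compile(r"[A-Za-z0-9 .-]{1,64}")


def safe_lookup(search):
    """Hardened lookup: the path is a constant and the equality test is done in
    Python on element text, so user input is never parsed as XPath.  (With lxml
    the equivalent is a bound variable, tree.xpath(expr, n=search), never
    string formatting.)  Only exact name matches can be answered, so the
    exists/doesn't-exist reply cannot be steered at other nodes."""
    if not SAFE_SEARCH.fullmatch(search):
        raise ValueError("rejected search term")
    return [s for s in ROOT.findall("./staff") if s.findtext("name") == search]


def api_search(search):
    """Handler-shaped wrapper: rejected input is a 400, a miss is the usual
    'does not exist' message, and no exception text ever reaches the client."""
    try:
        hits = safe_lookup(search)
    except ValueError:
        return {"status": 400, "message": "invalid search term"}
    if not hits:
        return {"status": 200, "exists": False, "message": NOT_FOUND}
    return {"status": 200, "exists": True, "message": "This military staff member exists!"}


# Detection side: XPath syntax inside what should be a plain name, repeated
# from one source, is the fingerprint of a character-by-character extraction.
XPATH_PROBE = re.compile(r"""['"\[\]()]|//|\b(?:or|and)\b""", re.I)


def flag_blind_probes(log_lines, threshold=5):
    """Parse JSON-lines entries (constructed format: {"ip": ..., "search": ...})
    and return {ip: probe_count} for sources whose flagged searches reach
    `threshold`, i.e. the repetitive pattern of boolean-blind enumeration."""
    hits = Counter()
    for line in log_lines:
        entry = json.loads(line)
        if XPATH_PROBE.search(entry["search"]):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample log: one legitimate client and one source that walks the
# self-destruct code a character at a time through the search field, as the
# video's loop did.
SAMPLE_API_LOG = [json.dumps({"ip": ip, "search": s}) for ip, s in [
    ("198.51.100.2", "John Doe"),
    ("198.51.100.2", "Jane Roe"),
    ("203.0.113.7", "John Doe'"),
    ("203.0.113.7", "' or 1=1 or 'a'='"),
    ("203.0.113.7", "' or 1=2 or 'a'='"),
    ("203.0.113.7", "' or starts-with(//selfDestructCode,'C') or 'a'='"),
    ("203.0.113.7", "' or starts-with(//selfDestructCode,'CH') or 'a'='"),
    ("203.0.113.7", "' or starts-with(//selfDestructCode,'CHT') or 'a'='"),
]]

if __name__ == "__main__":
    print(breaks_expression("John'"))          # True
    print(api_search("John Doe"))               # exists: True
    print(api_search("' or 1=1 or 'a'='"))      # status 400
    print(flag_blind_probes(SAMPLE_API_LOG))    # {'203.0.113.7': 6}
```

The two halves are deliberately separate controls. The lookup fix removes the oracle the video relied on (a user-supplied predicate that selects any node in the document), while the log check gives operations something to alert on even before the fix ships: a single client sending a burst of searches that contain quotes, brackets or an "or" clause is not looking up a colleague.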