Showing posts from January, 2022

INSOMNI'Hack CTF (PimpMyVariant) web challenge

Let's solve the PimpMyVariant web challenge. First, we took a look at the robots.txt file, which lists some useful endpoints. The todo file has nothing in it, and the flag file can't be accessed directly, so we turned to the other endpoints: readme, new and log. None of them can be reached with the normal hostname; we have to use localhost as the Host header in the request to access them.

The first endpoint, readme, returns a path to a file; just remember this file. The second endpoint, new, returns a form whose JS code sends a request to /api with an XML request body, so it looks like there is XXE here. We tried to send the same request and read the flag file with it, but we couldn't, because there is a regex on the name parameter: it must be exactly 32 characters long and may only contain upper- and lowercase letters, digits, _ and -. So we can't read the flag using this XXE, because the flag format includes {} and that breaks the regex. So let's try to read t
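To make the two controls in play concrete, here is an added example of a hardened handler for an XML body like the one /api accepts. It is not the challenge's code: the element names (variant, name) and the sample bodies are constructed, and the name regex is reconstructed from the description above (32 characters of letters, digits, _ and -). It refuses any DOCTYPE before parsing, which removes the entity mechanism XXE depends on, and then applies the same name check, so a value containing {} is rejected exactly as described.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Constraint described in the write-up: exactly 32 chars of [A-Za-z0-9_-].
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{32}$")

# Reject any DOCTYPE: without a DTD there is nowhere to declare an external
# entity, so the XXE vector is closed before the parser ever sees the body.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def handle_api_request(body: bytes) -> Tuple[bool, str]:
    """Hypothetical hardened /api handler: return (accepted, message)."""
    if DOCTYPE_RE.search(body):
        return False, "rejected: DOCTYPE/entity declarations are not allowed"
    try:
        root = ET.fromstring(body)  # stdlib parser, no external entity expansion
    except ET.ParseError as exc:
        return False, f"rejected: malformed XML ({exc})"
    name_el = root.find("name")  # assumed element name
    if name_el is None or name_el.text is None:
        return False, "rejected: missing <name>"
    name = name_el.text
    if not NAME_RE.fullmatch(name):
        return False, "rejected: name must be 32 chars of [A-Za-z0-9_-]"
    return True, f"accepted: {name}"


# Constructed sample bodies (not captured from the challenge).
GOOD = b"<variant><name>" + b"a" * 32 + b"</name></variant>"
# 32 chars long, but the braces of a flag-style value fail the regex.
BRACES = b"<variant><name>INS{" + b"a" * 27 + b"}</name></variant>"
# Classic external-entity declaration; the placeholder URI is not a real target.
XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE variant [<!ENTITY x SYSTEM "file:///placeholder">]>'
    b"<variant><name>&x;</name></variant>"
)

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("braces", BRACES), ("xxe", XXE)):
        print(label, handle_api_request(body))
```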