# X marks the spot

## Problem

> Another login you have to bypass. Maybe you can find an injection that works? <http://mercury.picoctf.net:16521/>

## Solution

1. The challenge says this is an `XPATH` injection. We can try the standard payload `blah' or 1=1 or 'a'='a` from [OWASP](https://owasp.org/www-community/attacks/XPATH_Injection) and see if we can sign in. This results in a message saying `You're on the right path.`, so it looks like our query succeeded. However, we did not get redirected to an application so this looks like a "blind `XPATH` injection."
2. [HackTricks](https://book.hacktricks.xyz/pentesting-web/xpath-injection) is a good resource here. Their [`XPATH` Injection article](https://book.hacktricks.xyz/pentesting-web/xpath-injection) explains the basics of `XPATH` and even has an example script to execute a blind `XPATH` injection attack. This script was the basis of my [solve script](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/X%20marks%20the%20spot/script.py).
3. Essentially, when the `You're on the right path.` message is shown, we know our query returned a true value and otherwise our query was false. We can modify the query using `or` to join the login query with a special query and then tell `XPATH` to ignore the rest of the login query.
4. By using `' or string-length(//user[position()=3]/pass)=4 or ''='` we can check if the length of the `pass` field of the 3rd `user` element in document is 4. I guessed that the password field would be called `pass` because that is the name of the form element in the website's HTML. The `position()=3` was manually checked by scanning each position starting at 1. If the name of the field is unknown, a query such as the following could be used instead: `' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''='`. We can bruteforce the `4` in this case and determine the length of the 3rd user's password.
5. Once we know the length of the password/flag, we can use `' or substring(//user[position()=3]/pass,<position>,1)="<character>" or ''='`where `<position>` is the position in the string and `<character>` is the character we are checking. We loop though all the possible characters at position `0` until the `You're on the right path.` message is shown. When that loop is complete, we will know the first letter of the password/flag. We can continue doing this for each character of the password/flag until we reach the length we found in the previous step.
6. The [solve script](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/X%20marks%20the%20spot/script.py) executes the above scripts to determine the flag character by character. Depending on your internet connection (how fast you can send requests to the server), the script may take a few minutes (≈4 minutes maximum) to run.

### Flag

`picoCTF{h0p3fully_u_t0ok_th3_r1ght_xp4th_28cb0023}`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://picoctf2021.haydenhousen.com/web-exploitation/x-marks-the-spot.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.