PicoCTF-2021 Writeup

Web Exploitation

X marks the spot

Last updated 2 years ago
Problem

Another login you have to bypass. Maybe you can find an injection that works?

http://mercury.picoctf.net:16521/

Solution

  1. The challenge says this is an XPATH injection. We can try the standard payload blah' or 1=1 or 'a'='a from OWASP and see if we can sign in. This results in the message "You're on the right path.", so it looks like our query succeeded. However, we were not redirected to an application, so this looks like a "blind XPATH injection."

  2. HackTricks is a good resource here. Their XPATH Injection article explains the basics of XPATH and even has an example script to execute a blind XPATH injection attack. This script was the basis of my solve script.

  3. Essentially, when the "You're on the right path." message is shown, we know our query evaluated to true; otherwise it evaluated to false. We can use or to join the login query with a query of our own, then close the quote so that XPATH ignores the rest of the login query.

  4. By using ' or string-length(//user[position()=3]/pass)=4 or ''=' we can check whether the length of the pass field of the 3rd user element in the document is 4. I guessed that the password field would be called pass because that is the name of the form element in the website's HTML. The position()=3 was found manually by checking each position starting at 1. If the name of the field is unknown, a query such as the following could be used instead: ' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''='. We can brute-force the 4 in this case and determine the length of the 3rd user's password.

  5. Once we know the length of the password/flag, we can use ' or substring(//user[position()=3]/pass,<position>,1)="<character>" or ''=' where <position> is the position in the string and <character> is the character we are checking. We loop through all the possible characters at position 0 until the "You're on the right path." message is shown. When that loop completes, we know the first letter of the password/flag. We continue doing this for each character of the password/flag until we reach the length found in the previous step.

  6. The solve script sends the queries above to determine the flag character by character. Depending on your internet connection (how fast you can send requests to the server), the script may take a few minutes (≈4 minutes maximum) to run.
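As an added example, not the author's solve script or the challenge's code: the string-built query shape that this login falls to, beside a version that embeds each form value as one whole XPath 1.0 literal, plus a small detector for the payload shapes used in the steps above. The name field and the exact //user[...] predicate are assumptions; the writeup only confirms the pass field and the //user path.

```python
import re
def xpath_literal(value: str) -> str:
    """Embed untrusted text as an XPath 1.0 string literal. XPath 1.0 has no
    escape sequences, so a quote inside a quoted literal always ends it: use
    the quote the value lacks, or split on ' and rejoin with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")  # fragment contains no single quote
        if i < len(parts) - 1:
            pieces.append('"\'"')       # the single quote itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"

def build_login_query_vulnerable(user: str, password: str) -> str:
    # Raw form values spliced into the predicate: one quote closes the literal
    # and the rest of the input becomes XPath (the shape this writeup exploits).
    return f"//user[name='{user}' and pass='{password}']"

def build_login_query_safe(user: str, password: str) -> str:
    # Same query, but each value is one whole literal, so the predicate keeps its shape.
    return f"//user[name={xpath_literal(user)} and pass={xpath_literal(password)}]"

# Payload shapes used in this writeup, for login-form inputs or logs (tune for real traffic).
INJECTION_PATTERNS = [
    re.compile(r"""['"]\s*or\s+"""),               # quote-break followed by boolean or
    re.compile(r"(string-length|substring)\s*\("), # oracle functions from steps 4 and 5
    re.compile(r"position\s*\(\s*\)\s*="),         # positional probing of user elements
    re.compile(r"//\w+"),                          # absolute path into the document
]
def injection_indicators(value: str) -> list:
    """Patterns a single form value matches (empty list means clean)."""
    return [p.pattern for p in INJECTION_PATTERNS if p.search(value)]

def flag_login_attempts(attempts: list) -> list:
    """Keep the (user, password) attempts where either field looks injected."""
    return [(u, p) for u, p in attempts if injection_indicators(u) or injection_indicators(p)]
# Constructed sample login attempts (not traffic captured from the challenge).
SAMPLE_ATTEMPTS = [
    ("alice", "correct horse battery"),
    ("admin", "blah' or 1=1 or 'a'='a"),
    ("admin", "' or string-length(//user[position()=3]/pass)=4 or ''='"),
    ("admin", "' or substring(//user[position()=3]/pass,1,1)=\"p\" or ''='"),
    ("bob", "o'neil"),  # a lone apostrophe in a password is not an attack
]
```

Compare the two query builders on the step 1 payload: the vulnerable one yields a predicate with an extra or branch, while the safe one keeps the whole payload inside a double-quoted literal.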

Flag

picoCTF{h0p3fully_u_t0ok_th3_r1ght_xp4th_28cb0023}
