Full Report
We recently ran our Black Hat challenge where the ultimate prize was a seat on one of our training courses at Black Hat this year. This would allow the winner to attend any one of the following: BlackOps – Our intermediate pentesting course Infrastructure Bootcamp – Introduction to pwning over the Internet Mobile Bootcamp – Introduction to mobile hacking Web Application Bootcamp – Introduction to web app hacking The challenge was extremely well received and we received 6 successful entries and numerous other attempts. All the solutions were really awesome and we saw unique attacks, with the first three entrants all solving the challenge in a different way.
Analysis Summary
This context describes a CTF-style challenge provided by SensePost, highlighting various exploitation techniques used by successful participants to retrieve flags. There is no specific traditional malware family or proprietary attack tool mentioned; rather, the context focuses on common web application vulnerabilities and the exploitation techniques used against them.
# Tool/Technique: External Entity Injection (XXE through RSS/XML Feed Parsing)
## Overview
This technique involves exploiting an application feature designed to process external XML feeds (like RSS) or internal XML data submission endpoints. By injecting malicious XML External Entity (XXE) references, an attacker can force the server-side XML parser to disclose local file contents or exfiltrate data over the network.
## Technical Details
- Type: Technique
- Platform: Server-side application parsing XML (Likely Java, .NET, PHP, or Python backend)
- Capabilities: File disclosure (local file inclusion via parser), Data exfiltration over network (Out-of-Band methods).
- First Seen: Not applicable (Core vulnerability, known since at least 2002, widely publicized in 2012-2014 context).
MITRE ATT&CK Mapping (Based on File Disclosure and Data Exfiltration):
- TA0009 - Collection
- T1005 - Data from Local System
- TA0010 - Exfiltration
- T1567 - Exfiltration Over Web Service (Used in OOP Exfiltration step)
## Functionality
### Core Capabilities
- **File Disclosure (Flag 1):** Injecting self-closing XML entities referencing local files (`/home/spuser/flag1.txt`) directly into the rendered RSS feed output, leveraging the web application's lack of sanitization on the parsed XML output.
- **Bypassing Output Limitations (Flag 2):** Using Out-of-Band (OOB) XXE techniques when direct output fails. This involves referencing an external Document Type Definition (DTD) hosted on an attacker-controlled server which forces the target server to make an HTTP request containing the target file's contents (Base64 encoded).
### Advanced Features
- **Data Exfiltration via OOB DTD:** Utilizing the `php://filter` wrapper combined with Base64 encoding (`php://filter/convert.base64-encode/resource=/path/to/file`) within the external DTD to safely encode sensitive data before transmission over HTTP to an external endpoint.
- **Encoding Bypass:** Using URL encoding (e.g., `%20`, `%26`) on XML special characters (`%`, `&`) when submitting HTTP requests to bypass application-layer decoding that might otherwise break the XML structure during parsing.
## Indicators of Compromise
- File Hashes: N/A (Payload delivery)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Target server making outbound connections to external, attacker-controlled web servers (OOB exfiltration).
- Behavioral Indicators: Application attempting to resolve predefined external DTDs specified in incoming POST requests.
## Associated Threat Actors
- This technique is common across various threat actor types targeting web applications, including opportunistic attackers and sophisticated APT groups.
- **In this context:** Challengers (Espes, Vitaly, Sash) successfully leveraging this technique against the challenge environment.
## Detection Methods
- Signature-based detection: Signatures looking for `<!ENTITY` or `SYSTEM` keywords within submitted XML/POST data, especially when associated with file URI schemes (`file:///`).
- Behavioral detection: Monitoring outbound network requests initiated by web application processes that are not typical for normal operation (e.g., HTTP GET requests to external arbitrary domains observed during data processing).
- YARA rules: Not provided, but custom YARA rules could target XML structures exhibiting XXE patterns.
## Mitigation Strategies
- Prevention measures: Completely disable DTD processing (the primary cause of XXE) in the XML parser configuration (e.g., setting features like `FEATURE_SECURE_PROCESSING` to true).
- Hardening recommendations: Implement strict input validation and sanitization for all XML payloads. Never parse XML from untrusted sources without disabling external entity resolution.
## Related Tools/Techniques
- **SQL Injection (SQLi):** Attempted by challengers against the login page.
- **Bruteforce:** Attempted against the login credentials.
- **Remote Code Execution (RCE) via XML/PHP Injection (Flag 3):** Exploiting dynamic PHP page generation based on XML feed ingestion, using CDATA tags (`<![CDATA[ ... ]]>`) to shield PHP code from the XML parser, allowing the injected PHP to execute when the resulting page is viewed.
***
# Tool/Technique: Remote Code Execution via XML/PHP Injection in Dynamic Page Generation
## Overview
This technique exploits a flaw where user-supplied XML feed data is used to dynamically generate a new PHP page, potentially containing rendered output or user-defined content. By using XML trickery (like CDATA sections), attackers can inject executable PHP code that runs when the generated page is accessed.
## Technical Details
- Type: Technique
- Platform: Web server running PHP that dynamically generates and serves PHP files based on user input.
- Capabilities: Arbitrary code execution on the web server operating system.
- First Seen: As a general technique, highly dependent on specific application logic.
MITRE ATT&CK Mapping:
- TA0002 - Execution
- T1059.002 - Command and Scripting Interpreter: PowerShell (If the shell was PHP/Web shell)
## Functionality
### Core Capabilities
- **Code Injection:** Inserting PHP code (e.g., `<?php system($_GET['cmd']); ?>`) directly into the dynamically generated PHP response file.
- **Bypassing XML Parsing:** Using **CDATA sections** (`<![CDATA[ ... ]]>`) to wrap the PHP payload. This tells the XML parser to treat the contents as raw text rather than XML markup, allowing angle brackets to pass through without triggering parser errors.
### Advanced Features
- **Post-Injection Access:** Navigating directly to the newly created malicious PHP page URL to trigger the execution of the injected code.
- **Verification:** Using known XXE techniques (from Flag 1) to read the contents of the file where the shell payload was injected (`/home/spuser/wof.txt` was likely the target file to confirm success on the Wall of Fame).
## Indicators of Compromise
- File Hashes: N/A
- File Names: Potentially newly created, unrecognized `.php` files on the server accessible via the web root.
- Registry Keys: N/A
- Network Indicators: N/A (Local execution leading to file write/system change).
- Behavioral Indicators: Application writing new executable scripts (`.php` files) to the file system based on input data.
## Associated Threat Actors
- General web attackers focused on achieving system access on vulnerable PHP platforms.
## Detection Methods
- Signature-based detection: Monitoring for PHP tags (`<?php` or short tags) appearing in data submitted to feed creation functions.
- Behavioral detection: File system monitoring detecting unexpected writes of executable scripts to web-accessible directories.
- YARA rules: Rules targeting content containing suspicious PHP functions within configuration or feed storage files.
## Mitigation Strategies
- Prevention measures: Never allow user-controlled input to directly influence the generation of executable code files. If dynamic content generation is required, ensure it is strictly validated, sanitized, and written only to safe, restricted handler scripts, not user-input-driven PHP files.
- Hardening recommendations: Disable dynamic file creation capabilities for untrusted users. Utilize Template Engines instead of direct string concatenation for page rendering.
## Related Tools/Techniques
- **XXE (See above):** Used here both as a diversion and a confirmation tool.
- **Web Shell Deployment:** The resulting injection creates a simple web shell used to confirm success.