Web Exploitation
Last updated
Last updated
png-wizard-v3 (8 solves)
Now with support for modern image formats!
http://png-wizard-v3.hsctf.com
When we try to upload SVG file the response is Error converting file: Unknown image kind .PNG
.
By checking on reportlab 3.6.12
source code we can see that the error caused by invalid format/extension for saved file. Valid format should be PNG not .PNG .
Loooking at source code, we can see that there is XXE vulnerability while parsing the SVG data. But since we can't download the rendered file we can't do common XXE.
Another information we have that there is error verbose indicating what is the caused of the error. So the idea is we try to use this error verbose to leak information from system. Payload reference : https://balsn.tw/ctf_writeup/20190622-googlectfquals/
Flag : flag{are_you_really_a_wizard_if_you_dont_use_magick}