Day 5: SOC-mas XX-what-ee?

Task 1 - What is the flag discovered after navigating through the wishes?

  • Visit the provided IP address in a browser. It hosts a website named "WishVille".
  • Open Burp Suite and start capturing the web requests.
  • On the homepage of the website there are three products. Click on the View button of any product.
    [Image: WareVille products page]
  • On the next page there is an option to add that item to the wishlist. Click on the "Add to wishlist" button to add it.
    [Image: WareVille product add to wishlist]
  • Now go to the Cart by clicking on Cart in the top menu. You can see the item you added to the wishlist. Click on the "Proceed to checkout" button.
    [Image: WareVille product checkout]
  • Oh gosh!! It redirects to another checkout completion page. Fill in some details and click on the "Complete checkout" button.
    [Image: WareVille product checkout completion]
  • My wish is saved successfully. I hope I get my dream wish.
    [Image: Wish save information]
  • Now open Burp Suite and check for the request to /wishlist.php in the HTTP history. You can see that it is a POST request containing some XML data.
    [Image: Burp intercepted request]
  • Add the following code at the start of the XML: <?xml version="1.0" ?> <!DOCTYPE foo [<!ENTITY data SYSTEM "/etc/hosts"> ]> and put &data; into the product field. This reads the file /etc/hosts into the data entity, and the reference &data; is replaced by its contents.
    [Image: Burp request custom XML injection]
  • Now we have to read the wishes, and we can read every wish by using the external entity. To read the wishes, read the files located at "/var/www/html/wishes/wish_1.txt".
    [Image: reading wishes using external entity]
  • Send the request to Intruder using Ctrl+I or Right click > Send to Intruder.
    1. Go to the Intruder tab
    2. Select the number in the file path inside the XML code.
    3. Click on Add §
    4. Change the payload type to Numbers
    5. Set From = 1
    6. Set To = 20
    7. Click on Start attack
    [Image: Preparing Intruder to brute force wishes]
  • Check the length of the responses. There is a different response length for payload 15. Check the actual response and get the flag out.
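As an added defender-side example (not part of the original writeup and not code from the WareVille application), the following Python shows how an endpoint like /wishlist.php could refuse the DTD-bearing payload used above before any parsing happens, and how the 1..20 Intruder sweep would stand out when request bodies are logged. The wishlist XML layout (wishlist/user_id/item/product_id), the source IPs and the log records are assumptions constructed for this example; the only values taken from the writeup are the entity declaration and the /etc/hosts and wish_N.txt paths.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Request bodies below are constructed for this example; the real wishlist.php
# schema is not known, so <wishlist>/<user_id>/<item>/<product_id> are assumptions.
BENIGN_BODY = """<?xml version="1.0" ?>
<wishlist>
  <user_id>1</user_id>
  <item><product_id>1</product_id></item>
</wishlist>"""

# Same shape as the injected request from the writeup: a DOCTYPE that
# declares an external entity plus a reference to it inside a field.
XXE_BODY = """<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY data SYSTEM "/etc/hosts"> ]>
<wishlist>
  <user_id>1</user_id>
  <item><product_id>&data;</product_id></item>
</wishlist>"""

# A wishlist request has no legitimate use for a DTD, so any DTD is rejected.
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class RejectedXML(ValueError):
    """Raised when a request body is refused before parsing."""


def has_dtd(body: str) -> bool:
    """True if the body carries a DOCTYPE or ENTITY declaration."""
    return DTD_RE.search(body) is not None


def parse_wishlist(body: str) -> dict:
    """Hardened parse: refuse DTDs first, then read only the expected fields."""
    if has_dtd(body):
        raise RejectedXML("DTD or entity declaration in wishlist request")
    root = ET.fromstring(body)
    if root.tag != "wishlist":
        raise RejectedXML(f"unexpected root element <{root.tag}>")
    return {
        "user_id": root.findtext("user_id"),
        "product_ids": [i.findtext("product_id") for i in root.findall("item")],
    }


def flag_enumeration(records, threshold=5):
    """Detection: count DTD-bearing bodies per source IP over logged requests.

    records is an iterable of (source_ip, body). Sources whose count reaches
    the threshold are returned; this is how the Intruder sweep over
    wish_1.txt .. wish_20.txt would surface in the logs.
    """
    hits = Counter(ip for ip, body in records if has_dtd(body))
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def make_sweep(ip, start=1, stop=20):
    """Constructed log records imitating the Intruder run over wish_N.txt."""
    tmpl = ('<?xml version="1.0" ?><!DOCTYPE foo [<!ENTITY data SYSTEM '
            '"/var/www/html/wishes/wish_{n}.txt"> ]>'
            '<wishlist><user_id>1</user_id>'
            '<item><product_id>&data;</product_id></item></wishlist>')
    return [(ip, tmpl.format(n=n)) for n in range(start, stop + 1)]


if __name__ == "__main__":
    print(parse_wishlist(BENIGN_BODY))
    try:
        parse_wishlist(XXE_BODY)
    except RejectedXML as exc:
        print("rejected:", exc)
    log = [("10.0.0.5", BENIGN_BODY)] + make_sweep("10.0.0.9")
    print("flagged sources:", flag_enumeration(log))
```

The rejection happens on the raw text before the XML library sees it, which is the usual way to remove the whole class of DTD-based attacks regardless of how the parser is configured; the per-source counter is deliberately simple so it can be dropped into whatever request logging the application already has.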

Answer 👉 THM{Brut3f0rc1n6_mY_w4y}

Task 2 - What is the flag seen on the possible proof of sabotage?

There is a CHANGELOG file that contains the log of changes to the website. Access the changelog to get the flag out.

[Image: changelog of the website]

Answer 👉 THM{m4y0r_m4lw4r3_b4ckd00rs}

Task 3 - If you want to learn more about the XXE injection attack, check out the XXE room!

No Answer Needed

Task 4 - Following McSkidy's advice, Software recently hardened the server. It used to have many unneeded open ports, but not anymore. Not that this matters in any way.

No Answer Needed