Tags: web jwt xxe
Rating:
# ContinuuOS
After analysis, two points were highlighted
* file /var/www/html/conf.xml which name we can see in comment in html
* authorization is done using xml
First of all, check for a [xxe vulnerability](https://portswigger.net/web-security/xxe)
![](https://i.imgur.com/FlaTXiK.png)
As we can see, the payload worked. This means that we can see the contents of the file specified in the comment.
![](https://i.imgur.com/MPMuu75.png)
Aaand we got the username, password and secret key of the server user
Login on web service. After authorization, we got access to the functionality of reading logs.
If you look in more detail, you can see that when we are requesting logs, the client side sends a javascript web token to the server.
![](https://i.imgur.com/gujpeqO.png)
let's see its content on the site [jwt.io](https://jwt.io). In json we see the path to the log file. Let's change it to ours and sign it with the key found earlier.
![](https://i.imgur.com/FEnDxIr.png)
Send this JWT to the server
![](https://i.imgur.com/MBiu9q7.png)
And we got the flag. Thanks for reading:)