swampCTF 2025 - SwampTech Solutions | MindCrafters CTF Team

Challenge overview

The challenge presents a web application for SwampTech Solutions with several interconnected vulnerabilities. The narrative involves an intern's final CTF challenge against "Albert the alligator" before the end of their internship.

Analysis

Initial website analysis

The initial landing page showed a typical corporate website for "SwampTech Solutions" with a login link. The page footer contained a humorous note about the site being "Powered by the finest minds in tech (and a single caffeine-fueled intern)," which aligned with the intern journal narrative.

Following the login link, we found a simple authentication form. Examining the page source revealed hidden credentials in an HTML comment: Login Credentials Comment

The comment exposed test user credentials: guest:iambutalowlyguest

Initial access

Using the discovered credentials, we logged in and accessed the guest dashboard.

The guest dashboard contained:

A welcome message
A link to the admin page (which we couldn't access as a guest)
A form for API actions

Examining the request in Burp Suite revealed a cookie named user with the value 084e0343a0486ff05530df6c705c8bb4: Cookie Analysis

Privilege Escalation

We recognized that the user cookie value was an MD5 hash of guest. To elevate privileges, we:

Calculated the MD5 hash of admin: 21232f297a57a5a743894a0e4a801fc3
Modified the cookie value in the browser
Attempted to access the admin page again

This successfully authenticated us as an admin, and we gained access to the admin dashboard:

Admin dashboard exploration

The admin dashboard revealed additional functionality not available to regular guests:

A file checking tool
Admin-specific API actions
A hidden XML form for employee "check-ins"

Using the file checker feature, we confirmed the existence of a flag file: Flag File Exists

Vulnerability discovery and exploitation

Hidden XML form analysis

Examining the page source revealed a hidden form with obfuscated JavaScript. After deobfuscation, we discovered it was creating XML data from form inputs:

document
  .getElementById('xmlForm')
  .addEventListener('submit', function (_0x2c2e32) {
    let _0x280be6 = document.getElementById('nameInput').value,
      _0x5c6cc6 = document.getElementById('emailInput').value,
      _0x4c14fc =
        '<root>\n    <name>' +
        _0x280be6 +
        '</name>\n    <email>' +
        _0x5c6cc6 +
        '</email>\n</root>'
    document.getElementById('submitdataInput').value = _0x4c14fc
  })

This code creates an XML structure from the name and email inputs and assigns it to a hidden field called submitdata.

XXE vulnerability exploitation

Recognizing that the application processed XML data, we tested for XML External Entity (XXE) injection vulnerability. A successful test retrieving /etc/passwd confirmed the vulnerability:

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root><name>&xxe;</name><email>[email protected]</email></root>

Flag retrieval

Since we couldn't read the flag file as it is, we crafted an XXE payload using PHP's filter mechanism with Base64 encoding: XXE Payload and Response

submitdata=<%3fxml+version%3d"1.0"%3f><!DOCTYPE+root+[<!ENTITY+xxe+SYSTEM+"php://filter/convert.base64-encode/resource=flag.txt">]><root><name>%26xxe%3b</name><email>test%40test.com</email></root>

This returned a Base64-encoded string in the response: c3dhbXBDVEZ7VzByazFuZ19DSDQxNV9<r>_FuN}

Decoding this Base64 string revealed the flag: Base64 Decoding

Final flag: swampCTF{W0rk1nG_CH415_<r>_FuN}

Key takeaways

Insecure Authentication

The application used unsalted MD5 hashes for role verification in cookies, making it trivial to forge admin credentials.

Information Disclosure

Test credentials were exposed in HTML comments and hidden apis and form were obfuscated in the source code.

XXE Injection

The application failed to properly secure XML processing, allowing an attacker to read arbitrary files from the server.