Day 5

SOC-mas XX-what-ee?

Last updated 4 months ago

Was this helpful?

Day 5

SOC-mas XX-what-ee?

Welcome to Day 5 of TryHackMe's Advent of Cyber (AoC) 2024! Today, we dive into an intriguing challenge: exploiting an XXE (XML External Entity) vulnerability in a web application. Let’s unravel what XXE is, how to exploit it, and discover the hidden flags.

What is XXE?

XML (eXtensible Markup Language) is a widely used format for data exchange. It employs entities, placeholders that can reference external resources or data. If the XML parser of an application is improperly configured or unsanitized, attackers can manipulate these entities to:

Access sensitive files.
Execute arbitrary commands.
Leak server-side information.

This vulnerability is known as XXE Injection.

Let's Begin:

Start the machine and access the MACHINE_IP;

Visit http://MACHINE_IP/product.php to browse items and add them to their wishlist.

After adding items, users can view their wishlist at http://MACHINE_IP/cart.php. From there, they proceed to checkout. Enter any details and then submit their wish. A confirmation message, such as "Wish #21 saved," appears. Its a clickable link, but its only accessible to admin. We need to bypass the restriction and access wishes to complete the challenge

Open Burpsuite and setup Proxy,
Browse through the website and again try adding items and accessing the wishes

On the HTTP history tab of Proxy, when you visit the URL, http://MACHINE_IP/product.php, and click Add to Wishlist, an AJAX call is made to wishlist.php with the following XML as input.

The request contains XML being forwarded as a POST request, as shown below:

Send this POST request to Repeater for furthe analysis.

To exploit this vulnerability, we modify the XML payload as follows:

xmlCopy code<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/etc/hosts"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>

Here, we define an external entity payload that points to /etc/hosts. When processed, the application replaces &payload; with the file’s content.

Change the payload to access the wishes:

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>
<wishlist>
	<user_id>1</user_id>
	<item>
	       <product_id>&payload;</product_id>
	</item>
</wishlist>

Here the payload points to wish_1.txt

Iterate through the wishes to get the first flag.

Start with wish_1.txt.
Increment the number (e.g., wish_2.txt, wish_3.txt) to uncover all wishes.

Try going to the change log to find the second flag.

To protect against XXE vulnerabilities:

Disable External Entity Processing: Set libxml_disable_entity_loader(true) to prevent the XML parser from processing external entities.
Validate and Sanitize Input: Ensure only trusted XML input is processed, filtering out dangerous constructs.

Questions

1.What is the flag discovered after navigating through the wishes?

A: THM{Brut3f0rc1n6_mY_w4y}

2.What is the flag seen on the possible proof of sabotage?

A: THM{m4y0r_m4lw4r3_b4ckd00rs}

Thank you!

By identifying and exploiting XXE vulnerabilities, we've taken another step toward becoming skilled cybersecurity defenders. Stay vigilant and keep exploring!

PreviousDay 4 NextDay 6

Last updated 4 months ago

Was this helpful?

What is XXE?

Access sensitive files.
Execute arbitrary commands.
Leak server-side information.

This vulnerability is known as XXE Injection.

Let's Begin:

Start the machine and access the MACHINE_IP;

Visit http://MACHINE_IP/product.php to browse items and add them to their wishlist.

Open Burpsuite and setup Proxy,
Browse through the website and again try adding items and accessing the wishes

On the HTTP history tab of Proxy, when you visit the URL, http://MACHINE_IP/product.php, and click Add to Wishlist, an AJAX call is made to wishlist.php with the following XML as input.

The request contains XML being forwarded as a POST request, as shown below:

Send this POST request to Repeater for furthe analysis.

To exploit this vulnerability, we modify the XML payload as follows:

xmlCopy code<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/etc/hosts"> ]>
<wishlist>
  <user_id>1</user_id>
  <item>
    <product_id>&payload;</product_id>
  </item>
</wishlist>

Here, we define an external entity payload that points to /etc/hosts. When processed, the application replaces &payload; with the file’s content.

Change the payload to access the wishes:

<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY payload SYSTEM "/var/www/html/wishes/wish_1.txt"> ]>
<wishlist>
	<user_id>1</user_id>
	<item>
	       <product_id>&payload;</product_id>
	</item>
</wishlist>

Here the payload points to wish_1.txt

Iterate through the wishes to get the first flag.

Start with wish_1.txt.
Increment the number (e.g., wish_2.txt, wish_3.txt) to uncover all wishes.

After discovering the vulnerability, McSkidy immediately remembered that a CHANGELOG file exists within the web application, stored at the following endpoint: . After checking, it can be seen that someone pushed the vulnerable code within the application after Software's team.

Try going to the change log to find the second flag.

To protect against XXE vulnerabilities:

Disable External Entity Processing: Set libxml_disable_entity_loader(true) to prevent the XML parser from processing external entities.
Validate and Sanitize Input: Ensure only trusted XML input is processed, filtering out dangerous constructs.

Questions

1.What is the flag discovered after navigating through the wishes?

A: THM{Brut3f0rc1n6_mY_w4y}

2.What is the flag seen on the possible proof of sabotage?

A: THM{m4y0r_m4lw4r3_b4ckd00rs}

Thank you!

By identifying and exploiting XXE vulnerabilities, we've taken another step toward becoming skilled cybersecurity defenders. Stay vigilant and keep exploring!