HackTheBox — Web Attacks: From XXE Injection to Local File Disclosure

Identifying the vulnerability
We need to find a web page that parses XML input. From the target machine, fill out the form and submit it, intercepting the request with Burp Suite.

Forwarding the request in Burp Suite, we see that the response displays the user's email. Now we know that we should inject our payload into the email field.

Declare a new XML entity and reference it in the email field to check whether the application displays the injected entity:
<!DOCTYPE email [
<!ENTITY test "This is a test Payload.">
]>
From the above image, (1) is the declaration of the entity named test, whose value is the string "This is a test Payload." (2) is where we reference the test entity using & and ;. (3) is where the value of the entity test is displayed. This is a clear indicator that the application is vulnerable to XXE Injection.
Exploiting the vulnerability
Local File Disclosure with XXE
In a regular Local File Disclosure attack, when we want to read a file, we use the file:// wrapper. As a first attempt, we try file:///etc/passwd
However, this does not work: the contents of the file are not well-formed XML, so injecting them breaks the document the application parses. To work around this, we use the php://filter wrapper with the convert.base64-encode filter to encode the content of the file we want to read. This way the server responds with a single base64 string, which does not break the application.

As seen in the above screenshot, (1) is where we inject our payload using the php://filter wrapper. (2) is the response from the server, which is the base64-encoded content of the index.php file that we requested. Finally, on the right-hand side, (3) shows the decoded/original version of the index.php file.
Using the same technique, we can read the content of connection.php, which contains the flag for this challenge.
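As an added example that is not part of the challenge or its PHP application, the following Python script shows why the entity probe from the identification step lands in the response, and how a parser hardened to refuse any entity declaration fails closed on both the probe and a php://filter external entity. The request bodies are constructed samples; the element names root, name and email are assumptions.

```python
import xml.parsers.expat as expat

# Constructed sample request bodies (not captured from the challenge):
# a normal submission, the entity probe from the writeup, and an
# external-entity declaration of the kind used for file disclosure.
BENIGN = "<root><name>alice</name><email>alice@example.com</email></root>"
PROBE = ('<!DOCTYPE email [<!ENTITY test "This is a test Payload.">]>'
         "<root><name>alice</name><email>&test;</email></root>")
EXTERNAL = ('<!DOCTYPE email [<!ENTITY xxe SYSTEM '
            '"php://filter/convert.base64-encode/resource=index.php">]>'
            "<root><email>&xxe;</email></root>")


class EntityDeclarationError(ValueError):
    """Raised by the hardened parser when the document declares any entity."""


def extract_email(xml_text, hardened):
    """Return the text of <email>, parsing with expat.

    hardened=False mirrors a naive form handler: internal entities are
    expanded, so the probe's text is reflected back to the client.
    hardened=True installs an EntityDeclHandler that rejects the first
    <!ENTITY ...> declaration, before any reference can be expanded.
    """
    parser = expat.ParserCreate()
    state = {"in_email": False, "chunks": []}

    def start(name, attrs):
        state["in_email"] = name == "email"

    def end(name):
        state["in_email"] = False

    def chars(data):  # may be called in several pieces; joined below
        if state["in_email"]:
            state["chunks"].append(data)

    def reject_entity(*decl):  # decl[0] is the entity name
        raise EntityDeclarationError(f"entity declaration rejected: {decl[0]!r}")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    if hardened:
        parser.EntityDeclHandler = reject_entity
    parser.Parse(xml_text, True)
    return "".join(state["chunks"])


def hardened_rejects(xml_text):
    """True if the hardened parser refuses the document."""
    try:
        extract_email(xml_text, hardened=True)
    except EntityDeclarationError:
        return True
    return False
```

Rejecting at the declaration rather than filtering references means the check holds regardless of how the reference is encoded, and the raised error is a natural point to log the attempt.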

UTM1NjM0MmRzJ2dmcTIzND0wMXJnZXdmc2RmCg
