Description

Obtain RCE on the host test-webserver.edu.stf (10.124.1.242) through XXE.

To get the flag, run the script /home/rceflag.

<aside> 💡

Honestly, I solved this challenge in an UNINTENDED way. Although the challenge hints at exploiting the XXE vulnerability, I discovered other vulnerabilities that were easier and more straightforward for obtaining the flag.

</aside>

First, I ran an Nmap scan to identify open ports on the target system.

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5a:19:11:9c:13:70:a4:75:fa:84:5c:31:32:77:18:2b (RSA)
|   256 40:6f:7d:21:1e:fc:ac:8f:95:8e:8c:4b:9c:58:23:70 (ECDSA)
|_  256 1c:c3:11:49:1a:9e:41:7a:6b:6a:09:bf:89:61:3c:4f (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Offline
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.92 seconds
```

Next, I scanned for directories using ffuf, but didn't find anything interesting.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -u http://test-webserver.edu.stf/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://test-webserver.edu.stf/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

javascript              [Status: 301, Size: 337, Words: 20, Lines: 10, Duration: 205ms]
server-status           [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 212ms]
:: Progress: [62281/62281] :: Job [1/1] :: 194 req/sec :: Duration: [0:05:38] :: Errors: 0 ::
```

Next, I scanned for files and found something.

```
┌──(kali㉿kali)-[~/Desktop]
└─$ dirsearch --url http://test-webserver.edu.stf
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_test-webserver.edu.stf/_25-09-07_12-22-37.txt

Target: http://test-webserver.edu.stf/

[12:22:37] Starting: 
[12:22:46] 403 -  287B  - /.ht_wsr.txt
[12:22:46] 403 -  287B  - /.htaccess.orig
[12:22:46] 403 -  287B  - /.htaccess.sample
[12:22:46] 403 -  287B  - /.htaccess.bak1
[12:22:46] 403 -  287B  - /.htaccess.save
[12:22:47] 403 -  287B  - /.htaccess_extra
[12:22:47] 403 -  287B  - /.htaccess_orig
[12:22:47] 403 -  287B  - /.htaccess_sc
[12:22:47] 403 -  287B  - /.htaccessBAK
[12:22:47] 403 -  287B  - /.htaccessOLD
[12:22:47] 403 -  287B  - /.htaccessOLD2
[12:22:47] 403 -  287B  - /.htm
[12:22:47] 403 -  287B  - /.html
[12:22:47] 403 -  287B  - /.htpasswd_test
[12:22:47] 403 -  287B  - /.htpasswds
[12:22:47] 403 -  287B  - /.httr-oauth
[12:22:49] 403 -  287B  - /.php
[12:22:49] 403 -  287B  - /.php3
[12:23:43] 301 -  337B  - /javascript  ->  http://test-webserver.edu.stf/javascript/
[12:24:05] 200 -   29B  - /README.md
[12:24:08] 403 -  287B  - /server-status/
[12:24:08] 403 -  287B  - /server-status
[12:24:17] 200 -    5B  - /test.txt

Task Completed
```

When I accessed the README.md file, I found it contained a hint related to an XXE vulnerability.

`libxml_disable_entity_loader` is a PHP function that controls whether PHP's XML parser is allowed to load external entities (such as those declared with `<!ENTITY>` in a DTD).

So this might be a hint for us to exploit the server using an XXE attack.
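To make the README hint concrete, here is an added example, not code from the challenge or from this writeup: a PHP handler that parses untrusted XML in an XXE-prone way, beside a hardened version that refuses DOCTYPEs, never enables entity substitution, and turns off the external entity loader on PHP versions where it is still enabled by default. The function names and the sample documents are constructed for illustration.

```php
<?php
// Added example, not the challenge's code: the same XML handler written two ways.
// Function names and sample documents are constructed for illustration.
// VULNERABLE: LIBXML_NOENT tells libxml to substitute entities, so an external
// entity declared in the request's own DTD is fetched and inlined into the tree.
function parse_name_vulnerable(string $xml): ?string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    $node = $doc->getElementsByTagName('name')->item(0);
    return $node ? $node->textContent : null;
}

// HARDENED: refuse any DOCTYPE up front (no client of this endpoint needs one),
// never pass LIBXML_NOENT, forbid network access during parsing, and on PHP < 8.0
// switch off the external entity loader, which is still enabled by default there.
function parse_name_hardened(string $xml): ?string
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE/DTD not allowed in input');
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true); // collect errors instead of emitting warnings
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('malformed XML');
        }
    } finally {
        libxml_use_internal_errors($previous);
    }
    $node = $doc->getElementsByTagName('name')->item(0);
    return $node ? $node->textContent : null;
}

// Constructed inputs: a benign document and one carrying an external entity declaration.
$benign  = '<?xml version="1.0"?><user><name>alice</name></user>';
$hostile = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
         . '<user><name>&ext;</name></user>';

echo parse_name_hardened($benign), "\n";
try {
    parse_name_hardened($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The hardened handler rejects the second document before libxml ever sees the DTD, which is the behaviour a server like the one in this challenge should have had.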