Greeting day everyone,
it’s been a while since the last Christmas that i would share this story with you guys but i didn't have time (too busy slacking off)
now time to buckle down and come back to the drawing board again ;)
XML/XXE Theory
XML injection is vulnerability that occurs when a user input is concatenated with XML code and manipulation of the application XML code becomes possible by the user.
XXE attacks are type of XML injection which occurs when the user in able to include external XML entities either through XML injection or providing an XML file directly to the web application.
For example here a sniped code for PoC exploit :
Assignment :
During a pentest, i was auditing a web application which hosting documents and files in order to share it between the the employees (like SharePoint).after finding some XSS/CSRF bypass, there was a feature of uploading Microsoft document like .Docx.
at that moment i remember one of my friend who hacked into Facebook server just by uploading his resume with embed XML code.
Thanks to @bbuerhaus and @nahamsec for making life much easier by hosting an XXE service which can generate the Microsoft files with XXE pre- defined payload.
my first payload looks like :
and at that moment i was astonished because i got a hit from the server who handle the authentication WTF !!
now, i got a nice XXE but wait ..what i can do ?
i knew that i was dealing with windows system …so i could’t for example read interesting path like /etc/passwd in Linux only thing was possible /windows/win.ini …but we could do better right ;)
my dear friend @topotam77 was sitting just near to me and he told me at that time :
“the most important thing about windows is NTLM hashs”
it’s was a like brilliant idea because with some hope we can play with theses hashes, so let’s drop this arrow and see where it will stick;)
this time i changed my payload pointing to my sharing IP address :
and B00M :D
hein what else ?
well backing to the enumeration phase, which i was able to identify other servers (handle the same role for a different environment ) from SSL certificate scanning, and the most important that the SMB messages were not signing !!
arming with these info, let’s rock and roll with SMBrelay :
- first let’s try to do some basic RCE : (Ping)
got a hit in my machine :)
- not satisfied …let create a user :)
after putting it on the Admin group i could do an RDP on the server :)
- well, at that moment i didn’t know that Impacket comes with nice feature which try to dump the SAM file if we just point the IP of the relaying server without any argument :
- at this point : i had the administrator hash …then is there any chance we could leverage our attack ? the answer is yes :)
let drop our hash in the network and see what we’ve got ;)
with smb scan module in Metasploit, i got 41 hits which great :)
- after using PSExec exploit on of these servers, one of them took my complete attention :
i remember my self when i saw the output of this command :
B00M !!
this account was a member of domain Admins , let’s impersonate his session by creating another user but this time : member of domain admin ;)
let’s verify our right :
with this account i could access to all the DC, PC and even dump the NTDS.DIT file which contain all the hashes of the users :D
Conclusion:
XXE vulnerability could be a devastating attack inside the corporate network, especially if all the conditions are met (parsing external XML entities + SMB messages not signing)
If you are dealing with JAVA , .NET some useful recommendations can be found under :