OWASP Top 10 | TryHackME | Day 4
Learn one of the OWASP vulnerabilities every day for 10 days in a row.

Introduction
This writeup is about the OWASP Top 10 challenges on the TryHackMe Platform. I am going to explain in detail the procedure involved in solving the challenges / Tasks.
DAY 4: XML External Entity (XXE)
Learn one of the OWASP vulnerabilities every day for 10 days in a row. A new task will be revealed every day, where each task will be independent from the previous one.
Go to the TryHackMe website: the deployable machine comes from the questions in the OWASP Top 10 room, and you will also need your own Kali Linux machine, which you can get in one of two ways:
A. Connect using OpenVPN
B. Use an in-browser Linux Machine
XML External Entity (XXE) walkthrough:
An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers and XML data. It often allows an attacker to interact with any backend or external system that the application itself can access, and can allow the attacker to read files on that system. It can also cause a Denial of Service (DoS), or XXE can be used to perform Server-Side Request Forgery (SSRF), inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.
There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
1) In an in-band XXE attack, the attacker receives an immediate response to the XXE payload.
2) In an out-of-band XXE attack (also called blind XXE), there is no immediate response from the web application, and the attacker has to reflect the output of the XXE payload to some other file or to a server they control.

Up to Task 13 you learn the basics of XML External Entity (XXE).
The XML External Entity (XXE) practical starts from Task 14.
First deploy the machine. After that, open OpenVPN and connect with the config file you have imported. Then click on the link provided for testing the vulnerability.
*Without connecting to OpenVPN you won't be able to reach the link provided for testing the vulnerability. The page will not open.*
Before starting with the questions, open the machine's IP in your browser. You will see a page like the one below:

Task 14 will have some basic questions on XML :
1. Full form of XML
a. Answer is : eXtensible Markup Language
2. Is it compulsory to have XML prolog in XML documents?
a. Answer is : No.
3. Can we validate XML documents against a schema?
a. Answer is : Yes .
To ensure the document is free of any errors.
4. How can we specify XML version and encoding in XML document?
a. Answer is : XML Prolog.
Every XML document mostly starts with what is known as XML Prolog.
Example: <?xml version="1.0" encoding="UTF-8"?>
Task 15 will have some basic questions on XML External Entity — DTD
DTD stands for Document Type Definition.
1. How do you define a new ELEMENT?
a. Answer is : !ELEMENT
2. How do you define a ROOT element?
a. Answer is : !DOCTYPE
3. How do you define a new ENTITY?
a. Answer is : !ENTITY
Task 16 shows some XXE payloads and explains how they work.
Task 17 is where the real practical starts.
1. Try to display your own name using any payload.
a. Go to the Payload area :

2. See if you can read the /etc/passwd
a. The payload to read a system file is:
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM "file:///etc/passwd">]>
<root>&read;</root>
(You can take it from Task 16.)
b. Paste the above payload into the XXE Attack box and submit it: you will be able to see the contents of /etc/passwd.

3. What is the name of the user in /etc/passwd
a. From the previous task you will be able to see the root user.
b. At the end of the result we should get the username. If you are not able to see it, right-click and choose "view page source".
c. Search for </main> You will be able to see the user name at the end. Answer is : falcon

4. Where is falcon’s SSH key located?
a. Answer is : /home/falcon/.ssh/id_rsa
5. What are the first 18 characters of falcon's private key?
a. Again go to the first tab XXE Attack payload area.
b. Use the payload below. It is the same payload from Task 16 with one small change: /etc/passwd is replaced with the location of the SSH key:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM "file:///home/falcon/.ssh/id_rsa">]>
<root>&read;</root>

Hit the Submit button:

c. You will get the first 18 characters from the key. Answer is : MIIEogIBAAKCAQEA7b
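The two payloads above work only because the server's XML parser resolves the SYSTEM entity. As an added example (not part of the room or of the TryHackMe application), the Python code below shows the defender's side: a parser built on the standard-library expat module that records the URI an external entity asked it to fetch, refuses to resolve it, and fails the parse, so the file is never read. The sample documents are constructed for this example.

```python
"""Refuse external entities such as the XXE payloads used in this room."""
import re
import xml.parsers.expat
from xml.parsers.expat import ExpatError

# Constructed samples: the room's in-band file-read payload (straight quotes,
# so it is well-formed XML) and a harmless document for comparison.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE root [<!ENTITY read SYSTEM "file:///etc/passwd">]>'
    '<root>&read;</root>'
)
BENIGN_DOC = '<?xml version="1.0"?><root>falcon</root>'

# Cheap pre-filter for logs or a WAF rule: any SYSTEM/PUBLIC entity
# declaration in client-supplied XML is suspicious.
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)\b", re.I)


def declares_external_entity(xml_text):
    """True if the document declares an external (SYSTEM/PUBLIC) entity."""
    return EXTERNAL_ENTITY_RE.search(xml_text) is not None


def parse_untrusted(xml_text):
    """Parse client XML without ever resolving external entities.

    Returns (text, refused): the character data of the document, or None
    if parsing failed, plus the list of URIs the document tried to make
    the parser fetch.  Returning 0 from ExternalEntityRefHandler makes
    expat abort the parse instead of opening the URI."""
    refused, chunks = [], []

    def on_external_entity(context, base, system_id, public_id):
        refused.append(system_id)   # e.g. file:///etc/passwd
        return 0                    # do not resolve; abort the parse

    parser = xml.parsers.expat.ParserCreate()
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = chunks.append
    try:
        parser.Parse(xml_text, True)
    except ExpatError:
        # Malformed XML, or an external entity reference we refused.
        return None, refused
    return "".join(chunks), refused


if __name__ == "__main__":
    print(declares_external_entity(XXE_PAYLOAD), parse_untrusted(XXE_PAYLOAD))
    print(declares_external_entity(BENIGN_DOC), parse_untrusted(BENIGN_DOC))
```

The refused list is what you would write to the application log; an entry naming /etc/passwd or a user's .ssh/id_rsa is a clear indicator of the attack this room demonstrates.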
Friends, let me know your feedback on this article.
On the next day we will discuss the 5th OWASP vulnerability: Broken Access Control.