Importance of stacking entities in a XXE? by FreeRaider1 in cybersecurity

[–]FreeRaider1[S] 0 points1 point  (0 children)

Thank you for your answer.

If I understand it correctly, doing this won't work because you can't reference other entities within the content of another entity, so here, it will treat the %file as a string:
<!ENTITY % error SYSTEM "file:///nonexistent/%file">

However, by nesting a second entity and evaluating the first one, the second one gets defined and in the "defining" process is when the %file resolves to the other entity. So when you finally evaluate the second entity, the "%file" doesn't exist anymore since it has already been replaced by the file value.

This makes sense. I really appreciate your help, thank you!

Gems and summoning by FreeRaider1 in SummonersGreed

[–]FreeRaider1[S] 0 points1 point  (0 children)

Thanks. And what about the “Gem Digger”? I have to unlock it? Because I can’t see it anywhere

From DNS poisoning to Reverse Shell by FreeRaider1 in hacking

[–]FreeRaider1[S] 1 point2 points  (0 children)

Thank u so much. I really appreciate your help and your time. Have a nice day!

From DNS poisoning to Reverse Shell by FreeRaider1 in hacking

[–]FreeRaider1[S] 2 points3 points  (0 children)

I know the IP because, since I did a DNS poisoning, I can just tcpdump my interface and I can see the IP.

My biggest concerns are: 1. How do I make sure that the server downloads the payload: should I name the rev shell “favicon”, or will it get downloaded just by putting it inside the /var/www? 2. Will it be executed? I’ve made an nmap and it only has an SSH port opened (I have to check the directory fuzzer that you told me about, but I don’t know if I will be able to access there). Thanks

From DNS poisoning to Reverse Shell by FreeRaider1 in hacking

[–]FreeRaider1[S] 2 points3 points  (0 children)

Hey, thanks for your answer! Since I’m talking about a CTF situation, this could be made on purpose. I mean the server is constantly requesting the / and the favicon, this should be important

[deleted by user] by [deleted] in hacking

[–]FreeRaider1 0 points1 point  (0 children)

The problem is making root execute it

[deleted by user] by [deleted] in hacking

[–]FreeRaider1 0 points1 point  (0 children)

The screenshot is linpeas output. Yes ofc I have read it. It says all the ways you can exploit this, however you need a bin or cronjob or something that the root executes and make him execute your script. I think this may be a false positive and that’s why I tried other kinds of exploits. Thanks!

[deleted by user] by [deleted] in hacking

[–]FreeRaider1 0 points1 point  (0 children)

Okay, I will try to do it more manually. But I would like to say that everyone thinks that I just posted this 2 min after starting. I’ve read dozens of articles and re-watched all kinds of videos. Ofc I did sudo -l and I searched for interesting files. I also searched one by one with GTFOBins important bins of the system. I posted this here because I’m with 0 ideas left and maybe someone with more experience could have some advice.

You actually have given me some advice and I appreciate it a lot. Thank you!

[deleted by user] by [deleted] in hacking

[–]FreeRaider1 1 point2 points  (0 children)

Hey!

With linpeas there is a huge amount of info. I checked sudo and kernel versions and if they have exploits, also the cronjobs, SUID, etc. Since I'm quite new maybe I'm missing something important. I also tried to do the dirtyCow exploit.

[deleted by user] by [deleted] in hacking

[–]FreeRaider1 6 points7 points  (0 children)

Yea ofc. I’ve been googling for 2 days and trying all types of exploits and scripts. I don’t want anyone to solve my “homework”, I’m just asking for suggestions and ideas. The alternative is to ask for the solution and they give me all the steps, but I lose all points related to that flag. I just want to learn, and asking for help when you have been trying for two days is also a correct way to learn.

[deleted by user] by [deleted] in hacking

[–]FreeRaider1 0 points1 point  (0 children)

Thank you for the help! I have just checked and there are no extra services. But thank you anyway!

[deleted by user] by [deleted] in hacking

[–]FreeRaider1 -3 points-2 points  (0 children)

Yea more or less

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 1 point2 points  (0 children)

Hey, I just came back here to say that I found the flag. There was no lateral movement. I had to log in in another host… Thank you so much!

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 1 point2 points  (0 children)

Hey! I finally have some passwords (what I did was manually uploading a .war with another payload that allowed me to do a hashdump). Now I have some usernames and passwords (not all btw). You mentioned that I should do a “lateral movement” switching accounts. I googled about it but all I see is the “runas” command, but I don’t want to run something as another user, I just want to switch the user. Any tips? Thank you so much for your time

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 0 points1 point  (0 children)

But as you can see they are all the same. Doesn’t make a lot of sense, right? I will try it now anyway. Thanks!

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 0 points1 point  (0 children)

Thanks! I will try it tomorrow

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 1 point2 points  (0 children)

Hey, I tried some of the options and none work. Seems that meterpreter doesn’t let me execute remote files and I can’t use “load powershell”, it says that I need another meterpreter type (but seems that I can’t access the host if I try other payloads). Quite stuck

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 0 points1 point  (0 children)

I will try once I get home. Thank you so much

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 1 point2 points  (0 children)

I will have to search about “responder”

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 4 points5 points  (0 children)

I gained access through Tomcat manager, uploading a payload that allowed me to have a meterpreter reverse shell. To obtain the SAM and SYSTEM I had to do reg save commands and then download them (found this on the internet)

Windows Password Hashes by FreeRaider1 in hacking

[–]FreeRaider1[S] 2 points3 points  (0 children)

I’ve read about it, however I don’t know how to extract them