This finding was an another private bug bounty program. The scope of the target was a ticketing android app (Prod). This app was a major Public Transport Ticketing app based out of Germany.
After logging into the android app and going through the account settings, I came across a “Change my data” option.
In the next screen, I have to modify my personal data
While saving the data, I found the following request was sent to the server
The request format was like 062.6.26#{some long data}.
This looks interesting. Next, I selected {some long data} and sent it to the decoder. I tried decoding it and found it was base64. The decoded data was an XML as shown in the below image
Great, next I included the following XXE payload
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]>
and called the defined entity &xxe;
from the body as shown in the following image:
Now, all that I needed to do was to encode the whole payload back to base64 format.
Finally, I replaced the payload in the original request and forwarded the request to the server. And, bang! I got the content of /etc/passwd
Since the application was using java, you can even list the directories by using the following payload
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file://">]>
I was mainly looking for SSH private keys but out of curiosity, I tried to fetch /etc/shadow
(feeling lucky :D). And, to my surprise, I got it (this is a rare case). The response makes it clear that it’s running as root.
I also found, the SSH private keys are too available in the /home/user/.ssh/
directory. This means we can also perform a full RCE on the system but full escalation wasn’t allowed in the program. So I didn’t attempt that and stopped my testing till here and reported the same.
That’s it for now. See you in the next article. Stay Curious ✌🏻
Thank you Bhavuk Jain , Kainat Kamal and jinen for proofreading.