Dirsearch revealed that the server has a folder located at http://10.10.10.91:5000/upload . It allows an upload of an XML file with the following criteria:
Construction of the XML file used to test for an XXE vulnerability:
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><creds><Author>&xxe;</Author><Subject>mypass</Subject><Content>cunt</Content></creds>
We can see that the content of /etc/passwd on the remote server is read back once we upload this file:
We have read access to the server's files. From this point on we can check for sensitive entries on the system by looking up, for example, private SSH keys. Using Burp Repeater we can modify the POST request to view the content of the private SSH keys.
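The root cause is a server-side XML parser that honours a DOCTYPE with a SYSTEM entity. As an added example, not code from the original writeup or from the target application, the function below parses the same <creds> upload format with Python's standard-library expat parser and aborts on any DOCTYPE or entity declaration, so an external entity can never be resolved against the filesystem. The field names Author/Subject/Content are taken from the page; the benign sample document is constructed.

```python
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """Raised when an upload carries a DOCTYPE or entity declaration."""


def parse_creds(xml_bytes: bytes) -> dict:
    """Parse a <creds> upload into {"Author": ..., "Subject": ..., "Content": ...}.

    The parser refuses to process a DOCTYPE, so the body is never reached
    when a DTD (and therefore any SYSTEM entity) is present.
    """
    fields = {}
    buf = []  # character data of the element currently being read

    def forbid(*_args):
        raise DtdForbidden("DOCTYPE/ENTITY declarations are not accepted")

    def start(_name, _attrs):
        buf.clear()

    def chars(data):
        buf.append(data)

    def end(name):
        if name in ("Author", "Subject", "Content"):
            fields[name] = "".join(buf).strip()
        buf.clear()

    p = expat.ParserCreate()
    # Never load parameter entities, and abort on any DTD or entity declaration.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler = forbid
    p.EntityDeclHandler = forbid
    p.ExternalEntityRefHandler = forbid
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(xml_bytes, True)
    return fields


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_creds(xml_bytes)
    except DtdForbidden:
        return True
    return False


# Constructed benign upload and the XXE probe from the writeup above.
BENIGN = b'<?xml version="1.0"?><creds><Author>alice</Author><Subject>hi</Subject><Content>note</Content></creds>'
XXE_PROBE = (b'<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY >'
             b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><creds><Author>&xxe;</Author>'
             b'<Subject>mypass</Subject><Content>x</Content></creds>')

if __name__ == "__main__":
    print(parse_creds(BENIGN))      # {'Author': 'alice', 'Subject': 'hi', 'Content': 'note'}
    print(is_rejected(XXE_PROBE))   # True
```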