XXE Room

The first step in this room is to start the machine. Click on Start Machine and move on to the next task.

The first question in Task 2 requires that you read about XML in the Task 2 text.

The next question asks if XML is case sensitive and you get that from reading as well.

Again for the third question you can find the answer in the reading.

For the fourth question we find it in the reading.

No surprise here, you can find the answer to the final question in the reading.

Task 3, question #1 can be found in the text above the question.

You can find the answers to questions #2 and #3 in the chart provided in the text for Task #3.

The final question requires that you use your newfound XML skills. You know how to define a new element in XML.

Elements are declared with !ELEMENT, so the same declaration pattern should apply to a new entity as well.

For Task #4, the only question asks you to enter /etc/passwd in the payload area on the website. You should see something like this:

For Task 5, question #1 you are asked to enter your name using the XML format. In Task #4 you learned how to replace a name in XML. Use that format to do it yourself. You should see something like this:

For question #2 you are asked if you can read the /etc/passwd file. Try going to the website and entering /etc/passwd. We know from Task #4 that we can read the file, and you should see the password file.

For question #3 we can see that at the end of the /etc/passwd file there is a user called Falcon.

Question #4 asks where the SSH key is located for Falcon. You can use the hint button and it will show you the location: /home/falcon/.ssh/id_rsa.

Question #5. We know where the file is located, so let's try that file path, /home/falcon/.ssh/id_rsa, in the website's payload area. It should show the key file and you can grab the first 18 characters of it.
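The reason Tasks 4 and 5 work is that the site's XML parser accepts a DOCTYPE with an entity declaration and expands it. As an added example, not part of the room or its walkthrough, here is how the same `<data><name>...</name></data>` submission can be parsed with Python's standard-library expat parser so that any DOCTYPE or entity declaration is rejected before the entity body is ever resolved. The element names and the sample documents are constructed for this illustration.

```python
import xml.parsers.expat as expat


class DoctypeRejected(Exception):
    """Raised when a submitted document carries a DTD, the XXE vector."""


# Constructed samples: the benign name submission from Task 5 and the
# entity-based payload shape from Task 4 (the file is never read here).
SAFE_DOC = "<data><name>falcon</name></data>"
XXE_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<data><name>&xxe;</name></data>"
)


def parse_name(doc: str) -> str:
    """Return the text inside <name>, refusing any DOCTYPE or entity."""
    parser = expat.ParserCreate()
    collected = []      # character data seen inside <name>
    inside = [False]    # are we currently inside <name>?

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Reject at the DOCTYPE itself: no application document needs one.
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: log what was declared (SYSTEM id = target URI).
        raise DoctypeRejected(f"entity '{name}' declared with SYSTEM {sysid!r}")

    def external_ref(context, base, sysid, pubid):
        return 0        # returning 0 makes expat abort instead of fetching

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = lambda tag, attrs: inside.__setitem__(0, tag == "name")
    parser.EndElementHandler = lambda tag: inside.__setitem__(0, False)
    parser.CharacterDataHandler = lambda data: collected.append(data) if inside[0] else None
    parser.Parse(doc, True)
    return "".join(collected)


def is_rejected(doc: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_name(doc)
        return False
    except DoctypeRejected:
        return True


if __name__ == "__main__":
    print("safe ->", parse_name(SAFE_DOC))          # safe -> falcon
    print("payload rejected ->", is_rejected(XXE_DOC))  # payload rejected -> True
```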