# XXE Infiltration Lab

Q1) Knowing which open ports have been discovered by the attacker allows us to understand which services are exposed and potentially targeted. Can you provide the highest numbered port open on the victim web server?

```
tcp.flags.syn == 1 and tcp.flags.ack == 1
```

```bash
# Source port of each SYN-ACK is the server-side port that answered; sort numerically to spot the highest
tshark -r XXEInfiltration.pcap -Y "tcp.flags.syn == 1 and tcp.flags.ack == 1" -T fields -e tcp.srcport | sort -n | uniq
```

Answer: 3306

Q2) By identifying the vulnerable PHP script, security teams can directly address and mitigate the vulnerability. What's the complete URI of the PHP script vulnerable to XXE Injection?

```
http contains "<?xml"
```

Answer: /review/upload.php

Q3) To construct the attack timeline and determine the initial point of compromise, what's the name of the first malicious XML file uploaded by the attacker?

Answer: TheGreatGatsby.xml

Q4) Understanding which sensitive files were accessed helps evaluate the breach's potential impact. What's the name of the web app configuration file the attacker read?

```
http.response.code == 200
```

Answer: config.php
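As an added example (not part of this writeup or the lab), this is the check a defender would put in front of an upload handler like `/review/upload.php`: it reports any DOCTYPE and any entity declared with a SYSTEM/PUBLIC identifier without resolving it, and the hardened handler rejects documents carrying a DTD outright. The two sample uploads and the file path inside them are constructed for illustration, not taken from the capture.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed sample modelled on the kind of review upload abused in this lab:
# the DTD declares an external entity and the body then references it.
# The file path is illustrative, not copied from the capture.
XXE_UPLOAD = """<?xml version="1.0"?>
<!DOCTYPE review [
  <!ENTITY xxe SYSTEM "file:///var/www/html/config.php">
]>
<review><title>The Great Gatsby</title><body>&xxe;</body></review>"""

# Constructed benign upload that the handler should accept.
BENIGN_UPLOAD = """<?xml version="1.0"?>
<review><title>The Great Gatsby</title><body>Loved it.</body></review>"""


def inspect_upload(xml_text):
    """Scan an XML upload without resolving anything.

    Returns {"has_doctype": bool, "external_entities": [(name, system_id), ...]}.
    Entity declarations live in the DTD, so they are reported before the
    first reference is reached and the scan is aborted.
    """
    report = {"has_doctype": False, "external_entities": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["has_doctype"] = True

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # A SYSTEM or PUBLIC identifier means a resolving parser would fetch a file or URL.
        if system_id is not None or public_id is not None:
            report["external_entities"].append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Returning 0 makes expat fail at the reference instead of fetching the resource.
    parser.ExternalEntityRefHandler = lambda *args: 0
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError:
        pass  # expected once the refused external reference is hit
    return report


def parse_review(xml_text):
    """Hardened handler: refuse any document with a DTD, then read the fields."""
    if inspect_upload(xml_text)["has_doctype"]:
        raise ValueError("DOCTYPE not allowed in review uploads")
    root = ET.fromstring(xml_text)
    return {"title": root.findtext("title"), "body": root.findtext("body")}
```

Logging the `external_entities` list from `inspect_upload` gives the same evidence the `http contains "<?xml"` filter recovers from the pcap, but at the time of upload rather than after the fact.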

Q5) To determine the extent of the breach, what's the password of the compromised database user?

```
http.response.code == 200
```

Answer: Winter2024

Q6) Following the database user compromise, what's the UTC timestamp of the attacker's first connection to the MySQL server in an attempt to use the compromised credentials?

The attacker obtained the database username and password at 2024-05-31 12:03:12, so the first connection to MySQL must occur after that timestamp.

```
tcp.port == 3306
```

Answer: 2024-05-31 12:08:49

Q7) To eradicate the threat and prevent further unauthorized access, can you identify the name of the web shell the attacker uploaded for remote code execution and persistence?

```
http.response.code == 200
```

Answer: booking.php
