Lab 142 — TalentFlow — XXE via Resume Upload

hackadvisor

Task: Applicant tracking system accepts .docx resume uploads and parses XML content with external entity resolution enabled. Solution: Craft malicious DOCX with XXE payload in word/document.xml referencing file:///root/flag.txt; server resolves entity and displays file contents in confirmation page resume preview.

lfi file_read file_upload docx xxe xml alpine_linux honeypot_flag resume_upload

xxe_file_readexternal_entity_injectionin_band_exfiltrationdocx_xxemalicious_docx_upload

$ ls tags/ techniques/

lfi file_read file_upload docx xxe xml alpine_linux honeypot_flag resume_upload

xxe_file_readexternal_entity_injectionin_band_exfiltrationdocx_xxemalicious_docx_upload

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 139 — HireFlow — XXE via XML Application Intake— hackadvisor
[web][Pro]Lab 291 — HireFlow — Broken Authorization in Premium Feature Endpoints— hackadvisor
[web][Pro]Lab 102 — HireScreen — Indirect Prompt Injection via Resume Description— hackadvisor
[web][Pro]Lab 144 — InsightForge — Blind XXE via XML Data Import— hackadvisor
[web][Pro]Lab 145 — RankPulse — XXE via Sitemap XML Parsing— hackadvisor