We covered a demo of XML External Entity (XXE) injection along with privilege escalation through exploiting the Python eval function. This was part of the HackTheBox BountyHunter machine on the CREST CRT Track.
BountyHunter is an easy Linux machine that uses XML External Entity injection to read system files. Being able to read a PHP file in which credentials are leaked gives the opportunity to get a foothold on the system as the development user. A message from John mentions a contract with Skytrain Inc and a script that validates tickets. Auditing the source code of that Python script reveals that it uses the eval function on the ticket code, which can be injected; because the development user can run the script as root with sudo, the injection yields a root shell.
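To make the eval sink concrete, here is an added example (written for this page, not the box's real ticket validator, whose format is not reproduced here) of a ticket check that passes the ticket code to eval, next to a hardened version that only evaluates a whitelisted arithmetic subset of the Python AST. The ticket format `<int>+<int>==<int>` and the sample tickets are assumptions for the demo; the payload shows that eval runs arbitrary Python, which is exactly what turns a sudo-allowed script into a root shell.

```python
import ast
import operator

# Constructed sample tickets (assumed format, not the box's real tickets).
GOOD_TICKET = "102+10==112"
BAD_TICKET = "102+10==113"
# Injected "ticket": a Python expression that has a side effect and then
# evaluates to True so the validator still reports the ticket as valid.
INJECTED_TICKET = "SIDE_EFFECTS.append(__import__('os').getpid()) or True"

# Records evidence that code ran inside eval() (stand-in for a real payload).
SIDE_EFFECTS = []


def vulnerable_validate(ticket_code: str) -> bool:
    # Untrusted input reaches eval(): any Python expression runs here,
    # with the privileges of whoever runs the script (root under sudo).
    return bool(eval(ticket_code))


# Whitelist of operators the hardened validator will honour.
_ALLOWED_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Eq: operator.eq,
}


def _eval_node(node):
    # Walk the parsed expression and refuse anything outside the whitelist:
    # no names, no attribute access, no calls, so no __import__ and no os.
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_OPS:
        return _ALLOWED_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _ALLOWED_OPS):
        return _ALLOWED_OPS[type(node.ops[0])](
            _eval_node(node.left), _eval_node(node.comparators[0]))
    raise ValueError(f"disallowed syntax in ticket: {type(node).__name__}")


def safe_validate(ticket_code: str) -> bool:
    # Parse as a single expression, then interpret it ourselves.
    tree = ast.parse(ticket_code, mode="eval")
    return bool(_eval_node(tree))


if __name__ == "__main__":
    print("vulnerable, good ticket:", vulnerable_validate(GOOD_TICKET))
    print("vulnerable, injected  :", vulnerable_validate(INJECTED_TICKET),
          "side effects:", SIDE_EFFECTS)
    print("safe, good ticket     :", safe_validate(GOOD_TICKET))
    try:
        safe_validate(INJECTED_TICKET)
    except ValueError as exc:
        print("safe, injected        : rejected ->", exc)
```

The hardened version deliberately walks the AST rather than using `ast.literal_eval`, which would reject the arithmetic a ticket legitimately needs; anything that is not an integer constant, a whitelisted binary operator or a single `==` comparison is refused before any evaluation happens.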