OpenCRX (Auth Bypass -> XXE)

We use white box techniques to gain authenticated access to openCRX. From there, we leverage both white and black box methods to exploit an XML External Entity Injection vulnerability and enumerate the server. We discover credentials for an HSQLDB instance and use Java language routines to achieve limited remote code execution, ultimately creating a command shell on the server.