I've been hard stuck in this assessment for days, so I came here hoping someone could help.
I found that the cookie is set with HttpOnly and the SameSite attribute is set to Strict.
So it seems CSRF cannot be performed directly.
I tried to find out if there is any CSRF token or any client-side redirect that I could use, but no luck.
There is no CORS configured.
I noticed there is a CSP set, but I can't think of a way to leverage it to perform a CSRF/XSS attack.
Can someone give me a hint?
Many thanks in advance!
It sounds like you’re facing a challenge in performing a CSRF (Cross-Site Request Forgery) attack due to the HttpOnly and strict SameSite attributes set on the cookie. Additionally, you’ve explored the absence of CORS (Cross-Origin Resource Sharing) and looked into the Content Security Policy (CSP) settings.
While it’s important to note that providing assistance in carrying out or facilitating any form of hacking, unauthorized access, or unethical activities is against ethical guidelines, I can provide you with some general guidance to enhance security:
Understand the Application Logic:
Analyze the application logic to identify areas where user input is processed.
Look for any functionality that might be susceptible to exploitation, even without direct CSRF attacks.
Client-Side Security:
Check for the presence of any client-side vulnerabilities, such as Cross-Site Scripting (XSS).
Verify that user input is properly validated and sanitized to prevent injection attacks.
Business Logic Flaws:
Explore the application for potential business logic flaws that may lead to unintended behavior.
Test various functionalities to identify any non-standard behaviors.
Collaborate Responsibly:
If you discover potential security issues, it’s recommended to responsibly disclose them to the application owner or administrator, following ethical disclosure practices.
Always adhere to ethical hacking guidelines, and ensure that your actions comply with legal and responsible disclosure standards. Unauthorized exploitation of vulnerabilities can lead to legal consequences.
I am able to get the XSS through the file upload. I have not found redirects or tokens either. Is there a way to send my payload? Any nudge for the CSRF would be helpful.
For my part, I've been trying to move forward with this challenge for a while. I exploited exploitserver.htb and tested all file formats in FileManagement of vulnerablesite.htb for privilege escalation.
Could it be possible that the bot that executes . is dead?
Are you sure you tested all file formats to execute anything on the file upload page? First you need to get the open redirect, then you can focus on the XSS. But make sure you observe the SOP as well.
You made me doubt myself, so I tested again, but no answer.
If I test the payload on my side, my browser responds perfectly and sends the information to exfiltrat.
I can upload files… I've found an open redirect… I think I know the attack path… XSS somehow to privesc to moderator or admin, then go from there… nothing I'm trying is working at the moment, though…
Forget everything else. First you have to do a CSRF exploiting the open redirect and thus make a SameSite cookie bypass. In the section "Misc CSRF Exploitation" of HTB Academy they explain this and with what objective they do it.
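The SameSite behaviour the post above relies on, as an added illustration that is not code from the thread or from HTB Academy: a small model of the RFC 6265bis SameSite rules that says whether a cookie is attached to a request, given the request's initiator site, method and whether it is a top-level navigation. The hostnames (exploitserver.htb, vulnerablesite.htb) and the target path are assumptions for the constructed scenario; the registrable-domain check is a simplification (last two labels, no Public Suffix List). The model classifies a request by its initiator only and does not follow redirect chains, so confirm the target browser's handling of server-side 3xx redirects separately.

```javascript
// Added example (not from the thread): a model of the SameSite cookie rules
// from RFC 6265bis, to reason about which requests in a CSRF chain carry the
// session cookie. A "site" is scheme + registrable domain. The registrable
// domain here is just the last two labels (no Public Suffix List), which is
// enough for hosts like vulnerablesite.htb; real browsers use the PSL.

function siteOf(urlString) {
  const url = new URL(urlString);
  const labels = url.hostname.split('.');
  const registrable = labels.slice(-2).join('.');
  return `${url.protocol}//${registrable}`; // scheme is part of the site
}

function isSameSite(requestUrl, initiatorUrl) {
  return siteOf(requestUrl) === siteOf(initiatorUrl);
}

// Safe methods per RFC 7231; Lax allows these on top-level navigations.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Decide whether a cookie with the given SameSite value is attached.
// request: { url, initiator, method, topLevelNavigation }
function cookieAttached(sameSite, request) {
  const sameSiteRequest = isSameSite(request.url, request.initiator);
  switch ((sameSite || 'Lax').toLowerCase()) {
    case 'none':
      return true; // modern browsers also require the Secure attribute
    case 'lax':
      return sameSiteRequest ||
        (request.topLevelNavigation === true &&
         SAFE_METHODS.has(request.method.toUpperCase()));
    case 'strict':
      return sameSiteRequest; // only requests initiated from the same site
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed scenario mirroring the thread (hostnames and path are
// assumptions): attacker page on exploitserver.htb, target action on
// vulnerablesite.htb, session cookie SameSite=Strict.
function csrfScenario() {
  const direct = {
    url: 'http://vulnerablesite.htb/admin/promote?user=x',
    initiator: 'http://exploitserver.htb/',
    method: 'POST',
    topLevelNavigation: false,
  };
  // Cross-site top-level GET, e.g. a link the victim clicks.
  const topLevel = { ...direct, method: 'GET', topLevelNavigation: true };
  // The same request, but issued by a page that already sits on the target
  // site (what a client-side redirect hosted on vulnerablesite.htb produces).
  const fromTarget = { ...direct, initiator: 'http://vulnerablesite.htb/redirect' };
  return {
    strictDirect: cookieAttached('Strict', direct),         // false
    laxTopLevelGet: cookieAttached('Lax', topLevel),        // true
    strictTopLevelGet: cookieAttached('Strict', topLevel),  // false
    strictFromTarget: cookieAttached('Strict', fromTarget), // true
  };
}

console.log(csrfScenario());
```

The point of the model is the last two lines of the scenario: with Strict, even a top-level GET from the attacker's site carries no cookie, while any request whose initiator is already on the target site does. That is why the posts above insist on getting the open redirect before the XSS, and why the upload-triggered payload only helps once the request originates from the target's own site.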
Hi. How often does the application/administrator open uploaded files? I have created a file and tried to use the open redirect; for me all is OK, but it seems that the admin doesn't open the file.