Cross-Site Scripting (XSS) Skills Assessment

Hi there, I am facing trouble with the final assessment.
I want to identify a proper payload for the comment field, but it does not accept my comment even if I tested it before.
The madness is that after an assessment server restart I cannot reproduce the same comment which previously worked for preview.
I also did not receive any duplication message.

Thanks for any kind of help.

Hey!

Is the comment field the only one you are trying to exploit?
-onthesauce

I tried all of them.
I also set up a local env with WP in the same version,
but still nothing :frowning:

Am I considering it correctly when I expect that the admin is refreshing wp-admin/edit-comments.php? So the XSS has to be reflected in the HTML rendering on this page.

I was able to print complete HTML tags there, but they were only printed as text and not treated as functional elements.

The email field was the only one which I was not able to manipulate at all.

You are correct that the admin plays a part in it, but I think you are going down a rabbit hole. When you submit a regular comment, note that it sends a message saying that the admin must review the comment before it gets posted.

That means the goal is to attack the admin who is reviewing your comment. Don’t bother with the email field. If that hasn’t given you any ideas, then give the Session Hijacking section another read then start fresh on the Skills Assessment.

DM me if you are still stuck.
-onthesauce

2 Likes

OK,
here is my big learning from this easy lab.

!! CHECK THE OPEN PORT ON THE FIREWALL ON THE PROPER ADAPTER !!

@onthesauce Thank you for pointing me back to test the previous hijacking lab.

– spoiler → setting up a local env for this lab is Alice’s way to ■■■■

Actually, it's simpler than that.

You can test the various versions of the script as per the examples in the tutorial: since nothing happens, it's a blind XSS, so set up a PHP listener and just inject all fields with your script calling your IP on the PHP web server, and you will get the cookie even without script.js and all that. :o) Just keep the PHP terminal open and it will show up in the terminal.

Happy hunting

3 Likes

Totally stuck here. I set up the PHP listener on 0.0.0.0:80 with “php -S 0.0.0.0:80 -t ./” with the index.php and script.js in the current directory. However, I can’t seem to find a payload for XSS to call back to the server that’ll get triggered. Anyone able to provide some pointers? Do any of the XSS payloads from the module need customization beyond specifying the correct IP/port to call back to?

Figured it out. I was running into issues with getting the payloads to call back to my Kali Linux machine through the OpenVPN VPN channel. I tried redoing what I was doing using Pwnbox and things worked smoothly. There must have been some environmental issue with my network or host configurations.

I am having issues as well. I’ve tried retracing all of the steps from the previous lab and understand that the attack path is: XSS in the s parameter on the /assessment page, which is a blind XSS vuln, which you will use to grab a cookie and use that cookie to log in to the admin page through a session hijack where you input the cookie using the dev tools. However, I cannot seem to get a callback. I’m not sure if I’m not configuring something properly, but I have used both the Pwnbox and my own machine through OpenVPN, yet I still have had no such luck. Any and all help would be appreciated!
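The posts above describe the defender-relevant shape of this lab: visitor-controlled comment fields (name, website, comment body) are stored and later rendered on the admin review page, and once script runs there the admin's session cookie can be read. As an added example, not code from the lab or from WordPress, the same pattern is modelled in Python: a review row that echoes raw fields, the hardened version that encodes each field for its HTML context and restricts link schemes, an audit helper that reports fields leaking through unencoded, and a session cookie marked HttpOnly so page script cannot read it. The field names, the sample comment and the host `attacker.invalid` are constructed.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample submission: every field a visitor controls carries markup,
# exactly what a moderator would later load in an admin comment-review page.
SUBMITTED_COMMENT = {
    "author": "<b>Alice</b>",
    "website": "javascript:alert(1)",
    "body": '<script src="http://attacker.invalid/x.js"></script>',
}


def render_comment_vulnerable(comment):
    """Review-page row that trusts stored fields: any tag runs in the moderator's browser."""
    return (f'<tr><td><a href="{comment["website"]}">{comment["author"]}</a></td>'
            f'<td>{comment["body"]}</td></tr>')


def safe_link(url):
    """href context: only http(s) schemes may become a link; anything else becomes '#'."""
    return url if urlsplit(url).scheme in ("http", "https") else "#"


def render_comment_safe(comment):
    """Same row with every field encoded for its context (text node or quoted attribute)."""
    esc = html.escape  # escapes < > & and, by default, both quote characters
    return (f'<tr><td><a href="{esc(safe_link(comment["website"]))}">{esc(comment["author"])}</a></td>'
            f'<td>{esc(comment["body"])}</td></tr>')


def leaked_fields(comment, rendered):
    """Audit helper: names of fields whose raw submitted value appears verbatim in the output."""
    return sorted(name for name, value in comment.items() if value in rendered)


def session_cookie_header(session_id):
    """Set-Cookie value for the admin session: HttpOnly keeps it out of document.cookie,
    so even a script that does execute on the review page cannot read it."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


if __name__ == "__main__":
    print(render_comment_vulnerable(SUBMITTED_COMMENT))
    print(render_comment_safe(SUBMITTED_COMMENT))
    print(session_cookie_header("constructed-session-id"))
```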

OK SMH. After spending hours on the lab I never clicked the “security blog” link to go to the comment section, so uh… yeah, I figured it out. Really easy, but uh, don’t make the same mistake I made, guys. Leaving this here so if anyone comes here and has the same issue as me, hopefully this helps :slight_smile:

1 Like

same T_T

Don’t use port 80; there is already a service on it if you’re using Pwnbox. Try a different port, e.g. 8080 or 8009.

If you are not getting a connection back to your PHP listener, you are testing the wrong input field. There is no need to use Pwnbox. I thought something was wrong with the lab, but it is not; I was just testing the wrong input field. DM for more help if needed.