Session Security - Skills Assessment

Thanks for your reply. Yes, I was wrong to use delete all the time for XSS. Now I know how to use it the right way. The only thing now, every time I ended up with the same session cookie (from Julie Rogers)…

Can you explain the process you go through to get the session cookie for me? Once I know what you’re doing I can nudge you in the right direction. Don’t think you’re too far off. DM if you want.

How can I DM you?
If I reply on your email the content is visible in this blog as well.

SOLVED

Hey all, I am a bit stuck on this and did try most of the ideas and XSS form lecture.

I can get Julie’s auth-session/cookie both in base64 and clear via XSS and remote webservice. But I cannot get to redirect/share the part so I get the admin visit. I did try to make XSS to http://minilab.htb.net/submit-solution etc.

I just need a hint on how to utilise the submit-solution site???

NEVERMIND, stepped away and came back with a different mindset and it took 20 min after that. As soon as I understood/figured out the API role in the bigger picture it was easy. But great course. I have now finally finished the Bug Hunter Path.

Cheers

Hi everyone.

I’m in the same boat here…just used the XSS payload, visited the http://minilab.htb.net/submit-solution?url=xxx and get the AdminVisited = true BUT…don’t know how to actually get the admin to click on the malicious link with the payload to steal the session cookie. Anyone to DM to discuss this or to give me a nudge in the right direction?

Even if I visit the malicious link from a private browser using the endpoint mentioned with the URL associated to it…no cookies at all…