2 :80 :443 XSS > admin
http://bankrobber.htb/
e-coin website
$ gobuster dir -u http://bankrobber.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/img (Status: 301) [Size: 338] [--> http://bankrobber.htb/img/]
/register.php (Status: 200) [Size: 0]
/login.php (Status: 302) [Size: 0] [--> index.php]
/index.php (Status: 200) [Size: 8245]
/user (Status: 301) [Size: 339] [--> http://bankrobber.htb/user/]
/admin (Status: 301) [Size: 340] [--> http://bankrobber.htb/admin/]
/link.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 338] [--> http://bankrobber.htb/css/]
/js (Status: 301) [Size: 337] [--> http://bankrobber.htb/js/]
/examples (Status: 503) [Size: 1060]
/generic.html (Status: 200) [Size: 13343]
/notes.txt (Status: 200) [Size: 133]
/logout.php (Status: 302) [Size: 0] [--> index.php?msg=Succesfully logged out]
/elements.html (Status: 200) [Size: 34812]
/licenses (Status: 403) [Size: 1205]
/fonts (Status: 301) [Size: 340] [--> http://bankrobber.htb/fonts/]
/phpmyadmin (Status: 403) [Size: 1205]
/webalizer (Status: 403) [Size: 1046]
http://bankrobber.htb/admin/
You're not authorized to view this page
http://bankrobber.htb/generic.html
Similar website (old); links not working.
http://bankrobber.htb/notes.txt
- Move all files from the default Xampp folder: TODO
- Encode comments for every IP address except localhost: Done
- Take a break..
# login page is on the index.php itself
# sends POST request
# default creds admin:admin; nothing happens
# register is also on index.php
# sends POST request
# response
http://bankrobber.htb/index.php?msg=User%20created.
# login as kashz:kashz
POST /login.php HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://bankrobber.htb
DNT: 1
Connection: close
Referer: http://bankrobber.htb/index.php?msg=User%20created.
Upgrade-Insecure-Requests: 1
username=kashz&password=kashz£s=Submit+Query
# fetches /user/
GET /user/ HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bankrobber.htb/index.php?msg=User%20created.
DNT: 1
Connection: close
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
Upgrade-Insecure-Requests: 1
# cookie is just b64: a2FzaHo= decodes to kashz, so the username and password are stored in the cookie (not an opaque session id).
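Added example, not part of these notes: a small Python script that parses the captured Cookie header and recovers the base64-encoded credential fields, next to a constructed HMAC-signed opaque session cookie as the corrected design (SERVER_KEY and the helper names are assumptions, not anything from the target).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import unquote

# Constructed from the captured request above.
CAPTURED_COOKIE = "id=8; username=a2FzaHo%3D; password=a2FzaHo%3D"


def parse_cookie(header: str) -> dict:
    """Split a Cookie header into name/value pairs, URL-decoding each value."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = unquote(value)
    return pairs


def decode_b64_fields(cookie: dict) -> dict:
    """Return every cookie field that is plain base64 of printable text."""
    found = {}
    for name, value in cookie.items():
        try:
            raw = base64.b64decode(value, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # "8" and other non-base64 values are skipped
        if raw.isprintable():
            found[name] = raw
    return found


# Hardened alternative: the cookie carries a random session id plus an HMAC tag,
# so no credential is exposed and the user id cannot be edited client-side.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


def issue_session_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    payload = f"{user_id}:{secrets.token_urlsafe(24)}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the user id if the tag matches, else None (tampering or forgery)."""
    try:
        user_id, sid, tag = cookie.split(":")
        expected = hmac.new(key, f"{user_id}:{sid}".encode(), hashlib.sha256).hexdigest()
        return int(user_id) if hmac.compare_digest(tag, expected) else None
    except ValueError:
        return None
```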
# interesting js file is requested
GET /js/transfer.js HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://bankrobber.htb/user/
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
Trying XSS