HTB Secnotes - SQL injection & CSRF
XSS vuln ---
What requests are being sent?
direct URL? --> put "http://Attackers_IP:9001" in a comment section and see what it does!
nc -nvlp 9001
got a connection back!
create a test page
host the page with Python's http.server and see what it does --> does the link actually work?
if it works, this changes the password of the targeted user account (e.g. admin's)
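The reason a link dropped in a comment can reset a password is that the change-password endpoint accepts a request carried only by the victim's cookie session. The handler below is an added example, not code from the Secnotes box or the original notes: it shows the checks a defender puts on such an endpoint (POST only, same-origin check, per-session synchronizer token compared in constant time). The site origin, the request dicts and the session layout are constructed for the example.

```python
"""Added example (not from the original notes): a minimal password-change
handler showing the checks that stop the comment-link CSRF trick.
Requests are plain dicts {'method', 'headers', 'form'} built inline; no web
framework is assumed."""
import hmac
import secrets

SITE_ORIGIN = "https://secnotes.example"  # assumed site origin (placeholder)


def new_session() -> dict:
    # One random token per session, kept server-side and embedded in real forms.
    return {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}


def change_password(session: dict, request: dict) -> tuple[bool, str]:
    """Return (accepted, reason) for a password-change request."""
    # 1. A state change must never be reachable by a plain link (GET).
    if request.get("method") != "POST":
        return False, "state change must be POST"
    # 2. Origin (or Referer as fallback) must be the site itself.
    headers = request.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return False, "cross-site origin"
    # 3. The form must carry the session's synchronizer token.
    form = request.get("form", {})
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False, "missing or wrong CSRF token"
    new_pw = form.get("password", "")
    if len(new_pw) < 12:
        return False, "password too short"
    session["password"] = new_pw
    return True, "password changed"


def demo() -> list:
    """Run the three request shapes the notes imply: a bare link, a
    cross-site POST, and a legitimate same-origin POST with the token."""
    s = new_session()
    results = []
    # constructed: the comment-link case (GET, victim's own Referer)
    results.append(change_password(s, {
        "method": "GET",
        "headers": {"Referer": SITE_ORIGIN + "/notes"},
        "form": {"username": "admin", "password": "constructedpass123"},
    })[0])
    # constructed: a POST auto-submitted from a third-party page
    results.append(change_password(s, {
        "method": "POST",
        "headers": {"Origin": "https://third-party.example"},
        "form": {"username": "admin", "password": "constructedpass123"},
    })[0])
    # constructed: the real form with the session token
    results.append(change_password(s, {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"password": "constructedpass123",
                 "csrf_token": s["csrf_token"]},
    })[0])
    return results


if __name__ == "__main__":
    print(demo())  # expected: [False, False, True]
```

The order of the checks matters: the method check alone already defeats a link pasted into a comment, while the Origin and token checks cover the auto-submitted form case.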
IIS server is up and you have SMB share access to the web root.
try to create a web shell and upload it > access it!
RCE confirmed?
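The SMB-writable web root is the condition that turns an upload into code execution. As an added example (not from the notes or the box), the script below is the check a defender would run against such a share: it reports whether the web root is writable by the current account and, from a stored baseline, lists server-side scripts or executables that are new or modified. The sample web root is built in a temp directory and the extension list is an assumption.

```python
"""Added example (not part of the original notes): web-root integrity check.
Builds a constructed web root in a temp dir, snapshots it, drops a new
script and edits an existing one, then reports the suspicious changes."""
import hashlib
import os
import shutil
import tempfile

# Assumed set of extensions that execute server-side on IIS/PHP setups.
SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".php", ".cshtml", ".exe"}


def webroot_writable(root: str) -> bool:
    # A web root the web-serving or share account can write to is the risk.
    return os.access(root, os.W_OK)


def snapshot(root: str) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            with open(p, "rb") as fh:
                out[os.path.relpath(p, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def suspicious_changes(baseline: dict, current: dict) -> list:
    """Return (path, 'new'|'modified') for script/executable files that
    were not in the baseline or whose content changed."""
    findings = []
    for rel, digest in current.items():
        if os.path.splitext(rel)[1].lower() not in SCRIPT_EXT:
            continue
        if rel not in baseline:
            findings.append((rel, "new"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
    return sorted(findings)


def demo() -> list:
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        # constructed baseline: one legitimate page and one static asset
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>")
        with open(os.path.join(root, "style.css"), "w") as f:
            f.write("body{}")
        base = snapshot(root)
        # constructed changes: a new script appears, the existing page is edited
        with open(os.path.join(root, "upload.aspx"), "w") as f:
            f.write("constructed placeholder content")
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("\n")
        with open(os.path.join(root, "style.css"), "a") as f:
            f.write("p{}")  # static file edit: not reported
        return suspicious_changes(base, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # expected: [('index.php', 'modified'), ('upload.aspx', 'new')]
```

Run the baseline once from a known-good deployment and re-run the comparison on a schedule; on the real share, the writable check is the finding to fix first, the diff is what tells you whether it was already used.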
Uploading nc.exe (google nc64.exe) tends to get a stable shell on Windows!
----
lnk found?
get-content ~.lnk
admin password was hidden inside of it > psexec win!