XSS
Found 2 related articles
Back to Tags- 2024-12-05
TheStickerShop - Stored XSS Leading to Data Exfiltration
Technical writeup detailing the compromise of TheStickerShop. The primary vulnerability exploited is a Stored Cross-Site Scripting (XSS) vulnerability found in the 'Feedback' form on the Python/Werkzeug web server (8080/tcp). The attack leverages a custom JavaScript payload to bypass a 401 Unauthorized error, fetch the restricted 'flag.txt' file, encode its content in Base64, and exfiltrate the data to an attacker-controlled HTTP server via an Image object request.
- 2024-11-27
Alert - XSS to LFI, Hash Cracking, and Group Write Privilege Escalation
Technical writeup detailing the compromise of the Alert Linux machine. Initial access is gained by chaining a Stored XSS vulnerability in the Markdown viewer to a Local File Inclusion (LFI) vulnerability in an internal /messages endpoint. LFI is used to exfiltrate an Apache MD5 hash from the .htpasswd file, which is then cracked via Hashcat to obtain SSH credentials for the 'albert' user. Privilege escalation is achieved by identifying a high-privileged PHP process running as root in a directory with group write permissions (management), which the 'albert' user belongs to. The configuration.php file is modified to set the SUID bit on /bin/bash, granting a root shell.