Holiday Video by IppSec

Articles Mentioned:
https://ictf.cs.ucsb.edu/pages/the-20
https://thehackerblog.com/poisoning-t

00:46 - NMAP Scan and Review
01:53 - GoBuster and identify User Agent based Routing
04:09 - SQLMap the Login
08:00 - Login to the page
08:55 - Begin of XSS
11:15 - Bypass first XSS Filter
14:45 - Encoded JS Payload - Getting XSS to call back to us
16:56 - Using Python to encode JS which will call back to us.
24:25 - Executing the paylaod
25:06 - Stage 2 XSS Attack - XMLHttpRequest
31:30 - Troubleshooting, No code works the first time.
36:00 - Stage 2 Fixed.
40:57 - Initial access to /admin
42:00 - Finding Command Injection
43:40 - Explanation of IP “Encoding”
48:40 - Rev Shell obtained
49:30 - How I found out about the IP Encode Trick
51:40 - Begin of PrivEsc

I can’t get admin cookies, I got the header but not “cookie=”, I dont figure out IP/ippsec in holiday.js, it seems that req2.send(params) doesnt work in my case.

thanks kaaerrieme, fixed, sorry…

Gotta type it correctly, very easy to mess up – Sorry don’t generally share the code I use as in copy-pastable format. Want people to type it out, so if they make errors they can learn how to troubleshoot.

I know its frustrating but there is a reward at the end of the tunnel when you figure out what the issue was.

i agree, better to type out, than paste, i fixed it, and also i learnt another way.

I get the cookie, but when i paste it in my browser(tried with firefox and also chrome) and i refresh i get unlogged instead of being able to access the admin page. Any hint? :-/